# Errata Security

## Errata Security Advanced persistent cybersecurity

• Anatomy of how you get pwned
by Robert Graham on April 29, 2021 at 8:09 am

• Ethics: University of Minnesota’s hostile patches
by Robert Graham on April 21, 2021 at 9:27 pm

• A quick FAQ about NFTs
by Robert Graham on March 26, 2021 at 6:43 pm

I thought I’d write up 4 technical questions about NFTs. They may not be the ones you ask, but they are the ones you should be asking. The questions:

- What does the token look like?
- How does it contain the artwork? (or, where is the artwork contained?)
- How are tokens traded? (How do they get paid? How do they get from one account to another?)
- What does the link from token to artwork mean? Does it give copyrights?

I’m going to use 4 sample tokens that have been sold for outrageous prices as examples.

### #1 What does the token look like?

An NFT token has a unique number, analogous to:

- your social security number (SSN#)
- your credit card number
- the VIN# on your car
- the serial number on a dollar bill
- etc.

This unique number is composed of two things:

- the contract number, identifying the contract that manages the token
- the unique token identifier within that contract

Here are some example tokens, listing the contract number (the long string) and token ID (short number), as well as a link to a story on how much it sold for recently.

- 0x2a46f2ffd99e19a89476e2f62270e0a35bbf0756 – #40913 (Beeple $69m)
- 0xb47e3cd837dDF8e4c57F05d70Ab865de6e193BBB – #7804 ($7.6m CryptoPunks)
- 0x9fc4e38da3a5f7d4950e396732ae10c3f0a54886 – #1 (AP $180k)
- 0x06012c8cf97BEaD5deAe237070F9587f8E7A266d – #896775 ($170k CryptoKitty)

With these two numbers, you can go find the token on the blockchain, and read the code to determine what the token contains, how it’s traded, its current owner, and so on.

### #2 How do NFTs contain artwork? or, where is artwork contained?

Tokens can’t*** contain artwork — art is too big to fit on the blockchain. That Beeple piece is 300-megabytes in size. Therefore, tokens point to artwork that is located somewhere else than the blockchain.

*** (footnote) This isn’t actually true. It’s just that it’s very expensive to put artwork on the blockchain. That Beeple artwork would cost about $5million to put onto the blockchain.
Yes, this is less than a tenth the purchase price of $69million, but when you account for all the artwork for which people have created NFTs, the total exceeds the prices for all NFTs.

So if artwork isn’t on the blockchain, where is it located? And how do the NFTs link to it?

Our four examples of NFT mentioned above show four different answers to this question. Some are smart, others are stupid — and by “stupid” I mean “tantamount to fraud”.

The correct way to link a token with a piece of digital art is through a hash, which can be used with the decentralized darknet.

A hash is a unique cryptographic “key” (sic) generated from the file contents. No two files with different contents (or different lengths) will generate the same hash. A hacker can’t create a different file that generates the same hash. Therefore, the hash becomes the identity of the file — if you have a hash and a file, you can independently verify the two match.

The hash (and therefore unique identity) of the Beeple file is the following string:

QmXkxpwAHCtDXbbZHUwqtFucG1RMS6T87vi1CdvadfL7qA

With the hash, it doesn’t matter where the file is located right now in cyberspace. It only matters that at some point in the future, when the owner of the NFT wants to sell it, they can produce the file which provably matches the hash.

To repeat: because of the magic of cryptographic hashes, the artwork in question doesn’t have to be located anywhere in particular.

However, people do like having a live copy of the file available in a well known location. One way of doing this is with the darknet, which is essentially a decentralized version of the web. In much the same way the blockchain provides decentralized transactions, darknet services provide decentralized file sharing. The most famous of such services is BitTorrent. The most popular for use with NFTs is known as IPFS (InterPlanetary File System).
A hash contained within an NFT token often links to the IPFS system.

In the $69million Beeple NFT, this link is:

ipfs://ipfs/QmPAg1mjxcEQPPtqsLoEcauVedaeMH81WXDPvPx3VC5zUz

Sharp eyed readers will notice the hash of the artwork (above) doesn’t match the hash in this IPFS link.

That’s because the NFT token points to a metadata file that contains the real hash, along with other information about the artwork. The QmPAg…. hash points to metadata that contains the QmXkx… hash.

But a chain of hashes in this manner is still just as secure as a single hash — indeed, that’s what the “blockchain” is — a hash chain. In the future, when the owner sells this NFT, they’ll need to provide both files, the metadata and the artwork, to conclusively transfer ownership.

Thus, in answer to the question of where the artwork is located (in the NFT? on the web?), the answer is often that the NFT token contains a hash pointing to the darknet.

Let’s look at another token on our list, the $180k AP artwork. The NFT links to the following URL:

https://ap-nft.everipedia.org/api/presidential-2020/1

Like the above example with Beeple, this too points to a metadata file, with a link to the eventual artwork (here). However, this chain is broken in the middle with that URL — it isn’t decentralized, and there’s no guarantee in the future that it’ll exist. The company “Everipedia” could go out of business tomorrow, or simply decide to stop sharing the file to the web, or decide to provide a different file at that location. In these cases, the thing the NFT points to disappears.

In other words, 50 years from now, after WW III and we’ve all moved to the off-world colonies, the owner of Beeple’s NFT will still be able to sell it, providing the two additional files. The owner of this AP NFT probably won’t — the link will probably have disappeared from the web — they won’t be able to prove that the NFT they control points to the indicated artwork.

I would call this tantamount to fraud — almost.
The information is all there for the buyer to check, so they know the problems with this NFT. They obviously didn’t care — maybe they plan on being able to offload the NFT onto another buyer before the URL disappears.

Now let’s look at the CryptoPunks #7804 NFT. The contract points to the same hash of an image file that contains all 10,000 possible token images. That hash is the following. Click on it to see the file it maps to:

ac39af4793119ee46bbff351d8cb6b5f23da60222126add4268e261199a2921b

The token ID in question is #7804. If you look in that file for the 7804th face, you’ll see which one the token matches.

Unfortunately, the original contract doesn’t actually explain how we arrive at the 7804th sub-image. Do we go left to right? Top down? Or some other method? Currently, there exists a website that does the translation using one algorithm, but in the future, there’s no hard proof which token maps to which face inside that massive image.

Now let’s look at the CryptoKitty #896775. In this case, there are no hashes involved, and no image. Instead, each kitty is expressed as a pattern of “genes”, with contracts that specify how two kittens can breed together to create a new kitty’s genes. The above token contains the gene sequence:

235340506405654824796728975308592110924822688777991068596785613937685997

There are other contracts on the blockchain that can interact with this. The CryptoKitty images we see are generated by an algorithm that reads the gene sequence. Thus, there is no image file, no hash of a file.
The algorithm that does this is located off-chain, so again we have the problem that in the future, the owner of the token may not be able to prove ownership of the correct image.

So what we see in these examples is one case where there’s a robust hash chain linking the NFT with the corresponding image file, and three examples where the link is problematic — ranging from slightly broken to almost fraudulent.

### #3 How are tokens traded?

There are two ways you can sell your NFTs:

- off the blockchain
- on the blockchain

The Beeple artwork was sold through Christie’s — meaning off blockchain. Christie’s conducted the bidding and collected the payment, took its cut, and gave the rest to the artist. The artist then transferred the NFT. We can see this on the blockchain where Beeple transferred the NFT for $0, but we can’t see the flow of money off blockchain.

This is the exception. The rule is that NFTs are supposed to be traded on blockchain.

NFT contracts don’t have auction or selling capabilities themselves. Instead, they follow a standard (known as ERC721) that allows them to be managed by other contracts. A person controlling a token selects some other auction/selling contract that matches the terms they want, and gives control to that contract.

Because contracts are code, both sides know what the terms are, and can be confident they won’t be defrauded by the other side.

For example, a contract’s terms might be to provide for bids over 5 days, transfer the NFT from the owner to the buyer, and transfer coins from the buyer to the previous owner.

This is really why NFTs are so popular: not ownership of artwork, but on blockchain buying and selling of tokens.
It’s the ability to conduct such commerce where the rules are dictated by code rather than by humans, where such transfers happen in a decentralized manner rather than through a central authority that can commit fraud.

So the upshot is that if you own an NFT, you can use the Transfer() function to transfer it to some other owner, or you can authorize some other contract to do the selling for you, which will eventually call this Transfer() function when the deal is done. Such a contract will likely also transfer coins in the other direction, paying you for your token.

### #4 What does this all mean?

If you break into the Louvre Museum and steal the Mona Lisa, you will control the artwork. But you won’t own it. The word “ownership” is defined to mean your legal rights over the object. If the legal authorities catch up with you, they’ll stick you in jail and transfer control of the artwork back to the rightful legal owner.

We keep talking about “ownership” of NFTs, but this is fiction. Instead, all that you get when you acquire an NFT is “control” — control of just the token even, and not of the underlying artwork. Much of what happens in blockchain/cryptocurrencies isn’t covered by the law. Therefore, you can’t really “own” tokens. But you certainly control them (with the private key in your wallet that matches the public key of your account/address on the blockchain).

This is why NFTs are problematic: people are paying attention to the fiction (“ownership”) and not the technical details (“control”). We see that in the AP artwork above which simply links to a URL instead of a hash, missing a crucial step. They weren’t paying attention to the details.

There are other missing steps. For example, I can create my own NFTs representing all these artworks and sell them (maybe covered in a future blogpost). It’s a fiction that one of these is valid and my copy NFTs are invalid.

On the other hand, this criticism can go too far.
Some people claim the entire blockchain/cryptocurrency market is complete fiction. This isn’t true — there’s lots of obvious value in transactions that are carried out by code rather than by humans.

For example, an oil company might sell tokens for oil futures, allowing people to trade such futures on the blockchain. Ultimately, though, the value of such tokens comes down to faith in the original issuer that they’ll deliver on the promise — that the controller of the token will eventually get something in the real world. There are lots of companies being successful with this sort of thing, such as the BAT token used in the “Brave” web browser that provides websites with micropayment revenue instead of advertising revenue.

Thus, the difference here is that cryptocurrencies are part fiction, part real — tied to real world things. But NFTs representing artwork are pretty much completely fiction. They confer no control over the artwork in the real world. Whatever tie a token has to the artwork is purely in your imagination.

• Deconstructing that $69million NFT
by Robert Graham on March 21, 2021 at 3:12 am

“NFTs” have hit the mainstream news with the sale of an NFT based digital artwork for $69 million. I thought I’d write up an explainer. Specifically, I deconstruct that huge purchase and show what actually was exchanged, down to the raw code. (The answer: almost nothing).

The reason for this post is that every other description of NFTs describes what they pretend to be. In this blogpost, I drill down on what they actually are.

Note that this example is about “NFT artwork”, the thing that’s been in the news. There are other uses of NFTs, which work very differently than what’s shown here.

### tl;dr

I have a long bit of text explaining things. Here is the short form that allows you to drill down to the individual pieces.

- Beeple created a piece of art in a file
- He created a hash that uniquely, and unhackably, identified that file
- He created a metadata file that included the hash to the artwork
- He created a hash to the metadata file
- He uploaded both files (metadata and artwork) to the IPFS darknet decentralized file sharing service
- He created, or minted a token governed by the MakersTokenV2 smart contract on the Ethereum blockchain
- Christie’s created an auction for this token
- The auction was concluded with a payment of $69 million worth of Ether cryptocurrency. However, nobody has been able to find this payment on the Ethereum blockchain; the money was probably transferred through some private means.
- Beeple transferred the token to the winner, who transferred it again to this final Metakovan account

Each of the links above allows you to drill down to exactly what’s happening on the blockchain. The rest of this post discusses things in long form.

### Why do I care?

Well, you don’t. It makes you feel stupid that you haven’t heard about it, when everyone is suddenly talking about it as if it’s been a thing for a long time. But the reality is, they didn’t know what it was a month ago, either.
Here is the Google Trends graph to prove this point — interest has only exploded in the last couple months:

The same applies to me. I’ve been aware of them (since the CryptoKitties craze from a couple years ago) but haven’t invested time reading source code until now. Much of this blogpost is written as notes as I discover for myself exactly what was purchased for $69 million, reading the actual transactions.

### So what is it?

My definition: “Something new that can be traded on a blockchain that isn’t a fungible cryptocurrency”.

In this post, I’m going to explain in technical details. Before this, you might want to pause and see what everyone else is saying about it. You can look on Wikipedia to answer that question, or look at the following definition from CNN (the first result when I google it):

> Non-fungible tokens, or NFTs, are pieces of digital content linked to the blockchain, the digital database underpinning cryptocurrencies such as bitcoin and ethereum. Unlike NFTs, those assets are fungible, meaning they can be replaced or exchanged with another identical one of the same value, much like a dollar bill.

You can also get a list of common NFT systems here. While this list of NFT systems contains a lot of things related to artwork (as described in this blogpost), a lot aren’t. For example, CryptoKitties is an online game, not artwork (though it too allows ties to pictures of the kitties).

### What is fungible?

Let’s define the word fungible first. The word refers to goods you purchase that can be replaced by an identical good, like a pound of sugar, an ounce of gold, a barrel of West Texas Intermediate crude oil. When you buy one, you don’t care which one you get.

In contrast, an automobile is a non-fungible good — if you order a Tesla Model 3, you won’t be satisfied with just any car that comes out of the factory, but one that matches the color and trim that you ordered.
Artwork is a well known non-fungible asset — there’s only one Mona Lisa painting in the world, for example.

Dollar bills and coins are fungible tokens — they represent the value printed on the currency. You can pay your bar bill with any dollars. Cryptocurrencies like Bitcoin, ZCash, and Ethereum are also “fungible tokens”. That’s where they get their value, from their fungibility.

NFTs, or non-fungible tokens, is the idea of trading something unique (non-fungible, not the same as anything else) on the blockchain. You can trade them, but each is unique, like a painting, a trading card, a rare coin, and so on.

This is a token — it represents a thing. You aren’t trading an artwork itself on the blockchain, but a token that represents the artwork. I mention this because most descriptions about NFTs are that you are buying artwork — you aren’t. Instead, you are buying a token that points to the artwork.

The best real world example is a receipt for purchase. Let’s say you go to the Louvre and buy the Mona Lisa painting, and they give you a receipt attesting to the authenticity of the transaction. The receipt is not the artwork itself, but something that represents the artwork. It’s proof you legitimately purchased it — that you didn’t steal it. If you ever resell the painting, you’ll probably need something like this proving the provenance of the piece.

### Show me an example!

So let’s look at an example NFT, the technical details, to see how it works. We might as well use this massive $69 million purchase as our example. Some news reports describing the purchase are here: [1] [2] [3].

None of these stories say what actually happened. They say the “artwork was purchased”, but what does that actually mean? We are going to deconstruct that here. (The answer is: the artwork wasn’t actually purchased).

### What was the artwork?

It’s a piece created by an artist named “Beeple” (Mike Winkelmann), called “Everydays: The First 5000 Days”.
It’s a 500-megapixel image, which is about 300-megabytes in size. A thumbnail of this work is shown below.

So the obvious question is where is this artwork? Is it somewhere on the blockchain? Well, no, the file is 300-megabytes in size, much too large to put on the blockchain. Instead, the file exists somewhere out in cyberspace (described below).

What exists on the blockchain is a unique fingerprint linking to the file, known as a hash.

### What is a hash?

It’s at this point we need to discuss cryptography: it’s not just about encryption, but also random numbers, public keys, and hashing.

A “hash” passes all the bytes of a file through an algorithm to generate a short signature or fingerprint unique to that file. No two files with different contents can have the same hash. The most popular algorithm is SHA-256, which produces a 256-bit hash.

We call it a cryptographic hash to differentiate it from weaker algorithms. With a strong algorithm, it’s essentially impossible for a hacker to create a different file that has the same hash — even if the hacker tried really hard.

Thus, the hash is the identity of the file. The identity of the artwork in question is not the title of the piece mentioned above; other pieces of art can also be given that title. Instead, the identity of the artwork is its hash. Other pieces of artwork cannot have the same hash.

For this artwork, that 300-megabyte file is hashed, producing a 256-bit value. Written in hex, this value is:

6314b55cc6ff34f67a18e1ccc977234b803f7a5497b94f1f994ac9d1b896a017

Hexadecimal results in long strings. There are shorter ways of representing hashes. One is a format called MultiHash. Its value is shown below. This refers to the same 256-bits, and thus the two forms are equivalent; they are simply displayed in different ways.

QmXkxpwAHCtDXbbZHUwqtFucG1RMS6T87vi1CdvadfL7qA

This is the identity of the artwork.
If you want to download the entire 300-megabyte file, simply copy and paste that into google, and it’ll lead you to someplace in cyberspace where you can download it. Once you download it, you can verify the hash, such as with the command-line tool OpenSSL:

```
$ openssl dgst -sha256 everdays5000.jfif
SHA256(everdays5000.jfif)= 6314b55cc6ff34f67a18e1ccc977234b803f7a5497b94f1f994ac9d1b896a017
```

The above is exactly what I’ve done — I downloaded the file from cyberspace, named it “everydays5000.jfif”, and then calculated the hash to see if it matches. As you can tell by looking at my result with the above hash, they do match, so I know I have an exact copy of the artwork.

### Where to download the image from cyberspace?

Above, I downloaded the file in order to demonstrate calculating the hash. It doesn’t live on the blockchain, so where does it live?

There are two answers. The first answer is potentially anywhere in cyberspace. Thousands of people have downloaded the file onto their personal computers, so obviously it exists on their machines — you just can’t get at it. If you ever do come across it somewhere, you can always verify it’s the exact copy by looking at the hash.

The second answer is somewhere on the darknet. The term “darknet” refers to various systems on the Internet other than the web. Remember, the “web” is not the “Internet”, but simply one of many services on the Internet.

The most popular darknet services are decentralized file sharing systems like BitTorrent and IPFS. In much the same way that blockchains are decentralized transaction services, these two systems are decentralized file services. When something is too big to live on the blockchain, it often lives on the darknet, usually via IPFS.

The way these services identify files is through their hashes. If you know their hash, you can stick it into one of these services and find it.
Thus, if you want to find this file on IPFS, download some IPFS aware software, and plug in the hash.

There’s an alternative privacy-focused browser called “Brave” that includes darknet features (TOR, BitTorrent, and IPFS). To download this file using Brave, simply use the following URL:

ipfs://QmXkxpwAHCtDXbbZHUwqtFucG1RMS6T87vi1CdvadfL7qA

But an easier way is to use one of the many IPFS gateways. These are web servers that will copy a file off the darknet and make it available to you. Here is a URL using one of those gateways:

https://ipfsgateway.makersplace.com/ipfs/QmXkxpwAHCtDXbbZHUwqtFucG1RMS6T87vi1CdvadfL7qA

If you click on this link within your browser, you’ll download the 300-megabyte file from the IPFS darknet. It’ll take a while; the service is slow. Once you get it, you can verify the hashes match. But since the URL is based on the hash, of course they should match, unless there was some error in transmission.

### So this hash is on the blockchain?

Well, it could’ve been, but it wasn’t. Instead, the hash that’s on the blockchain points to a file containing metadata — and it’s the metadata that points to the hash.

In other words, it’s a chain of hashes. The hash on the blockchain (as we’ll see below) is this one here (I’ve made it a link so you can click on it to see the raw data):

QmPAg1mjxcEQPPtqsLoEcauVedaeMH81WXDPvPx3VC5zUz

When you click on this, you see a bunch of JSON data. Below, I’ve stripped away the uninteresting stuff to show the meaningful bits:

```
title: "EVERYDAYS: THE FIRST 5000 DAYS"
description: "I made a picture from start to finish every single day from May 1st, 2007 – January 7th, 2021. This is every motherfucking one of those pictures."
digital_media_signature: "6314b55cc6ff34f67a18e1ccc977234b803f7a5497b94f1f994ac9d1b896a017"
raw_media_file: "https://ipfsgateway.makersplace.com/ipfs/QmXkxpwAHCtDXbbZHUwqtFucG1RMS6T87vi1CdvadfL7qA"
```

Now remember that due to the magic of cryptographic hashes, this chain can’t be broken.
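
The checks described so far (reading the digest out of a `Qm…` string, confirming that a file matches the `digital_media_signature` in the metadata, and telling a hash link from a plain web URL such as the AP token's in the FAQ post) fit in a short script. This is an added example, not code from the original post; the function names and sample data are constructed, and the sample multihash simply wraps a plain SHA-256 digest as an assumption for illustration.

```python
import hashlib
import json
from urllib.parse import urlparse

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SHA2_256 = 0x12   # multihash code for SHA-256
DIGEST_LEN = 32   # bytes in a SHA-256 digest


def b58encode(data: bytes) -> str:
    """Encode bytes with the base58 alphabet used by 'Qm...' hashes."""
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    zeros = len(data) - len(data.lstrip(b"\x00"))  # leading zero bytes become '1'
    return "1" * zeros + out


def b58decode(text: str) -> bytes:
    """Decode base58 text; raises ValueError on a character outside the alphabet."""
    num = 0
    for ch in text:
        num = num * 58 + B58.index(ch)
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + body


def decode_multihash(text: str) -> bytes:
    """Return the 32-byte digest carried inside a base58 SHA-256 multihash."""
    raw = b58decode(text)
    if len(raw) != 2 + DIGEST_LEN or raw[0] != SHA2_256 or raw[1] != DIGEST_LEN:
        raise ValueError("not a SHA-256 multihash")
    return raw[2:]


def classify_token_uri(uri: str) -> str:
    """Say whether a tokenURI names content (a hash) or a location (a server)."""
    parsed = urlparse(uri)
    if parsed.scheme != "ipfs":
        return "location"          # whoever runs the server decides what is served
    # Accept both ipfs://<hash> and ipfs://ipfs/<hash>.
    candidate = (parsed.netloc + parsed.path).rstrip("/").split("/")[-1]
    try:
        decode_multihash(candidate)
    except ValueError:
        return "malformed"
    return "content-addressed"     # any copy can be checked against the hash


def artwork_matches_metadata(metadata_json: bytes, artwork: bytes) -> bool:
    """Check the metadata -> artwork link via digital_media_signature."""
    claimed = json.loads(metadata_json)["digital_media_signature"]
    return hashlib.sha256(artwork).hexdigest() == claimed.strip().lower()


# Constructed sample data (not the real artwork or metadata).
SAMPLE_ART = b"constructed stand-in for the image bytes"
SAMPLE_META = json.dumps({
    "title": "constructed sample",
    "digital_media_signature": hashlib.sha256(SAMPLE_ART).hexdigest(),
}).encode()
# Assumption: a plain SHA-256 of the metadata, wrapped as a multihash.
SAMPLE_HASH = b58encode(
    bytes([SHA2_256, DIGEST_LEN]) + hashlib.sha256(SAMPLE_META).digest()
)

if __name__ == "__main__":
    print(SAMPLE_HASH)
    print(classify_token_uri("ipfs://ipfs/" + SAMPLE_HASH))
    print(classify_token_uri("https://example.invalid/api/1"))
    print(artwork_matches_metadata(SAMPLE_META, SAMPLE_ART))
    print(artwork_matches_metadata(SAMPLE_META, SAMPLE_ART + b"tampered"))
```
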
One hash leads to the next, such that changing any single bit breaks the chain. Indeed, that’s what a “blockchain” is — a hash chain. Changing any bit of information anywhere on the Bitcoin blockchain is immediately detectable, because it throws off the hash calculations.

So we have a chain: hash -> metadata -> hash -> artwork

So if you own the root, you own the entire chain.

Note that this chain seems unbreakable here, in this $69 million NFT token. However, in a lot of other tokens, it’s not. I mean, the hash chain itself doesn’t promise much (it simply points at the artwork, giving no control over it), but other NFTs promise even less.

### So what, exactly, is the NFT that was bought and sold?

Here’s what Christie’s sold. Here’s how Christie’s describes it:

> Beeple (b. 1981)
> EVERYDAYS: THE FIRST 5000 DAYS
> token ID: 40913
> wallet address: 0xc6b0562605D35eE710138402B878ffe6F2E23807
> smart contract address: 0x2a46f2ffd99e19a89476e2f62270e0a35bbf0756
> non-fungible token (jpg)
> 21,069 x 21,069 pixels (319,168,313 bytes)
> Minted on 16 February 2021. This work is unique.

The seller is the artist Beeple. The artist created the token (shown below) and assigned their wallet address as the owner. This is their wallet address:

0xc6b0562605D35eE710138402B878ffe6F2E23807

When Beeple created the token, he did so using a smart contract that governs the rules for the token. Such smart contracts are what make Ethereum different from Bitcoin, allowing things to be created and managed on the blockchain other than simple currency transfers. Contracts have addresses on the blockchain, too, but no person controls them — they are rules for decentralized transfer of things, with nobody (other than the code) in control.

There are many smart contracts that can manage NFTs. The one Beeple chose is known as MakersTokenV2.
This contract has the following address:

0x2a46f2ffd99e19a89476e2f62270e0a35bbf0756

Note that if you browse this link, you’ll eventually get to the code so that you can read the smart contract and see how it works. It’s a derivation of something known as ERC721 that defines the properties of a certain class of non-fungible tokens.

Finally, we get to the actual token being sold here. It is:

#40913

In other words, it’s the 40913th token created and managed by the MakersTokenV2 contract. The full description of what Christie’s is selling is this token number governed by the named contract on the Ethereum blockchain:

Ethereum -> 0x2a46f2ffd99e19a89476e2f62270e0a35bbf0756 -> 40913

We have to search the blockchain in order to find the transaction that created this token. The transaction is identified by the hash:

0x84760768c527794ede901f97973385bfc1bf2e297f7ed16f523f75412ae772b3

The smart contract is code, so in the above transaction, Beeple calls functions within the contract to create a new token, assign digital media to it (the hash), and assign himself owner of the newly created token.

After doing this, the token #40913 now contains the following information:

```
creator      : 0xc6b0562605d35ee710138402b878ffe6f2e23807
metadataPath : QmPAg1mjxcEQPPtqsLoEcauVedaeMH81WXDPvPx3VC5zUz
tokenURI     : ipfs://ipfs/QmPAg1mjxcEQPPtqsLoEcauVedaeMH81WXDPvPx3VC5zUz
```

This is the thing that Christie’s auction house sold. As you can see in their description above, it all points to this token on the blockchain.

Now after the auction, the next step is to transfer the token to the new owner. Again, the contract is code, so this is calling the “Transfer()” function in that code. Beeple is the only person who can do this transfer, because only he knows the private key that controls his wallet.
This transfer is done in the transaction below:

```
0xa342e9de61c34900883218fe52bc9931daa1a10b6f48c506f2253c279b15e5bf
token : 40913
from  : 0xc6b0562605d35ee710138402b878ffe6f2e23807
to    : 0x58bf1fbeac9596fc20d87d346423d7d108c5361a
```

That’s not the current owner. Instead, it was soon transferred again in the following transaction:

```
0x01d0967faaaf95f3e19164803a1cf1a2f96644ebfababb2b810d41a72f502d49
token : 40913
from  : 0x58bf1fbeac9596fc20d87d346423d7d108c5361a
to    : 0x8bb37fb0f0462bb3fc8995cf17721f8e4a399629
```

That final address is known to belong to a person named “Metakovan”, who the press has identified as the buyer of the piece. I don’t know what that intermediary address between Beeple and Metakovan was, but it’s common in the cryptocurrency world to have many accounts that people transfer things between, so I bet it also belongs to Metakovan.

### How are things transferred?

Like everything on the blockchain, control is transferred via public/private keys. Your wallet address is a hash of your public key, which everyone knows. Anybody can transfer something to your public address without you being involved.

But every public key has a matching private key. Both are generated together, because they are mathematically related. Only somebody who knows the private key that matches the wallet address can transfer something out of the wallet to another person.

Thus Beeple’s account has the following public address. But we don’t know his private key, which he has stored on a computer file somewhere.

0xc6b0562605D35eE710138402B878ffe6F2E23807

### To summarize what was bought and sold

So that’s it.
To summarize:

- Beeple created a piece of art in a file
- He created a hash that uniquely, and unhackably, identified that file
- He created a metadata file that included the hash to the artwork
- He created a hash to the metadata file
- He uploaded both files (metadata and artwork) to the IPFS darknet decentralized file sharing service
- He created, or minted a token governed by the MakersTokenV2 smart contract on the Ethereum blockchain
- Christie’s created an auction for this token
- The auction was concluded with a payment of $69 million worth of Ether cryptocurrency. However, nobody has been able to find this payment on the Ethereum blockchain; the money was probably transferred through some private means.
- Beeple transferred the token to the winner, who transferred it again to this final Metakovan account

And that’s it.

### Okay, I understand. But I have a question. WHAT IS AN NFT????

So if you’ve been paying attention, and understood everything I’ve said, then you should still be completely confused. What exactly was purchased that was worth $69 million?

If we are asking what Metakovan purchased for his $69 million, it comes down to this: the ability to transfer MakersTokenV2 #40913 to somebody else.

That’s it. That’s everything he purchased. He didn’t purchase the artwork, he didn’t purchase the copyrights, he didn’t purchase anything more than the ability to transfer that token. Even saying he owns the token is a misnomer, since the token lives on the blockchain. Instead, since only Metakovan knows the private key that controls his wallet, all that he possesses is the ability to transfer the token to the control of another private key.

It’s not even as unique as people claim. Beeple can mint another token for the same artwork. Anybody else can mint a token for Beeple’s artwork. Insignificant changes can be made to that artwork, and tokens can be minted for that, too.
There’s nothing hard and fast controlled by the code — the relationship is in people’s minds.

If you are coming here asking why somebody thinks this is worth $69 million, I have no answer for you.

### The conclusion

I think there are two things that are clear here:

- This token is not going to be meaningful to most of us: who cares if the token points to a hash that eventually points to a file freely available on the Internet?
- This token is meaningful to those in the “crypto” (meaning “cryptocurrency”) community, but it’s in their minds, rather than something hard and fast controlled by code or cryptography.

In other words, the work didn’t sell for $69 million of real money.

For one thing, it’s not the work that was traded, or rights or control over that work. It’s simply a token that pointed to the work.

For another thing, it was sold for 42329.453 ETH, not $dollars. Early adopters with lots of cryptocurrency are likely to believe the idea that the token is meaningful, whereas outsiders with $dollars don’t.

An NFT is ultimately like those plaques you see next to paintings in a museum telling people about the donor or philanthropist involved — only this plaque is somewhere where pretty much nobody will see it.

• We are living in 1984 (ETERNALBLUE)
by Robert Graham on March 1, 2021 at 12:06 am

In the book 1984, the protagonist questions his sanity, because his memory differs from what appears to be everybody else’s memory.

> The Party said that Oceania had never been in alliance with Eurasia. He, Winston Smith, knew that Oceania had been in alliance with Eurasia as short a time as four years ago. But where did that knowledge exist? Only in his own consciousness, which in any case must soon be annihilated. And if all others accepted the lie which the Party imposed—if all records told the same tale—then the lie passed into history and became truth.
‘Who controls the past,’ ran the Party slogan, ‘controls the future: who controls the present controls the past.’ And yet the past, though of its nature alterable, never had been altered. Whatever was true now was true from everlasting to everlasting. It was quite simple. All that was needed was an unending series of victories over your own memory. ‘Reality control’, they called it: in Newspeak, ‘doublethink’.

I know that EternalBlue didn’t cause the Baltimore ransomware attack. When the attack happened, the entire cybersecurity community agreed that EternalBlue wasn’t responsible.

But this New York Times article said otherwise, blaming the Baltimore attack on EternalBlue. And there are hundreds of other news articles [eg] that agree, citing the New York Times. There are no news articles that dispute this.

In a recent book, the author of that article admits it’s not true, that EternalBlue didn’t cause the ransomware to spread. But they defend themselves as it being essentially true, that EternalBlue is responsible for a lot of bad things, even if technically, not in this case. Such errors are justified, on the grounds they are generalizations and simplifications needed for the mass audience.

So we are left with the situation Orwell describes: all records tell the same tale — when the lie passes into history, it becomes the truth.

Orwell continues:

He wondered, as he had many times wondered before, whether he himself was a lunatic. Perhaps a lunatic was simply a minority of one. At one time it had been a sign of madness to believe that the earth goes round the sun; today, to believe that the past is inalterable. He might be ALONE in holding that belief, and if alone, then a lunatic. But the thought of being a lunatic did not greatly trouble him: the horror was that he might also be wrong.

I’m definitely a lunatic, alone in my beliefs. I sure hope I’m not wrong.

Update: Other lunatics document their struggles with Minitrue:

When I was investigating the TJX breach, there were NYT articles citing unnamed sources that were made up & then outlets would publish citing the NYT. The TJX lawyers would require us to disprove the articles. Each time we would. It was maddening fighting lies for 8 months.— Nicholas J. Percoco (@c7five) March 1, 2021

• Review: Perlroth’s book on the cyberarms market
by Robert Graham on February 27, 2021 at 5:03 am

New York Times reporter Nicole Perlroth has written a book on zero-days and nation-state hacking entitled “This Is How They Tell Me The World Ends”. Here is my review.

I’m not sure what the book intends to be. The blurbs from the publisher imply a work of investigative journalism, in which case it’s full of unforgivable factual errors. However, it reads more like a memoir, in which case errors are to be expected/forgivable, with content often from memory rather than rigorously fact-checked notes.

But even with this more lenient interpretation, there are important flaws that should be pointed out. For example, the book claims the Saudis hacked Bezos with a zero-day. I claim that’s bunk. The book claims zero-days are “God mode” compared to other hacking techniques, I claim they are no better than the alternatives, usually worse, and rarely used.

But I can’t really list all the things I disagree with. It’s no use. She’s a New York Times reporter, impervious to disagreement.

If this were written by a tech journalist, then criticism would be the expected norm. Tech is full of factual truths, such as whether 2+2=5, where it’s possible for a thing to be conclusively known. All journalists make errors — tech journalists are constantly making small revisions correcting their errors after publication.

The best example of this is Ars Technica. They pride themselves on their reader forums, where readers comment, opine, criticize, and correct stories.
Sometimes readers add more interesting information to the story, providing free content to other readers. Sometimes they fix errors.

It’s often unpleasant for the journalists who steel themselves after hitting “Submit…”. They have a lot of practice defending or correcting every assertion they make, from both legitimate and illegitimate criticism. This makes them astoundingly good journalists — mistakes editors miss, readers don’t. They get trained fast to deal with criticism.

The mainstream press doesn’t have this tradition. To be fair, it couldn’t. Tech forums have techies with knowledge and experience, while the mainstream press has ignorant readers with opinions. Regardless of the story’s original content, it’ll devolve into people arguing about whether Epstein was murdered (for example).

Nicole Perlroth is a mainstream reporter on a techy beat. So you see a conflict here between the expectations both sides have for each other. Techies expect a tech journalist who’ll respond to factual errors, she doesn’t expect all this criticism. She doesn’t see techie critics for what they are — subject matter experts that would be useful sources to make her stories better. She sees them as enemies that must be ignored. This makes her stories sloppy by technical standards. I hate that this sounds like a personal attack when it’s really more a NYTimes problem — most of their cyber stories struggle with technical details, regardless of author.

This problem is made worse by the fact that the New York Times doesn’t have “news stories” so much as “narratives”. They don’t have neutral stories reporting what happened, but narratives explaining a larger point.

A good example is this story that blames the Baltimore ransomware attack on the NSA’s EternalBlue. The narrative is that EternalBlue is to blame for damage all over the place, and it uses the Baltimore ransomware as an example.
However, EternalBlue wasn’t responsible for that particular ransomware — as techies point out.

Perlroth doesn’t fix the story. In her book, she instead criticizes techies for focusing on “the technical detail that in this particular case, the ransomware attack had not spread with EternalBlue”, and that techies don’t acknowledge “the wreckage from EternalBlue in towns and cities across the country”.

It’s a bizarre response from a journalist, refusing to fix a falsehood in a story because the rest of the narrative is true.

Some of the book is correct, telling you some real details about the zero-day market. I can’t say it won’t be useful to some readers, though the useful bits are buried in a lot of non-useful stuff. But most of the book is wrong about the zero-day market, a slave to the narrative that zero-days are going to end the world. I mean, I should say, I disagree with the narrative and her political policy ideas — I guess it’s up to you to decide for yourself if it’s “wrong”. Apart from inaccuracies, a lot is missing — for example, you really can’t understand what a “zero-day” is without also understanding the 40-year history of vuln-disclosure.

I could go on a long spree of corrections, and others have their own long list of inaccuracies, but there’s really no point. She’s already defended her book as being more of a memoir than a work of journalistic integrity, so her subjective point of view is what it’s about, not facts. Her fundamental narrative of the Big Bad Cyberarms Market is a political one, so any discussion of accuracy will be in service of political sides rather than the side of truth.

Moreover, she’ll just attack me for my “bruised male ego”, as she has already done to other expert critics.

• No, 1,000 engineers were not needed for SolarWinds
by Robert Graham on February 26, 2021 at 1:09 am

Microsoft estimates it would take 1,000 engineers to carry out the famous SolarWinds hacker attacks.
This means in reality that it was probably fewer than 100 skilled engineers. I base this claim on the following Tweet:

When asked why they think it was 1,000 devs, Brad Smith says they saw an elaborate and persistent set of work. Made an estimate of how much work went into each of these attacks, and asked their own engineers. 1,000 was their estimate.— Joseph Cox (@josephfcox) February 23, 2021

Yes, it would take Microsoft 1,000 engineers to replicate the attacks. But it takes a large company like Microsoft 10-times the effort to replicate anything. This is partly because Microsoft is a big, stodgy corporation. But this is mostly because this is a fundamental property of software engineering, where replicating something takes 10-times the effort of creating the original thing.

It’s like painting. The effort to produce a work is often less than the effort to reproduce it. I can throw some random paint strokes on canvas with almost no effort. It would take you an immense amount of work to replicate those same strokes — even to figure out the exact color of paint that I randomly mixed together.

### Software Engineering

The process of software engineering is about creating software that meets a certain set of requirements, or a specification. It is an extremely costly process to verify the specification is correct. It’s like if you build a bridge but forget a piece and the entire bridge collapses.

But code slinging by hackers and open-source programmers works differently. They aren’t building toward a spec. They are building whatever they can and whatever they want. It takes a tenth, or even a hundredth of the effort of software engineering. Yes, it usually builds things that few people (other than the original programmer) want to use. But sometimes it produces gems that lots of people use.

Take my most popular code slinging effort, masscan. I spent about 6 months of total effort writing it at this point.
But if you run code analysis tools on it, they’ll tell you that it would take several millions of dollars to replicate the amount of code I’ve written. And that’s just measuring the bulk code, not the numerous clever capabilities and innovations in the code.

According to these metrics, I’m either a 100x engineer (a hundred times better than the average engineer) or my claim is true that “code slinging” is a fraction of the effort of “software engineering”.

The same is true of everything the SolarWinds hackers produced. They didn’t have to software engineer code according to Microsoft’s processes. They only had to sling code to satisfy their own needs. They don’t have to train/hire engineers with the skills necessary to meet a specification, they can write the specification according to what their own engineers can produce. They can do whatever they want with the code because they don’t have to satisfy somebody else’s needs.

### Hacking

Something is similarly true with hacking. Hacking a specific target, a specific way, is very hard. Hacking any target, any way, is easy.

Like most well-known hackers, I regularly get those emails asking me to hack somebody’s Facebook account. This is very hard. I can try a lot of things, and in the end, chances are I cannot succeed. On the other hand, if you ask me to hack anybody’s Facebook account, I can do that in seconds. I can download one of the many hacker dumps of email addresses, then try to log into Facebook with every email address using the password “Password1234”. Eventually I’ll find somebody who has that password — I just don’t know who.

Hacking is overwhelmingly opportunistic. Hackers go into it not being sure who they’ll hack, or how they’ll hack. They just try a bunch of things against a bunch of targets and see what works. No two hacks are the same. You can’t look at one hack and reproduce it exactly against another target.

Well, you reproduce things a bit. Some limited techniques have become “operationalized”.
A good example is “phishing”, sending emails tricking people into running software or divulging a password. But that’s usually only the start of a complete attack, getting the initial foothold into a target, rather than the full hack itself.

In other words, hacking is based a lot on luck. You can create luck for yourself by trying lots of things. But it’s hard reproducing luck.

This principle of hacking is why Stuxnet is such an incredible achievement. It wasn’t opportunistic hacking. It had a very narrow target that could only be hacked in a very narrow way, jumping across an “airgap” to infect the controllers in order to subtly destabilize the uranium centrifuges. With my lifetime experience with hacking, I’m amazed at Stuxnet.

But SolarWinds was no Stuxnet. Instead, it shows a steady effort over a number of years, capitalizing on the lucky result of one step to then move ahead to the next step. Replicating that chain of luck would be nearly impossible.

### Business

Now let’s talk about big companies vs. startups. Every month, big companies like Apple, Microsoft, Cisco, etc. are acquiring yet another small startup that has done something that a big company cannot do. These companies often have small (but growing) market share, so it’s rarely for the market share alone that big companies acquire small ones.

Instead, it’s for the thing that the startup produced. The reason big companies acquire outsiders is again because of the difficulty that insiders would have in reproducing the work. The engineering managers are asked how much it would cost insiders to reproduce the work of the outsiders, the potential acquisition candidate. The answer is almost always “at least 10-times more than what the small company invested in building the thing”.

This is reflected by the purchase price, which is often 10-times what the original investors put into the company to build the thing.
In other words, Microsoft regularly buys a company for 10-times all the money the original investors put into the company — meaning much more than 10-times the effort it would take for their own engineers to replicate the product in question.

Thus, the question people should ask Brad Smith of Microsoft is not simply how many skilled Microsoft engineers it would take to reproduce SolarWinds, but also how many skilled Microsoft engineers it would take to reproduce the engineering effort of their last 10 acquisitions.

### Conclusion

I’ve looked at the problem three different ways, from the point of view of software engineering, hacking, or business. If it takes 1,000 Microsoft engineers to reproduce the SolarWinds hacks, then that means there’s fewer than 100 skilled engineers involved in the actual hacks.

SolarWinds is probably the most consequential hack of the last decade. There are many eager to exaggerate things to serve their own agenda. Those types have been pushing this “1,000 engineer” claim. I’m an expert in all three of these areas, software engineering, hacking, and business. I’ve written millions of lines of code, I’m well known for my hacking, and I’ve sold startups. I can assure you: Microsoft’s estimate means that likely fewer than 100 skilled engineers were involved.

• The deal with DMCA 1201 reform
by Robert Graham on December 9, 2020 at 8:25 pm

There are two fights in Congress now against the DMCA, the “Digital Millennium Copyright Act”. One is over Section 512 covering “takedowns” on the web. The other is over Section 1201 covering “reverse engineering”, which weakens cybersecurity.

Even before digital computers, since the 1880s, an important principle of cybersecurity has been openness and transparency (“Kerckhoffs’s Principle”). Only through making details public can security flaws be found, discussed, and fixed.
This includes reverse-engineering to search for flaws.

Cybersecurity experts have long struggled against the ignorant who hold the naive belief we should instead cover up information, so that evildoers cannot find and exploit flaws. Surely, they believe, giving just anybody access to critical details of our security weakens it. The ignorant have little faith in technology, that it can be made secure. They have more faith in government’s ability to control information.

Technologists believe this information coverup hinders well-meaning people and protects the incompetent from embarrassment. When you hide information about how something works, you prevent people on your own side from discovering and fixing flaws. It also means that you can’t hold those accountable for their security, since it’s impossible to notice security flaws until after they’ve been exploited. At the same time, the information coverup does not do much to stop evildoers. Technology can work, it can be perfected, but only if we can search for flaws.

It seems counterintuitive that revealing your encryption algorithms to your enemy is the best way to secure them, but history has proven time and again that this is indeed true. Encryption algorithms your enemy cannot see are insecure. The same is true of the rest of cybersecurity.

Today, I’m composing and posting this blogpost securely from a public WiFi hotspot because the technology is secure. It’s secure because of two decades of security researchers finding flaws in WiFi, publishing them, and getting them fixed.

Yet in the year 1998, ignorance prevailed with the “Digital Millennium Copyright Act”. Section 1201 makes reverse-engineering illegal. It attempts to secure copyright not through strong technological means, but by the heavy hand of government punishment.

The law was not completely ignorant. It includes an exception allowing what it calls “security testing” — in theory.
But that exception does not work in practice, imposing too many conditions on such research to be workable.

The U.S. Copyright Office has authority under the law to add its own exemptions every 3 years. It has repeatedly added exceptions for security research, but the process is unsatisfactory. It’s a protracted political battle every 3 years to get the exception back on the list, and each time it can change slightly. These exemptions are still less than what we want. This causes a chilling effect on permissible research. It would be better if such exceptions were put directly into the law.

You can understand the nature of the debate by looking at those on each side.

Those lobbying for the exceptions are those trying to make technology more secure, such as Rapid7, Bugcrowd, Duo Security, Luta Security, and Hackerone. These organizations have no interest in violating copyright — their only concern is cybersecurity, finding and fixing flaws.

The opposing side includes the copyright industry, as you’d expect, such as the “DVD” association who doesn’t want hackers breaking the DRM on DVDs.

However, much of the opposing side has nothing to do with copyright as such.

This notably includes the three major voting machine suppliers in the United States: Dominion Voting, ES&S, and Hart InterCivic. Security professionals have been pointing out security flaws in their equipment for the past several years. These vendors are explicitly trying to cover up their security flaws by using the law to silence critics.

This goes back to the struggle mentioned at the top of this post. The ignorant and naive believe that we need to cover up information, so that hackers can’t discover flaws.
This is expressed in their filing opposing the latest 3-year exemption:

The proponents are wrong and misguided in their argument that the Register’s allowing independent hackers unfettered access to election software is a necessary – or even appropriate – way to address the national security issues raised by election system security. The federal government already has ways of ensuring election system security through programs conducted by the EAC and DHS. These programs, in combination with testing done in partnership between system providers, independent voting system test labs and election officials, provide a high degree of confidence that election systems are secure and can be used to run fair and accurate elections. Giving anonymous hackers a license to attack critical infrastructure would not serve the public interest.

Not only does this blatantly violate Kerckhoffs’s Principle stated above, it was proven a fallacy in the last two DEF CON cybersecurity conferences. These conferences bought voting machines off eBay and presented them at the conference for anybody to hack. Widespread and typical vulnerabilities were found. These systems were certified as secure by state and federal governments, yet teenagers were able to trivially bypass the security of these systems.

The danger these companies are afraid of is not a nation state actor being able to play with these systems, but of teenagers playing with their systems at DEF CON embarrassing them by pointing out their laughable security. This proves Kerckhoffs’s Principle.

That’s why the leading technology firms take the opposite approach to security than election systems vendors. This includes Apple, Amazon, Microsoft, Google, and so on. They’ve gotten over their embarrassment. They are every bit as critical to modern infrastructure as election systems or the power grid. They publish their flaws roughly every month, along with a patch that fixes them. That’s why you end up having to patch your software every month.
Far from trying to cover up flaws and punish researchers, they publicly praise researchers, and in many cases, offer “bug bounties” to encourage them to find more bugs.

It’s important to understand that the “security research” we are talking about is always “ad hoc” rather than formal.

These companies already do “formal” research and development. They invest billions of dollars in securing their technology. But no matter how much formal research they do, informal poking around by users, hobbyists, and hackers still finds unexpected things.

One reason is simply a corollary to the Infinite Monkey Theorem that states that an infinite number of monkeys banging on an infinite number of typewriters will eventually reproduce the exact works of William Shakespeare. A large number of monkeys banging on your product will eventually find security flaws.

A common example is a parent who brings their kid to work, who then plays around with a product doing things that no reasonable person would ever conceive of, and accidentally breaks into the computer. Formal research and development focuses on the known threats, but has trouble imagining unknown threats.

Another reason informal research is successful is how the modern technology stack works. Whether it’s a mobile phone, a WiFi enabled teddy bear for the kids, a connected pacemaker jolting the grandparent’s heart, or an industrial control computer controlling manufacturing equipment, all modern products share a common base of code.

Somebody can be an expert in an individual piece of code used in all these products without understanding anything about these products.

I experience this effect myself. I regularly scan the entire Internet looking for a particular flaw. All I see is the flaw itself, exposed to the Internet, but not anything else about the system I’ve probed. Maybe it’s a robot. Maybe it’s a car. Maybe it’s somebody’s television.
Maybe it’s any one of the billions of IoT (“Internet of Things”) devices attached to the Internet. I’m clueless about the products — but an expert about the flaw.

A company, even as big as Apple or Microsoft, cannot hire enough people to be experts in every piece of technology they use. Instead, they can offer bounties encouraging those who are experts in obscure bits of technology to come forward and examine their products.

This ad hoc nature is important when looking at the solution to the problem. Many think this can be formalized, such as with the requirement of contacting a company asking for permission to look at their product before doing any reverse-engineering.

This doesn’t work. A security researcher will buy a bunch of used products off eBay to test out a theory. They don’t know enough about the products or the original vendor to know who they should contact for permission. This would take more effort to resolve than the research itself.

It’s solely informal and ad hoc “research” that needs protection. It’s the same as with everything else that preaches openness and transparency. Imagine if we had freedom of the press, but only for journalists who first were licensed by the government. Imagine if it were freedom of religion, but only for churches officially designated by the government.

Those companies selling voting systems they promise as being “secure” will never give permission. It’s only through ad hoc and informal security research, hostile to the interests of those companies, that the public interest will be advanced.

The current exemptions have a number of “gotchas” that seem reasonable, but which create an unacceptable chilling effect.

For example, they allow informal security research “as long as no other laws are violated”. That sounds reasonable, but with so many laws and regulations, it’s usually possible to argue they violated some obscure and meaningless law in their research.
It means a security researcher is now threatened by years in jail for violating a regulation that would’ve resulted in a $10 fine during the course of their research.

Exceptions to the DMCA need to be clear and unambiguous that finding security bugs is not a crime. If the researcher commits some other crime during research, then prosecute them for that crime, not for violating the DMCA.

The strongest opposition to a “security research exemption” in the DMCA is going to come from the copyright industry itself — those companies who depend upon copyright for their existence, such as movies, television, music, books, and so on.

The United States’ position in the world is driven by intellectual property. Hollywood is not simply the center of American film industry, but the world’s film industry. Congress has an enormous incentive to protect these industries. Industry organizations like the RIAA and MPAA have enormous influence on Congress.

Many of us in tech believe copyright is already too strong. They’ve made a mockery of the Constitution’s statement of copyrights being for a “limited time”, which now means works copyrighted decades before you were born will still be under copyright decades after you die. Section 512 takedown notices are widely abused to silence speech.

Yet the copyright-protected industries perceive themselves as too weak. Once a copyrighted work is posted to the Internet for anybody to download, it becomes virtually impossible to remove (like removing pee from a pool). Takedown notices only remove content from the major websites, like YouTube. They do nothing to remove content from the “dark web”.

Thus, they jealously defend against any attempt that would weaken their position.
This includes “security research exemptions”, which threaten “DRM” technologies that prevent copying.

One fear is of security researchers themselves, that in the process of doing legitimate research that they’ll find and disclose other secrets, such as the encryption keys that protect DVDs from being copied, that are built into every DVD player on the market. There is some truth to that, as security researchers have indeed published some information that the industries didn’t want published, such as the DVD encryption algorithm.

The bigger fear is that evildoers trying to break DRM will be free to do so, claiming their activities are just “security research”. They would be free to openly collaborate with each other, because it’s simply research, while privately pirating content.

But these fears are overblown. Commercial piracy is already forbidden by other laws, and underground piracy happens regardless of the law.

This law has little impact on whether reverse-engineering happens so much as an impact on whether the fruits of research are published. And that’s the key point: we call it “security research”, but all that’s meaningful is “published security research”.

In other words, we are talking about a minor cost to copyright compared with a huge cost to cybersecurity. The cybersecurity of voting machines is a prime example: voting security is bad, and it’s not going to improve until we can publicly challenge it. But we can’t easily challenge voting security without being prosecuted under the DMCA.

### Conclusion

The only credible encryption algorithms are public ones. The only cybersecurity we trust is cybersecurity that we can probe and test, where most details are publicly available. That such transparency is necessary to security has been recognized since the 1880s with Kerckhoffs’s Principle. Yet, the naive still believe in coverups.
As the election industry claimed in their brief: “Giving anonymous hackers a license to attack critical infrastructure would not serve the public interest”. Giving anonymous hackers ad hoc, informal access to probe critical infrastructure like voting machines not only serves the public interest, but is necessary to the public interest. As has already been proven, voting machines have cybersecurity weaknesses that they are covering up, which can only be revealed by anonymous hackers.

This research needs to be ad hoc and informal. Attempts at reforming the DMCA, or the Copyright Office’s attempt at exemptions, get modified into adding exemptions for formal research. This ends up having the same chilling effect on research while claiming to allow research.

Copyright, like other forms of intellectual property, is important, and it’s proper for government to protect it. Even radical anarchists in our industry want government to protect “copyleft”, the use of copyright to keep open-source code open.

But it’s not so important that it should allow abuse to silence security research. Transparency and ad hoc testing are critical to research, and are more and more often being silenced using copyright law.

• Why Biden: Principle over Party
by Robert Graham on October 26, 2020 at 1:05 am

• No, that’s not how warrantee expiration works
by Robert Graham on October 17, 2020 at 2:59 am

• No, font errors mean nothing in that NYPost article
by Robert Graham on October 16, 2020 at 9:44 pm

• Yes, we can validate leaked emails
by Robert Graham on October 14, 2020 at 11:13 pm

• Factcheck: Regeneron’s use of embryonic stem cells
by Robert Graham on October 9, 2020 at 1:42 am

• Cliché: Security through obscurity (yet again)
by Robert Graham on September 12, 2020 at 11:30 pm

• How CEOs think
by Robert Graham on July 19, 2020 at 9:07 pm

• In defense of open debate
by Robert Graham on July 13, 2020 at 11:22 pm

• Apple ARM Mac rumors
by Robert Graham on June 16, 2020 at 7:43 pm

The latest rumor is that Apple is going to announce Macintoshes based on ARM processors at their developer conference. I thought I’d write up some perspectives on this.

### It’s different this time

This would be Apple’s fourth transition. Their original Macintoshes in 1984 used Motorola 68000 microprocessors. They moved to IBM’s PowerPC in 1994, then to Intel’s x86 in 2005.

However, this history is almost certainly the wrong way to look at the situation. In those days, Apple had little choice. Each transition happened because the processor they were using was failing to keep up with technological change. They had no choice but to move to a new processor.

This no longer applies. Intel’s x86 is competitive on both speed and power efficiency. It’s not going away. If Apple transitions away from x86, they’ll still be competing against x86-based computers.

Other companies have chosen to adopt both x86 and ARM, rather than one or the other. Microsoft’s “Surface Pro” laptops come in either x86 or ARM versions. Amazon’s AWS cloud servers come in either x86 or ARM versions. Google’s Chromebooks come in either x86 or ARM versions.

Instead of ARM replacing x86, Apple may be attempting to provide both as options, possibly an ARM CPU for cheaper systems and an x86 for more expensive and more powerful systems.

### ARM isn’t more power efficient than x86

Every news story, every single one, is going to repeat the claim that ARM chips are more power efficient than Intel’s x86 chips. Some will claim it’s because they are RISC whereas Intel is CISC.

This isn’t true. RISC vs. CISC was a principle in the 1980s when chips were so small that instruction set differences meant architectural differences. Since 1995 with “out-of-order” processors, the instruction set has been completely separated from the underlying architecture.
Instruction set differences account for at most 5% of the difference in processor performance or efficiency.

Mobile chips consume less power by simply being slower. When you scale mobile ARM CPUs up to desktop speeds, they consume the same power as desktops. Conversely, when you scale Intel x86 processors down to mobile power consumption levels, they are just as slow. You can test this yourself by comparing Intel’s mobile-oriented “Atom” processor against ARM processors in the Raspberry Pi.

Moreover, the CPU accounts for only a small part of overall power consumption. Mobile platforms care more about the graphics processor or video acceleration than they do the CPU. Large differences in CPU efficiency mean small differences in overall platform efficiency.

Apple certainly balances its chips so they work better in phones than an Intel x86 would, but these tradeoffs mean they’d work worse in laptops.

While overall performance and efficiency will be similar, specific applications will perform differently. Thus, when ARM Macintoshes arrive, people will choose just the right benchmarks to “prove” their inherent superiority. It won’t be true, but everyone will believe it to be true.

### No longer a desktop company

Venture capitalist Mary Meeker produces yearly reports on market trends. The desktop computer market has been stagnant for over a decade in the face of mobile growth. The Macintosh is only 10% of Apple’s business — so little that they could abandon the business without noticing a difference.

This means investing in the Macintosh business is a poor business decision. Such investment isn’t going to produce growth. Investing in a major transition from x86 to ARM is therefore stupid — it’ll cost a lot of money without generating any return.

In particular, despite having a mobile CPU for their iPhone, they still don’t have a CPU optimized for laptops and desktops. The Macintosh market is just too small to fund the investment required.
Indeed, that’s why Apple had to abandon the 68000 and PowerPC processors before: their market was just too small to fund development to keep those processors competitive.

But there’s another way to look at it. Instead of thinking of this transition in terms of how it helps the Macintosh market, think in terms of how it helps the iPhone market.

A big reason for Intel’s success against all its competitors is the fact that it’s what developers use. I can use my $1000 laptop running Intel’s “Ice Lake” processor to optimize AVX-512 number crunching code, then deploy on a billion dollar supercomputer.

A chronic problem for competing processors has always been that developers couldn’t develop code on them. As a developer, I simply don’t have access to computers running IBM’s POWER processors. Thus, I can’t optimize my code for them.

Developers writing code for ARM mobile phones, either Androids or iPhones, still use x86 computers to develop the code. They then “deploy” that code to mobile phones. This is cumbersome and only acceptable because developers are accustomed to the limitation.

But if Apple ships a Macbook based on the same ARM processor as their iPhone, then this will change. Every developer in the world will switch. This will make development for the iPhone cheaper, and software will be better optimized. Heck, even Android developers will want to switch to using Macbooks as their development platforms.

Another marketing decision is to simply fold the two together in the long run, such that iOS and macOS become the same operating system. Nobody knows how to do this yet, as the two paradigms are fundamentally different.
While Apple may not have a specific strategy on how to get there, they know that making a common hardware platform would be one step in that direction, so a single app could successfully run on both platforms.

Thus, maybe their long-term goal isn’t so much to transition Macintoshes to ARM as to make their iPads and Macbooks indistinguishable, such that adding a bluetooth keyboard to an iPad makes it a Macintosh, and removing the attached keyboard from a Macbook makes it into an iPad.

### All tech companies

The model we have is that people buy computers from vendors like Dell in the same way they buy cars from companies like Ford.

This is not how major tech companies work. Companies like Dell don’t build computers so much as assemble them from commodity parts. Anybody can assemble their own computers just as easily as Dell. So that’s what major companies do.

Such customization goes further. Instead of an off-the-shelf operating system, major tech companies create their own, like Google’s Android or Apple’s macOS. Even Amazon has their own version of Linux.

Major tech companies go even further. They design their own programming languages, like Apple’s Swift or Google’s Golang. They build entire “stacks” of underlying technologies instead of using off-the-shelf software.

Building their own CPUs is just the next logical step.

It’s made possible by the change in how chips are made. In the old days, chip designers were the same as chip manufacturers. These days, that’s rare. Intel is pretty much the last major company that does both.

Moreover, instead of designing a complete chip, companies instead design subcomponents. An ARM CPU is just one component. A tech company can grab the CPU design from ARM and combine it with other components, like crypto accelerators, machine learning, memory controllers, I/O controllers, and so on to create a perfect chip for their environment.
They then go to a company like TSMC or Global Foundries to fabricate the chip.

For example, Amazon’s $10,000 Graviton 1 server and the $35 Raspberry Pi 4 both use the ARM Cortex A72 microprocessor, but on radically different chips with different capabilities. My own microbenchmarks show that the CPUs run at the same speed, but macrobenchmarks running things like databases and webservers show vastly different performance, because the rest of the chip outside the CPU cores is different.

### Apple is custom ARM

When transitioning from one CPU to the next, Apple computers have been able to “emulate” the older system, running old code, though much slower.

ARM processors have some problems when trying to emulate x86. One big problem is multithreaded synchronization. They have some subtle differences which software developers are familiar with, such that multicore code written for x86 sometimes has bugs when recompiled for ARM processors.

Apple’s advantage is that it doesn’t simply license ARM’s designs, but instead designs its own ARM-compatible processors. They are free to add features that make emulation easier, such as x86-style synchronization among threads. Thus, while x86 emulation is difficult for their competitors, as seen on Microsoft’s Surface Pro notebooks, it’ll likely be easier for Apple.

This is especially a concern since ARM won’t be faster. In the previous three CPU changes, Apple went to a much faster CPU. Thus, the slowdown in older apps was compensated by the speedup in new/updated apps. That’s not going to happen this time around, as everything will be slower: a ton slower for emulated apps and slightly slower for ARM apps.

### ARM is doing unto Intel

In the beginning, there were many CPU makers, including high-end systems like MIPS, SPARC, PA-RISC, and so on. All the high-end CPUs disappeared (well, essentially).

The reason came down to the fact that often you ended up spending 10x the price for a CPU that was only 20% faster.
In order to justify the huge cost of development, niche CPU vendors had to charge insanely high prices.

Moreover, Intel would come out with a faster CPU next year that would match yours in speed, while it took you several more years to produce your next generation. Thus, even if you were faster than Intel by the time of your next model, in the moment right beforehand you were slower. On average, year after year, you didn’t really provide any benefit.

Thus, Intel processors moved from low-end desktops to workstations to servers to supercomputers, pushing every competing architecture aside.

ARM is now doing the same thing to Intel that Intel did to its competitors.

ARM processors start at the insanely low end. Your computer likely already has a few ARM processors inside, even if it’s an Intel computer running Windows. The hard drive probably has one. The WiFi chip probably has one. The fingerprint reader probably has one. Apple puts an ARM-based security chip in all its laptops.

As mobile phones started getting more features, vendors put ARM processors in them. They were incredibly slow, but slow meant they consumed little power. As chip technology got more efficient, batteries held more charge, and consumers became willing to carry around large batteries, ARM processors have gotten steadily faster.

To the point where they compete with Intel.

Now servers and even supercomputers are being built from ARM processors.

The enormous volume of ARM processors means that ARM can put resources behind new designs. Each new generation of ARM Cortex processors gets closer and closer to Intel’s on performance.

### Conclusion

ARM is certainly becoming a competitor to Intel. Yet, the market is littered with the corpses of companies who tried to ride this wave and failed. Just Google “ARM server” over the last 10 years to see all the glowing stories of some company releasing an exciting new design only to go out of business a year later.
While ARM can be “competitive” in terms of sometimes matching Intel features, it really has no “compelling” feature that makes it better, that makes it worth switching. The supposed power-efficiency benefit is just a myth that never pans out in reality.

Apple could easily make a desktop or laptop based on its own ARM CPU found in the iPhone. The only reason it hasn’t done so already is because of marketing. If they just produce two notebooks like Microsoft, they leave the customer confused as to which one to buy, which leads to many customers buying neither.

One market differentiation is to replace their entire line, and make a complete break with the past as they’ve done three times before. Another differentiation would be something like the education market, or the thin-and-light market, like their previous 12-inch Macbook, while still providing high-end systems based on beefy Intel processors and graphics accelerators from nVidia and AMD.

• What is Boolean?
by Robert Graham on May 31, 2020 at 9:35 pm

My mother asks the following question, so I’m writing up a blogpost in response.

> I am watching a George Boole bio on Prime but still don’t get it.

I started watching the first few minutes of the “Genius of George Boole” on Amazon Prime, and it was garbage. It’s the typical content that’s been dumbed-down so much that any useful content has been removed. It’s the typical sort of hero worshipping biography that credits the subject with everything that it plausibly can.

Boole was a mathematician who tried to apply the concepts of math to statements of “true” and “false”, rather than numbers like 1, 2, 3, 4, … He also did a lot of other mathematical work, but it’s this work that continues to bear his name (“boolean logic” or “boolean algebra”).

But what we know of today as “boolean algebra” was really developed by others. They named it after him, but really all the important stuff was developed later.
Moreover, the “1” and “0” of binary computers aren’t precisely the same thing as the “true” and “false” of boolean algebra, though there is considerable overlap.

Computers are built from things called “transistors” which act as tiny switches, able to turn “on” or “off”. Thus, we have the same two-value system as “true” and “false”, or “1” and “0”.

Computers represent any number using “base two” instead of the “base ten” we are accustomed to. The “base” of number representation is the number of digits. The number of digits we use is purely arbitrary. The Babylonians had a base 60 system, computers a base 2, but the math we humans use is base 10, probably because we have 10 fingers.

We use a “positional” system. When we run out of digits, we put a ‘1’ on the left side and start over again. Thus, “10” is always the number of digits. If it’s base 8, then once you run out of the first eight digits 01234567, you wrap around and start again with “10”, which is the value of eight in base 8.

This is in contrast to something like the non-positional Roman numerals, which had symbols for ten (X), hundred (C), and thousand (M).

A binary number is a string of 1s and 0s in base two. The number fifty-three, in binary, is 110101.

Computers can perform normal arithmetic computations on these numbers, like addition (+), subtraction (−), multiplication (×), and division (÷).

But there are also binary arithmetic operations we can do on them, like not (¬), or (∨), xor (⊕), and (∧), shift-left («), and shift-right (»). That’s what we refer to when we say “boolean” arithmetic.

Let’s take a look at the and operation. The and operator means if both the left “and” right numbers are 1, then the result is 1, but 0 otherwise. In other words:

```
0 ∧ 0 = 0
0 ∧ 1 = 0
1 ∧ 0 = 0
1 ∧ 1 = 1
```

There are similar “truth tables” for the other operators.

While the simplest form of such operators is on individual bits, they are more often applied to larger numbers containing many bits, many base two binary digits.
For example, we might have two 8-bit numbers and apply the and operator:

```
01011100 ∧ 11001101 = 01001100
```

The result is obtained by applying and to each set of matching bits in both numbers. Both numbers have a ‘1’ as the second bit from the left, so the final result has a ‘1’ in that position.

Normal arithmetic computations are built from the binary. You can show how a sequence of and and or operations can combine to add two numbers. The entire computer chip is built from sequences of these binary operations — billions and billions of them.

### Conclusion

Modern computers are based on binary logic. This is often called “boolean logic”, after George Boole, who did some work in this area, but it’s foolish to give him more credit than he deserves. The above Netflix documentary is typical mass-market fodder that gives their subject a truly astounding amount of credit for everything they could plausibly tie to him.

• Securing work-at-home apps
by Robert Graham on May 19, 2020 at 10:03 pm

In today’s post, I answer the following question:

> Our customer’s employees are now using our corporate application while working from home. They are concerned about security, protecting their trade secrets. What security feature can we add for these customers?

The tl;dr answer is this: don’t add gimmicky features, but instead, take this opportunity to do security things you should already be doing, starting with a “vulnerability disclosure program” or “vuln program”.

### Gimmicks

First of all, I’d like to discourage you from adding security gimmicks to your product. You are no more likely to come up with an exciting new security feature on your own than you are a miracle cure for the covid. Your sales and marketing people may get excited about the feature, and they may get the customer excited about it too, but the excitement won’t last.

Eventually, the customer’s IT and cybersecurity teams will be brought in. They’ll quickly identify your gimmick as snake oil, and you’ll have made an enemy of them.
They are already involved in securing the server side, the work-at-home desktop, the VPN, and all the other network essentials. You don’t want them as your enemy, you want them as your friend. You don’t want to send your salesperson into the maw of a technical meeting at the customer’s site trying to defend the gimmick.

You want to take the opposite approach: do something that the decision maker on the customer side won’t necessarily understand, but which their IT/cybersecurity people will get excited about. You want them in the background as your champion rather than as your opposition.

### Vulnerability disclosure program

To accomplish the goal described above, the thing you want is known as a vulnerability disclosure program. If there’s one thing that the entire cybersecurity industry is agreed about (other than hating the term cybersecurity, preferring “infosec” instead), it is that you need this vulnerability disclosure program. Everything else you might want to do to add security features in your product comes after you have this thing.

Your product has security bugs, known as vulnerabilities. This is true of everyone, no matter how good you are. Apple, Microsoft, and Google employ the brightest minds in cybersecurity and they have vulnerabilities. Every month you update their products with the latest fixes for these vulnerabilities. I just bought a new MacBook Air and it’s already telling me I need to update the operating system to fix the bugs found after it shipped.

These bugs come mostly from outsiders. These companies have internal people searching for such bugs, as well as consultants, and do a good job quietly fixing what they find. But this goes only so far. Outsiders have a wider set of skills and perspectives than the companies could ever hope to control themselves, so they find things that the companies miss.

These outsiders are often not customers.

This has been a chronic problem throughout the history of computers.
Somebody calls up your support line and tells you there’s an obvious bug that hackers can easily exploit. The customer support representative then ignores this because they aren’t a customer. It’s foolish wasting time adding features to a product that no customer is asking for.

But then this bug leaks out to the public, hackers widely exploit it damaging customers, and angry customers now demand to know why you did nothing to fix the bug despite having been notified about it.

The problem here is that nobody has the job of responding to such problems. The reason your company dropped the ball was that nobody was assigned to pick it up. All a vulnerability disclosure program means is that at least one person within the company has the responsibility of dealing with it.

### How to set up vulnerability disclosure program

The process is pretty simple.

First of all, assign somebody to be responsible for it. This could be somebody in engineering, in project management, or in tech support. There is management work involved, opening tickets, tracking them, and closing them, but also at some point, a technical person needs to get involved to analyze the problem.

Second, figure out how the public contacts the company. The standard way is to set up two email addresses, “[email protected]” and “[email protected]” (pointing to the same inbox). These are the standard addresses that most cybersecurity researchers will attempt to use when reporting a vulnerability to a company. These should point to a mailbox checked by the person assigned in the first step above. A web form for submitting information can also be used. In any case, googling “vulnerability disclosure [your company name]” should yield a webpage describing how to submit vulnerability information — just like it does for Apple, Google, and Microsoft.
(Go ahead, google them, see what they do, and follow their lead).

Tech support needs to be trained that “vulnerability” is a magic word, and that when somebody calls in with a “vulnerability”, it doesn’t go through the normal customer support process (which starts with “are you a customer?”), but instead gets shunted over to the vulnerability disclosure process.

### How to run a vuln disclosure program

Once you’ve done the steps above, let your program evolve with the experience you get from receiving such vulnerability reports. You’ll figure it out as you go along.

But let me describe some of the problems you are going to have along the way.

For specialty companies with high-value products and a small customer base, you’ll have the problem that nobody uses this feature. Lack of exercise leads to flab, and thus, you’ll have a broken process when a true problem arrives.

You’ll get spam on this address. This is why even though “[email protected]” is the standard address, many companies prefer web forms instead, to reduce the noise. The danger is that whoever has the responsibility of checking the email inbox will get so accustomed to ignoring spam that they’ll ignore legitimate emails. Spam filters help.

For notifications that are legitimately about security vulnerabilities, most will be nonsense. Vulnerability hunting is a fairly standard thing in the industry, both by security professionals and hackers. There are lots of tools to find common problems — tools that any idiot can use.

Which means idiots will use these tools, and not understanding the results from the tools, will claim to have found a vulnerability, and will waste your time telling you about it.

At the same time, there are lots of non-native English speakers and native speakers who are just really nerdy, who won’t express themselves well.
They will find real bugs, but you won’t be able to tell because their communication is so bad.

Thus, you get these reports, most of which are trash, but a few of which are gems, and you won’t be able to easily tell the difference. It’ll take work on your part, querying the vuln reporter for more information.

Most vuln reporters are emotional and immature. They are usually convinced that your company is evil and stupid. And they are right, after a fashion. When it’s a real issue, it’s probably something in their narrow expertise that your own engineers don’t quite understand. Their motivation isn’t necessarily to help your engineers understand the problem, but to help you fumble the ball to prove their own superiority and your company’s weakness. Just because they have glaring personality disorders doesn’t mean they aren’t right.

Then there is the issue of extortion. A lot of vuln reports will arrive as extortion threats, demanding money or else the person will make the vuln public, or give it to hackers to cause havoc. Many of these threats will demand a “bounty”. At this point, we should talk about “vuln bounty programs…”.

### Vulnerability bounty programs

Once you’ve had a vulnerability disclosure program for some years and have all the kinks worked out, you may want to consider a “bounty” program. Instead of simply responding to such reports, you may want to actively encourage people to find such bugs. It’s a standard feature of big tech companies like Google, Microsoft, and Apple. Even the U.S. Department of Defense has a vuln bounty program.

This is not a marketing effort. Sometimes companies offer bounties that claim their product is so secure that hackers can’t possibly find a bug, and they are offering (say) $100,000 to any hacker who thinks they can. This is garbage. All products have security vulnerabilities. Such bounties are full of small print such that any vulns hackers find won’t match the terms, and thus won’t get the payout.
It’s just another gimmick that’ll get your product labeled snake oil.

Real vuln bounty programs pay out. Google offers $100,000 for certain kinds of bugs and has paid that sum many times. They have one of the best reputations for security in the industry not because they are so good that hackers can’t find vulns, but because they are so responsive to the vulns that are found. They’ve probably paid more in bounties than any other company and are thus viewed as the most secure. You’d think that having so many bugs would make people think they were less secure, but the industry views them in the opposite light.

You don’t want a bounty program. The best companies have vuln bounty programs, but you shouldn’t. At least, you shouldn’t until you’ve gotten the simpler vuln disclosure program running first. It’ll increase the problems I describe above tenfold. Unless you’ve had experience dealing with the normal level of trouble, you’ll get overwhelmed by a bug bounty program.

Bounties are related to the extortion problem described above. If all you have is a mere disclosure program without bounties, people will still ask for bounties. These legitimate requests for money may sound like extortion for money.

### The seven stages of denial

When doctors tell patients of their illness, they go through seven stages of denial: disbelief, denial, bargaining, guilt, anger, depression, and acceptance/hope.

When real vulns appear in your program, you’ll go through those same stages. Your techies will find ways of denying that a vuln is real.

This is the opposite problem from the one I describe above. You’ll get a lot of trash reports that aren’t real bugs, but some bugs are real, and yet your engineers will still claim they aren’t.

I’ve dealt with this problem for decades, helping companies with reports that I believe are blindingly obvious and real, but which their engineers claim are only “theoretical”.

Take “SQL injection” as a good example. This is the most common bug in web apps (and REST applications).
How it works is obvious — yet in my experience, most engineers believe that it can’t happen. Thus, it persists in applications. One reason engineers will deny it’s a bug is that they’ll convince themselves that nobody could practically reverse engineer the details out of their product in order to get it to work. In reality, such reverse engineering is easy. I can either use simple reverse engineering tools on the product’s binary code, or I can intercept live requests to REST APIs within the running program. Security consultants and hackers are extremely experienced at this. In customer engagements, I’ve found “impossible to find” SQL vulnerabilities within 5 minutes of looking at the product. I’ll have spent much longer trying to get your product installed on my computer, and I really won’t have a clue about what your product actually does, and I’ll already have found a vuln.

Server side vulns are also easier than you expect. Unlike the client application, we can assume that hackers won’t have access to the product. They can still find vulnerabilities. A good example is “blind SQL injection” vulnerabilities, which at first glance appear impossible to exploit.

Even the biggest/best companies struggle with this “denial”. You are going to make this mistake repeatedly and ignore bug reports that eventually bite you. It’s just a fact of life.

This denial is related to the extortion problem I described above. Take as an example where your engineers are in the “denial” phase, claiming that the reported vuln can’t practically be exploited by hackers. The person who reported the bug then offers to write a “proof-of-concept” (PoC) to prove that it can be exploited — but that it would take several days of effort. They demand compensation before going through the effort. Demanding money for work they’ve already done is illegitimate, especially when threats are involved. Asking for money before doing future work is legitimate — people rightly may be unwilling to work without pay.
(There’s a hefty “no free bugs” movement in the community from people refusing to work for free).

### Full disclosure and Kerckhoffs’s Principle

Your marketing people will make claims about the security of your product. Customers will ask for more details. Your marketing people will respond saying they can’t reveal the details, because that’s sensitive information that would help hackers get around the security.

This is the wrong answer. Only insecure products need to hide the details. Secure products publish the details. Some publish the entire source code, others publish enough details that everyone, even malicious hackers, can find ways around the security features — if such ways exist. A good example is the detailed documents Apple publishes about the security of its iPhones.

This idea goes back to the 1880s and is known as Kerckhoffs’s Principle in cryptography. It asserts that encryption algorithms should be public instead of secret, that the only secret should be the password/key. Keeping the algorithm secret prevents your friends from pointing out obvious flaws but does little to discourage the enemy from reverse engineering flaws.

My grandfather was a cryptographer in WW II. He told a story how the Germans were using an algorithmic “one time pad”. Only, the “pad” wasn’t “one time” as the Germans thought, but instead repeated. Through brilliant guesswork and reverse engineering, the Allies were able to discover that it repeated, and thus were able to completely break this encryption algorithm.

The same is true of your product. You can make it secure enough that even if hackers know everything about it, they still can’t bypass its security. If your product isn’t that secure, then hiding the details won’t help you much, as hackers are very good at reverse engineering. I’ve tried to describe how unexpectedly good they are in the text above.
All hiding the details does is prevent your friends and customers from discovering those flaws first.

Ideally, this would mean publishing source code. In practice, commercial products won’t do this for obvious reasons. But they can still publish enough information for customers to see what’s going on. The more transparent you are about cybersecurity, the more customers will trust you are doing the right thing — and the more vulnerability disclosure reports you’ll get from people discovering you’ve done the wrong thing, so you can fix it.

This transparency continues after a bug has been found. It means communicating to your customer that such a bug happened, its full danger, how to mitigate it without a patch, and how to apply the software patch you’ve developed that will fix the bug.

Your sales and marketing people will hate admitting to customers that you had a security bug, but it’s the norm in the industry. Every month when you apply patches from Microsoft, Apple, and Google, they publish full documentation like this on the bug. The best, most trusted companies in the world have long lists of vulnerabilities in their software. Transparency about their vulns is what makes them trusted.

Sure, your competitors will exploit this in order to try to win sales. The response is to point out that this vuln means you have a functioning vuln disclosure program, and that lack of similar bugs from the competitor means they don’t. When it’s you yourself who publishes the information, it means you are trustworthy, that you aren’t hiding anything. When the competitor doesn’t publish such information, it means they are hiding something. Everyone has such vulnerabilities — the best companies admit them.

I’ve been involved in many sales cycles where this has come up. I’ve never found it adversely affected sales.
Sometimes it’s been cited as a reason for not buying a product, but by customers who had already made the decision for other reasons (like how their CEO was a cousin of the salesperson) and were just looking for an excuse. I’m not sure I can confidently say that it swung sales the other direction, either, but my general impression is that such transparency has been more positive than negative.

All this is known as full disclosure, the fact that the details of the vuln will eventually become public. The person reporting the bug to you is just telling you first, eventually they will tell everyone else. It’s accepted in the industry that full disclosure is the only responsible way to handle bugs, and that covering them up is irresponsible.

Google’s policy is a good example of this. Their general policy is that anybody who notifies them of vulns should go public in 90 days. This is a little unfair of Google. They use the same 90 day timeframe both for receiving bugs in their product as well as for notifying other companies about bugs. Google has agile development processes such that they can easily release patches within 90 days whereas most other companies have less agile processes that would struggle to release a patch in 6 months.

Your disclosure program should include timeframes. The first is when the discoverer is encouraged to make their vuln public, which should be less than 6 months. There should be other timeframes, such as when they’ll get a response to their notification, which should be one business day, and how long it’ll take engineering to confirm the bug, which should be around a week. At every stage in the process, the person reporting the bug should know the timeframe for the next stage, and an estimate of the final stage when they can go public with the bug, fully disclosing it.
Ideally, the person discovering the bug doesn’t actually disclose it because you disclose it first, publicly giving them credit for finding it.

Full disclosure makes the “extortion” problem worse. This is because it’ll appear that those notifying you of the bug are threatening to go public. Some are, and some will happily accept money to keep the bug secret. Others are simply following the standard assumption that it’ll be made public eventually. In other words, that guy demanding money before making a PoC will still go public with his claims in 90 days if you don’t pay him — this is not actually an extortion threat though it sounds like one.

### After the vuln disclosure program

Once you start getting a trickle of bug notifications, you’ll start dealing with other issues.

For example, you’ll be encouraged to do secure development. This means putting security in from the very start of development in the requirements specification. You’ll do threat modeling, then create an architecture and design, and so on.

This is fiction. Every company does the steps in reverse order. They start by getting bug reports from the vuln disclosure program. They then patch the code. Then eventually they update their design documents to reflect the change. They then update the requirements specification so product management can track the change.

Eventually, customers will ask if you have a “secure development” program of some sort. Once you’ve been responding to vuln reports for a while, you’ll be able to honestly say “yes”, as you’ve actually been doing this, in an ad-hoc manner.

Another thing for products like the one described in this post is zero-trust. It’s the latest buzzword in the cybersecurity industry and means a wide range of different things to different people. But it comes down to this: that instead of using the product over a VPN, the customer could securely use it without the VPN.
It means the application, the authentication, and the communication channel are secure even without the added security protections of the VPN.

When supporting workers-at-home, the IT/infosec department is probably following some sort of zero-trust model, either some custom solution, or using products from various companies to help it. They are probably going to demand changes in your product, such as integrating authentication/login with some other system.

Treat these features the same as vulnerability bugs. For example, if your product has its own username/password system with passwords stored on your application server, then that’s essentially a security bug. You should instead integrate with other authentication frameworks. Actual passwords stored on your own servers are the toxic waste of the security industry and should be avoided.

At some point, people are going to talk about encryption. Most of it’s nonsense. Whenever encryption gets put into a requirement spec, something is added that doesn’t really protect data, but which doesn’t matter, because it’s optional and turned off anyway.

You should be using SSL to encrypt communications between the client application and the server. If communications happen in the clear, then that’s a bug. Beyond that, though, I’m not sure I have any clear ideas where to encrypt things.

For products using REST APIs, you should pay attention to the OWASP list of web app bugs. Sure, a custom Windows application isn’t the same as a public web server, but most of the OWASP bugs apply to anything similar to an application using REST APIs. That includes SQL injection, but also a bunch of other bugs. Hackers, security engineers, and customers are going to use the OWASP list when testing your product.
If your engineers aren’t all knowledgeable about the OWASP list, it’s certain your product has many of the listed bugs.

When you get a vuln notification for one of the OWASP bugs, it’s a good idea to start hunting down related ones in the same area of the product.

### Outsourcing vuln disclosure

I describe the problems of vuln disclosure programs above. It’s a simple process that nonetheless is difficult to get right.

There are companies who will deal with the pain for you, like BugCrowd or HackerOne. I don’t have enough experience to recommend any of them. I’m often a critic, such as how recently they seem willing to help cover up bugs that I think should be fully disclosed. But they will have the experience you lack when setting up a vuln disclosure program, and can be especially useful at filtering the incoming nonsense to get at the true reports. They are also somebody to blame if a true report gets improperly filtered.

### Conclusion

Somebody asked “how to secure our work-at-home application”. My simple answer is “avoid gimmicks, instead, do a vulnerability disclosure program”. It’s easy to get started, such as setting up a “[email protected]” email account that goes to somebody who won’t ignore it. It’s hard to get it right, but you’ll figure it out as you go along.

• CISSP is at most equivalent to a 2-year associates degree
by Robert Graham on May 13, 2020 at 7:09 pm

by Robert Graham on April 2, 2020 at 5:23 am

• Huawei backdoors explanation, explained
by Robert Graham on March 6, 2020 at 8:57 pm

• A requirements spec for voting
by Robert Graham on March 4, 2020 at 8:05 pm

• There’s no evidence the Saudis hacked Jeff Bezos’s iPhone
by Robert Graham on January 28, 2020 at 9:51 pm

• How to decrypt WhatsApp end-to-end media files
by Robert Graham on January 28, 2020 at 7:24 pm

## 2 thoughts on “Errata Security”

1. Scarlett says:

I am amazed, I must say. Seldom do I come across a blog
that is both educative and amusing, and without a doubt,
you have hit the nail on the head. Cyber Security is something
that too few men and women are speaking intelligently about.
Now I’m very happy that I stumbled across this in my search for great cyber information.