Full Disclosure

There have been three discreet schools of thought on disclosing vulnerabilities. Totally open, partially open, and no disclosure. Fairly logical that.

No disclosure is the school of thought that the best means of security is no public and limited private dissemination of vulnerabilities is the best means of security. “Security through obscurity” is the primary phrase of this moment. The logic is quite simple on the surface. If “no one knows” about the problem, it doesn’t exist as far as virtually everyone knows. That means there will be less chance of said vulnerability being exploited, as few people will know about it.

Partially open disclosure is that the issue is acknowledged in very general terms, but no details whatsoever are given. In theory, it’s supposed to be a compromise of between the two parties. In practice, the majority hates it.

Full disclosure is just that. Open, complete discussion of vulnerabilities. All or nearly all details in the open to all parties. It’s not considered inconsistent to give the manufacturer or other responsible party a defined period of time to resolve the issue before publication of the vulnerability. The problem is that the vulnerability can be exploited by virtually anyone interested in doing so. Finding a flaw can be difficult, replicating it is often trivial.

Security through obscurity sounds like a very reasonable argument. Only problem is… Knowledge always leaks given enough time. Unless the person who found the vulnerability is a hermit, he or she is going to tell someone else. Or if that person exploits the vulnerability multiple times, it likely will eventually be noticed. A vulnerability that isn’t or can’t be exploited is of limited value to the bad people.

Another consideration is that virtually everyone, including black hats, are motivated by MICE. Money, Ideology, Coercion, and Ego. Black hats are motivated to do what they do. Previously, it was a historical trend that they did their work for ideology or ego. These days, black hats motivated by ego is the minority (in terms of being a threat). The majority are motivated by money, plain and simple. Primarily spam, but also harvesting personal/corporate/government information for resale or private exploitation.

The “individual” non-profit Black Hats are also starting to die off. They still exist, but are an extreme minority compared to the folks acting as independent or dependent contractors or specialists. Specifically, organized groups that have taken to information and electronic exploitation. Organized crime, intelligence services, military units specializing in IEW, paramilitaries (Security Services, terrorists, PMC’s, et al), corporate espionage groups, etc. They have a specific motivation, whatever it is. These motivations (MICE) have existed since the dawn of civilization and will not disappear until humanity does. Electronical medium is a new playing field, but the overall themes are extremely old.

Outlawing full disclosure is akin to outlawing firearms. People will still engage in their behavior and the only people hindered are the victims. Throughout time, people have always reacted to bad news by shooting the messenger in hopes that the underlining information or situation will expire with the messenger. This is never the case, but the mentality survives.

Full disclosure is very painful to virtually every party in some way. The originating manufacturer of the vulnerability must fix it, the researcher who discovered the vulnerability faces legal or reputation liability, the criminal now much deal with a potentially informed and prepared victim, the potential victim must mitigate the vulnerability.

This sounds like a major pain in the fourth point of contact. So why would any sane person advocate it?

Because it has been shown to be the only historical way of gaining real security.

This is not a new debate. The first published debate on full disclosure is traced to the 1850’s, but existed long before that. Guilds had elaborate procedures of restricting information to only acceptable parties in order to maximize profit at the expense of the consumer and public. Often, dangerously restricted. The milk processing guild restricted knowledge of their milk adulterating procedures, which happened to be very dangerous and not infrequently life threatening.

We are in the same boat as the public in the 1850’s. The overwhelming majority of people do not have the time, training or ability to thoroughly examine every bit of their operating system, every aspect of their locks, etc. It can and often does take a decade or more to master just one area of study. As humans are not immortal, it is impossible to have a mastery of all subjects.

It is in the public’s interest, as well as the manufacturer’s long term interest, to openly disclose vulnerabilities. If a batch of milk was contaminated, people who purchased it must be told. If a lock can be bypassed trivially, the owners should know. If a car has faulty brakes, the driver must know. If there is a major hole in a computer system, the operator must know it exists. Without this knowledge, it is impossible to mitigate the risk. The public will suffer. After being burned, they will not trust and will extract retribution (hopefully through the courts) on the responsible party, the manufacturer.

While it is painful, the manufacturer who discloses a vulnerability greatly reduces their long term liability for a defective product. They then build a better product. Short term loss, long term gain.

Unfortunately, the “shoot the messenger” instinct is still very very strong. In the US, there are laws in place that severely restrict reverse engineering. Free speech prohibits blanket bans of security publications, but Congress does its best to infringe on behalf of people who solely focus on the short term. This has extended to the point of security researchers literally being dragged off the podium in handcuffs. (Sklyarov) It is not infrequent for the manufacturer of the vulnerability to threaten or engage in legal proceedings to silence security researchers. (MIT students v MTA metrocard, et al) People just naturally get angry when they are given bad news. Especially if bad news is directly attributable to the person receiving the bad news.

If you think hackers get treated unfairly, try giving open disclosure lectures on locks. People are absolutely shocked, horrified and angry that their $20 pot metal piece of garbage lock is easily bypassed. Rather than accept personal responsibility and make reasonable steps to mitigate the issue, it’s just plain easier to be angry at the person who told you the information. It doesn’t change the reality of the situation. The vulnerability exists, whether folks know about it or not.

Professionals inform each other. Criminals circulate information. When open disclosure is banned, only the consumer or potential victim is in the dark. Exactly like gun control. When you attend to infringe or ban firearms, you do not stop the police or criminals from owning firearms. Only the public is hurt. Information on vulnerabilities is no different.

Read More

Thoughts on Taser C2

Disclaimer: While I believe the Taser is not a product I would own or rely upon for my safety, I am NOT an expert. All of my information is based off the product marketing material, the Taser website, and conversations with Taser users (LE, instructors, etc). You should do your OWN research and make your own choices. The following rant is entirely geared around my own assessment for my own situation and the single case cited in the rant. YOUR situation is entirely different and thus my rant probably does not apply well to you.

Tasers are less lethal weapons. They are not 100% safe (safe being nonlethal), and cannot be. Any weapon capable of incapacitating someone in a semi reliable manner has the chance of killing. This should be drilled into anyone’s head before they use a weapon. If a suspect dies from a tasing, it should be reviewed in exactly the same manner that using a firearm would generate. Lethal force is lethal force, regardless of whether a suspect was shot, tased, or brained with a baton. “But I used a taser!” is not and should not be a defense. Mind you, I’m not saying an officer or non-LE person is automatically in the wrong if any suspect dies (regardless of method used), far from it.

Personally and professionally, I find Tasers to be not a good product. Not from a “don’t tase me bro” anti-police way. Bit of background, I’m a “security specialist” in a generic sense. Information security, IT security, physical security, etc. When I look at something, I ponder all of the strengths and weaknesses.

One day an acquaintance asks me about Tasers. She works with a lot of cash and occasionally has to transport it. Her company allowed and encouraged carrying a Taser. She asked me what I knew about them. Aside from learning about them in a basic sense back in the military along with other less lethal weapons for crowd control, I didn’t know much. Thankfully, there’s a EMS/fire/LE/etc supply store across the street. So I went across the street and learned more about them.

First off, two models. LE and a “civilian” model, the Taser C2. (The clerk didn’t like when I joking pointed out that police are civilians too, which was even more amusing.) I didn’t ask too much about the LE version, as my acquaintance was interested in buying one of the cute looking C2 models. The civvie model is light, curvey and non-threatening looking. It’s called the Taser C2, and is visually packaged to express the impression of “consumer electronics” instead of weapon. But hey, that’s just aesthetics. Nothing wrong with that. So let’s move on to why it’s a bad product that is dangerous to the user.

It fires a single cartridge costing $25, which contains compressed air, wire, barbs, etc. And allegedly some kind of micro-ID thingies that can potentially be used to identify a perp as well as the owner. There is no OEM training cartridge for the civvie model. Which means you CANNOT safely test the device unless you’re handy with electricity and know how to safely ground something conductive. There is no way to turn off the juice, so it is risky to test the Taser on anything that is conductive and improperly grounded. Besides it being insane to never being able to safely test and practice with an allegedly life saving device, why is this worrisome?

If you did not read the manual, did not test the device and need to use it in self-defense, you will quickly learn that you have been hauling around a $350 ish paperweight. See, the device needs activation.

I swear to the gods, I am not lying. A weapon that needs permission before usage. I find the concept horrifying, personally, but I guess certain folks would love it. Here is the proof: https://activate.taser.com/c2activation/ You must pay an additional fee for a private company to conduct a background check. If you do not pass or don’t activate the product, the Taser C2 is disabled. If the person processing the request makes a mistake or the necessary IT equipment malfunctions, you are out $350 for the device and another $10 for the background check. Since it is a private company, there is no oversight or accountability laws to govern its background checks. And since you can’t safely test it, you have no guarantee that your unit will function as it is needed to function. If you somehow can safely test the unit, it is $25 per functionality check.

Why is this? So if a felon buys a Taser, he can’t use it. Yes, that is the company’s exclusive justification for such a radical product flaw. Because no felon would lie and give false information to Taser’s activation folks, or pay someone else to activate the Taser. Felons are known for their scrupulous honesty and for never lying to suit their own needs.

Let’s ignore the fact that you also handed over your name, address, driver’s license and other deeply personal information to a company. An identity thief’s dream. I wonder how much they pay their data entry clerks? Enough that they wouldn’t be tempted to earn some side cash selling your information? This also assumes the company will not give out your personal information or sell it. Let’s also ignore the deeply offensive treatment of their customers. Each and every customer is treated like a potential criminal at best, and like a mindless child at worst. It is their company, and they can make a buck however they choose.

Well, let’s move onto usage. The design is only practical if you have one attacker. It converts to a “stun gun” if the cartridge is expended (and the unit is not disabled), which is a nice thought and only slightly less useful than having a heavy rock. It allows you to zap a person up to 50 times. But the official usage doctrine for the C2 is to press the button (the C2 model gives shocks in 30 second durations), drop the unit, run to a safe location and call 911. So following that logic… the manufacturer specifically suggests the unit is near useless against more than one aggressor. Unless you carry multiple Tasers, of course.

A $2 knife is starting to sound like a more durable, better designed and significantly safer weapon. I’d buy my acquaintance a full auto MP5 and pay an insane retainer to the sharkyist defense lawyer in the region before I could in good conscience pick up a Taser for her. Hell, I’d buy her a rock before I’d buy her a Taser. Thankfully, the tasteful PR DVD included in the product packet was enough to convince her that they are a really bad idea. It’s a dangerous, poorly designed, and hideously expensive weapon with limited functionality. She’s leaning towards a Keltec or a XD compact.

Read More


I was reading Dark Arts for the Good Guys, as linked to by Ms. Tamara K..

Pretty good advice. Thought I’d toss in my own 2 cents on world travel.

If you don’t know what you’re doing, stick to tourist areas. Not “edgy” tourist areas you can brag about. Normal, boring, pretty tourist areas. Don’t go visiting areas outside said tourist areas. Most second or third world countries have tourism police and have a very vested interest in protecting foreign tourist trade from petty criminals. Not you personally. The tourist trade. Most likely, prices will be more than double in tourist areas and you won’t get an authentic experience. So what? If you’re on vacation, you’re burning cash anyways. Authentic experiences suck. Go with the Disney version. Less poverty, less bad food and food poisoning, less lack of hygiene, and the drinks taste better.

Hire a guide. Preferably a reputable guide connected to whomever booked your trip. Said guide will fleece you quite nicely. You’ll go to places where the guide gets a kickback or has a “friend” running the place. So what? If you hired the guide from someone reputable, they don’t care about the guide personally, they just want reliable service. Honest service is not required, so long as it’s not too bad for business. If you pick carefully, having a guide will make your trip significantly more enjoyable. When I was in Bulgaria, I hired an assistant history professor from a local university to give myself and my associates a tour of various historic places. Worth very penny, as I happen to like old castles and whatnot.

While I was in Sofia, I hired a guide/transport/fixer to take me to clubs, mafia casinos, black markets, etc. Not smart if you’re by yourself. Acceptable if you are with three other soldiers and you’re not all complete muppets. Just make sure one of you remains sober at all times and doesn’t drink or eat anything with the rest. Yes, the movie clique of doped drinks does happen. Or you could be ordering bad food or drink, requiring one person to not be projectile vomiting to make arrangements for a medevac. I made up for the costs of my guide by having someone who could haggle in the local lingo when I bought the mandatory useless crap to send back to friends and family in the States.

If your guide is giving you the creeps or bad vibes, ditch them immediately and get another. Your hotel should be able to swing you one in a pitch. Don’t ignore your instincts. On the other hand, be nice to your guide and don’t treat them like a serf. Gifts aren’t a bad idea, but use good judgment.

Don’t bring anything that cannot be replaced overseas. Your wedding ring? Leave it and swap it out for a cheap fake. Same for your watch, wallet, favorite briefcase, everything. Take everything you need out of your regular wallet and transfer it to another thinner wallet. Should just be ID, cash, two credit cards max (unless required for some specific purpose), limited number of checks (NOT the whole friggin book), etc. If your wallet gets stolen or misplaced, best to minimize the damage. Have cash. Keep some in reserve, but not an excessive amount. Don’t wear any jewelry made of gold, silver or precious stones. Not even fakes. Empty your luggage before packing. I mean, completely empty and quadruple check it to make sure it’s really empty. Put everything in your luggage in plastic baggies, smallest ones you can effectively manage. Try not to be clever and hide anything in your packed socks while travelling. After you land? Sure. Going through airport security? Not so smart. Write down all of the important information and phone numbers onto a cheatsheet. Photocopy it. Put one in your wallet, one in each piece of luggage, and put another spare in your carry-on. Include flight numbers, hotel, emergency contacts, embassy info, phone numbers for everything important, health information including blood type and allergies, insurance info, etc.

Carry some trade goods. Cigarettes are the best. Marlboros or Camels are prefered. Don’t go with anything fancy either. Batteries, semicheap watches, LED lights, etc are all good. Don’t carry too many on your person at any one time. Leave the majority of it in your luggage. Two or three packs of smokes on your person will likely get you by. Don’t use booze as a trade good. Don’t even think about touching drugs. It’s either really cheap crap or laced with something you don’t want.

If you are travelling on business, refuse to go unless the company coughs up for travel insurance, kidnap/ransom/extortion insurance and the services of a security/medical company. I have comprehensive membership through International SOS. Corporate membership is dirt cheap (relatively speaking), and can get the company a nice break on their insurance premiums. If you’re going to a country that has even the remotest possibility of going south, do not go without all of the above. Your company may already have it in place. If you’re going on vacation, strongly consider shelling out for it. If you’re going domestic, Western Europe or Australia, it’s not really needed. Anywhere else? You really should spring for it. It’s dirt cheap compared to your life.

Lastly, but not least, do some research on your destination. Learn as much of the local lingo as you can, even if it’s just a handful of memorized phrases. Look up the country on the State Department’s website, google around, etc. While it may be considered overkill, some companies do provide more detailed information. International SOS includes this in their membership, but companies like StratFor or Jane’s Consulting also have very useful information.

Read More

Politicians and Civil Rights Reform

Politicians, bah.    Gods, Hope n’ Change is wearing thin these days.

Folks did not like the NeoCon rule.  The excessive fearmongering, Iraq, excess spending, infringements on civil liberties, creation of entire new beaucracies, etc.  It ended up with Bush having an extraordinarily low popularity, and with Congress having even less popularity.  Comes the election.  Change is promised.  It sells, the bums are thrown out.  Not much changes.  Few if any of the Bush era excesses are repealed.  Certain Republicans are shocked (shocked!) that now the shoe is on the other foot.  They are actually surprised when their base is declared the enemy.  DHS is declaring right wing extremists, primarily veterans, are the most significant threat to the United States.

The difference between Democrats and Republicans is little more than rhetoric and a few unimportant wedge issues.  Both love spending, taxing, controlling and economically destroying US citizens.  The only significant advancements in civil liberties are those that the citizens take for themselves.  Either through the courts or forming special interest groups powerful enough to threaten the politicians.

The US Constitution was written to strictly limit the role and abilities of the federal government to specific activities.  If an activity is not enumerated in the Constitution, they are not allowed to do said activity.  This has been strongly ignored since FDR.  Now, the view is the federal government is allowed to do anything which is not strictly forbidden.  The Bill of Rights is only marginally enforced by the courts.  The Executive and Legislative branch have given up nearly all respect for the Amendments enumerating specific civil liberties, and only bow to it when forced to do so by special interest groups.

A lot of folks in the media are giving the NRA flack for actually trying to have the Second Amendment respected and enforced.  They claim that the NRA is manipulating Congress and the courts for malicious purposes.  The Second Amendment is very clear in its intentions.  The Constitutional arguments that it applies only to the National Guard or only allows government entities to be armed is beyond tortured logic.  There is no government on this planet that has ever existed that has denied itself weapons. None.  Even the Vatican grants weapons to some of its employees.  The sole purpose of the Second Amendment is to ensure the right of the people to keep and bear arms.  Why this is necessary is interesting philosophic debate, but is not essential to the central point.  Folks are allowed to have guns and the government bears a heavy burden in any restrictions they may wish to impose.

My point isn’t to rehash the Second Amendment or RKBA.  It is to point out that the government has a very strong desire to disarm its citizenry.  It is significantly more difficult to oppress a minority group if they are well armed.  It gives the potential for the government to answer to its citizenry.  It’s not a magic wand that grants freedom, liberty and prosperity to all.  It merely gives you a chance.  One you must maintain.  All governments become more restrictive and oppressive as they age.  It is the nature of all governments, as far back as human records go.  The citizenry must hold their own against their own government.  The most intelligent way to do so is to band together for a common goal.  Even if I disagree with the individual actions of a special interest group such as the ACLU or the NRA, I very much agree with the sentiment.  Banding together for mutual protection is the only way to hold your ground, and possibly retake some.

In the last few decades, think of what ordinary citizens have accomplished.  Concealed carry reform has spread.  Obscenity laws have been dismantled.  Income taxes are merely crushing instead of blatantly confiscatory.  The Internet has taken mass information dissemination away from the hands of the few and has given the chance for any one person to get information out to millions.

Despite the plethoria of infringements, there have been a few advances in civil rights directly in spite of our politicians.  Some of these are minor, some are significant.  It grants one hope.  Real hope, not the plandering of a Chicago politician who has never held honest employment in his life.  Get involved, do what you can.  Don’t protest to ‘feel good’, be effective.  Law suits, bribery (the legal kind, campaign contributions), networking, etc.  If what you are doing is not effective, drop it and try a new set of tactics.

Read More