Act 1 of 5 is now out for Windows and Mac. I’m intrigued by this, but I’ll be holding out for the Linux version (promised “soon”) before I move on this. If you’re bold enough to give this point-and-click a spin, be sure to share your impressions with me!
Notice: This post contains mild spoilers, but it’s nothing you can’t gather from the trailer.
The fact that Skyfall is in theatres right now is pretty impressive, considering that MGM died and came back to life just to bring us more Craig-Bond. Still, it’s a pretty good movie. Except for how it deals with technology.
Given the day and age we live in, it’s hard to ignore technology in modern movie plots. This makes it all the more bewildering that so few writers manage to do it well. Much, much more commonly they do a terrible job with it. Skyfall is a perfect example.
Here’s a rundown of the top ten things that went wrong with technology in Skyfall’s script.
1.) IP Tracing Backwards
At one point early on, the folks at MI6 have the opportunity to trace a computer attack in progress. They run through it like a phone trace. The attack is coming from the UK, specifically London. Gasp! The attack is coming from inside MI6!
Here’s the problem: that fact would have been immediately obvious. There are only three ranges of IP space reserved for private networks, whether it’s your home wifi or a first-world intelligence agency. If the attack had originated from inside the private network, they would be able to identify the asset it came from instantly.
Egregiousness factor: Minimal. They arrived at the same conclusion with a bit more pizzazz. Something happens that precludes the next phase of the investigation (who’s connected to that asset as a relay point?) on-screen, but in the real world this investigation would have continued into containment and then prevention.
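The point in #1 is that the source address alone tells you whether a connection came from inside the private network, before any "trace" begins. The check below, written for this post rather than taken from it, classifies constructed flow-log lines (the `src=... dst=... dport=...` format is assumed, not a real product's) against the three RFC 1918 ranges so that internal-origin sources surface immediately:

```python
import ipaddress
import re
from typing import Dict, List

# The three IPv4 blocks RFC 1918 reserves for private networks. They are not
# routable on the public Internet, so a packet carrying one as its source
# either originated inside the network or was forged at the edge (which a
# perimeter filter should have dropped).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


# Hypothetical flow-log format (assumption): "src=<ip> dst=<ip> dport=<port>".
FLOW_LINE = re.compile(
    r"src=(?P<src>[0-9.]+)\s+dst=(?P<dst>[0-9.]+)\s+dport=(?P<dport>\d+)"
)


def triage(flow_lines: List[str], target: str) -> Dict[str, List[str]]:
    """Split every flow aimed at `target` by whether its source is internal.

    Returns the distinct source addresses per bucket, in first-seen order.
    """
    buckets: Dict[str, List[str]] = {"internal": [], "external": []}
    for line in flow_lines:
        m = FLOW_LINE.search(line)
        if not m or m.group("dst") != target:
            continue
        src = m.group("src")
        key = "internal" if is_private(src) else "external"
        if src not in buckets[key]:
            buckets[key].append(src)
    return buckets


# Constructed sample flows (not real traffic): two external probes and one
# internal host repeatedly hitting the same server.
SAMPLE_FLOWS = [
    "src=203.0.113.7 dst=10.20.0.5 dport=443",
    "src=198.51.100.23 dst=10.20.0.5 dport=443",
    "src=10.20.4.77 dst=10.20.0.5 dport=22",
    "src=10.20.4.77 dst=10.20.0.5 dport=22",
    "src=192.0.2.99 dst=10.20.0.9 dport=80",  # different target, ignored
]

if __name__ == "__main__":
    for bucket, sources in triage(SAMPLE_FLOWS, "10.20.0.5").items():
        print(f"{bucket}: {sources}")
```

The ranges are spelled out rather than using `ipaddress`'s `is_private`, which also covers loopback, link-local and documentation space; the explicit list matches the three ranges the post refers to. An internal-origin source is the cue to pivot to asset inventory (which host, which user, what else it talked to) rather than to a geographic trace.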
2.) Don’t Click Shit!
Later, M receives another fun little message from the hacker-sauce villain. The theme of the message follows on one that punctuates the scene I described above, which was a personalized multimedia presentation designed to incite a response from her. This time, the message includes a link.
Naturally, M clicks it.
Oh, it’s only a link to an online video; that’s lucky! Granted, the attacker already has enough control over M’s system to steal focus on an active console session. It’s unlikely he would actually need human interaction to do further harm on that system (or, following on the previous scene, that network). Still…
Egregiousness factor: Irritating, but plausible. For the head of an organization that certainly traffics in information and security, this kind of thick-headed ignorance of information security is shocking. Has she neither the training nor the sense to know that clicking on an obvious hacker payload is a terrible idea? Why was the IT department not her first phone call after clicking it?
3.) Let’s Plug It In, I’m Sure It’s Safe!
At one point, the villain is captured and brought to MI6’s headquarters. They do the sensible thing with his meatworks — they put him into a holding cell where his captors have access to him to interrogate, but he does not have access to anything outside of the cell. That’s how holding cells work, generally.
Meanwhile, they are far less sensible about his laptop. They plug it into the network to explore its contents. Not an isolated DMZ for untrusted or possibly malicious assets. A trusted network! With access to important subsystems, like the controls to the physical holding cell.
Predictably, things do not go well for MI6.
Egregiousness factor: Idiotic. Q is not a genius.
4.) It Takes Two
The aforementioned laptop has not one, but two ethernet interfaces. It’s a really, really beefy machine. I bet one is for all the packets in and the other is for the packets out. Computers work like that, right?
Egregiousness factor: No. Computers do not work like that. Not without an unnecessarily convoluted, environment-specific configuration, and even then it does not and should not convey that the machine is any more super. It just makes #3 twice as dumb.
On the heels of the scene I described in #3, there’s a frantic hacking scene. The good guys are trying to unravel the loot from the villain’s laptop. Technical terms are flying back and forth, regardless of whether they fit. The screen is a mess of nonsense visualization, mostly just to try (and mostly fail) to represent how hard this is.
I’ll dig into some of the finer points of awfulness, but this scene is a classic example of throwing as much jargon as the writers could find at the script and hoping beyond hope that something sticks.
Egregiousness factor: This is slightly less bad than the horrifying programming/hacking sequence of Swordfish.
6.) Polymorphic Encryption
One of the more irritating examples of nonsense jargon to come out of #5 was the following utterance from Q: “He’s using a polymorphic encryption algorithm. It keeps changing!”
Let me be clear. This is not a thing. This doesn’t even make sense.
Whether you’re using symmetric or asymmetric encryption, the point is that the key will decrypt the cipher text. That key doesn’t change. If there’s an active system re-encrypting the cipher, it’s still using the same key pair in the end, so you haven’t changed that the same key unlocks it all in the end. If you’re worried about the integrity of the cipher text itself without the presence of the key, your algorithm isn’t very good — it doesn’t matter if you keep changing it with a derivative key.
Egregiousness factor: High. This is entirely unnecessary. If I start talking about ACTUAL ENCRYPTION THAT REALLY EXISTS, I will make most people zone out within minutes. You don’t have to invent bullshit to tech-impress the audience.
7.) Gibberish != Hexadecimal
During the same hacking sequence I described in #5, Bond’s contribution is to identify non-hexadecimal pairs of characters in what is otherwise clearly a block of hexadecimal. This isn’t a great observation - these couplets are literally in a different color on screen.
Egregiousness factor: This is utter nonsense. The stuff you’re putting on screen, it’s either hexadecimal or it’s not. Anything that isn’t 0-9 or A-F is not hexadecimal. Make up your mind. This was not a clue, it was stupid.
8.) An Ultimately Weak Lock
Those non-hexadecimal characters I mentioned in #7 quickly anagram out to form a word, a name. “Try that as a password,” Bond suggests. It works. The tangled knot of nodes and edges quickly unscrambles into the protected data.
Egregiousness factor: My brain is exploding because of the bullshit.
Given how they pointed out in #6 that the bad guy is using mythical encryption functions to protect his data, you would expect the key to rival the effort he’s put into protecting his data.
No, that might make sense. Instead he’s using a password. A case-insensitive password of a single character class and about 10 characters. A password that is barely better than “password”. A password he left lying around in his data on the device.
The more believable setup to this whole moronic scenario would be if he’d written the password on a post-it on the bottom of the laptop. Oh, I forgot; he’s a spy. Maybe put the post-it in a secret compartment.
9.) Radio is Awesome Technology
Skyfall has no hesitation expressing its love for radio. This might be touching, if they spent any amount of time thinking about how radio works (or at least how it doesn’t work).
First is the tracking transmitter Bond is given by Q early on in the film. It’s one of the only two “gadgets,” if you can indeed call them that, that he’s given. It’s not a GPS tracker — that point is made amply clear through dialog from multiple characters.
The thing is the size of a keychain, which means it’s powered by a watch battery. Let’s go nuts and assume it’s powered by two watch batteries. That’s not enough power to transmit a signal from a remote area of China to one listening station where MI6 could receive it, let alone the three it would take to triangulate a signal.
Later on, Bond finds himself chasing our super villain through Underground tunnels. Meanwhile, back at MI6, a little icon labeled “Bond” zips through a 3D map of the tunnels. How is he being tracked? Presumably it’s the same radio transmitter. But it turns out radio waves don’t travel all that effectively through rock — there are physical limits to how radio travels through dense material like rock and concrete. So, apparently I was wrong before: that transmitter is powered by magic.
Egregiousness factor: Forgivable. If this were the worst of the movie’s offenses against science, it would hardly be worth mentioning. I bring it up largely because the script goes out of its way to applaud low tech, even while abusing it as thoroughly as it does high tech.
10.) “There’s only 6 people in the world who could code this.”
No. You’re wrong, Q. This statement is foolish and you’re an egotistical ass.
It might be true (though a stretch) that only a handful of people in the world could originally come up with a programming trick, but once it’s been done it can be replicated. Despite everything Hollywood has tried to convince you of, the world has no shortage of very smart people who are very good at expanding good ideas, if not cooking them up on their own. In fact, there are entire sub-industries within IT made up of them.
Pro tip: almost none of the aforementioned very smart people work for governments during peace time because the pay is dirt.
Skyfall may be the least Bond-like Bond film I’ve seen. With Daniel Craig in the suit, MGM has been reaching for a grittier Bond. They’ve added a few dashes of John McClane to the mix. I would say this experiment has been a mixed bag but is mostly successful. It’s with disappointment (and a fair amount of catharsis) that I write this post, because I want to see Hollywood do tech well, and even when it’s doing other things right, so much goes awry with the wrong consultants on the job. So, Hollywood! Bubbe! Give me a call next time, alright?
I decided to give lock picking a spin at DerbyCon. I bought a basic set of picks from the Fraternal Order of Locksport (FOOLS) crew and sat down to begin my first attempts at picking a padlock.
It turns out the Master Lock No. 4 laminated locks are ridiculously easy to pick — I was able to tackle those as a complete novice in a matter of minutes. The Master Lock No. 3 proved more of a challenge. I was able to defeat the lock just once before the end of the conference, and only then after a half hour of trying and some pointers from a more experienced lock picker. When I got home, I bought a No. 3 to continue practicing.
As you can see from the video here, I’ve gotten pretty handy with it. I can pretty reliably pop this padlock in a matter of seconds anymore. I’m looking to progress onto some more difficult locks; perhaps a 5- or 6-pin cylinder before attempting something with security pins? Any suggestions on what locks to look for next?
Last night, NIST announced the winner of the SHA-3 competition that began back in 2007. The algorithm being standardized is Keccak (pronounced “catch-ack”). The function was designed by programmers from Belgium and Italy, most notably Joan Daemen, who co-designed the Rijndael cipher we’ve come to know as AES. Keccak is not derived from SHA-2. The advantage here is that any future attack on SHA-2 does not extend into an attack - hypothetical or manifested - on SHA-3.
The thing to keep in mind when considering this news is that SHA-3 is neither replacing a broken algorithm nor providing a one-stop-shop for protecting sensitive data. If we’ve learned just one thing since the advent of the GPU, it should be that hashing functions are deterministic unidirectional compression functions and not what we should think of as encryption. These things are so fast that use of a hashing function to protect your data is undone simply by exhaustively compressing comparison messages until we’ve found a matching hash.
Why am I on a soap box about it? Two reasons.
First, I’m already seeing people eager about “upgrading” existing security functions that currently employ SHA-2 to SHA-3. This is nonsense; SHA-3 is not quantifiably more secure than SHA-2. Please don’t do this. It’s a waste of your time and your employer’s money.
Second - and more troubling - I’ve seen some folks excited about “upgrading” from bcrypt to SHA-3. This isn’t nonsense, it’s absurd. An algorithm like bcrypt is valuable and useful for applications like salted password storage because it is a memory-hard key derivation function. It is slow, and when it comes to storing passwords, slow is secure. To the person who already knows the password, an evaluation of a few thousand milliseconds is less than a hiccup. But it renders that mode of attack wildly impractical for someone who wants to brute force your stolen password hash. The Keccak function does not compare to this; if you eschew something in the bcrypt/scrypt/PBKDF2 family for simple SHA-3, you’re regressing back into GPU-assailable territory.
The round-about point I’m making here is that the NIST announcement does not radically change the landscape. If this news has you thinking about radical change in your software already, you’ve probably not got your feet planted firmly on the ground. Best to consider SHA-3 an option alongside, but not a replacement for, SHA-2.
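To make the fast-hash versus slow-KDF distinction concrete, here is an added example (mine, not anything from the NIST announcement or from the Keccak team) that stores a password with salted PBKDF2-HMAC-SHA256 from Python’s standard library, verifies it in constant time, and measures how many times longer one KDF evaluation takes than one SHA3-256 call. PBKDF2 stands in for the bcrypt/scrypt/PBKDF2 family the post names because it ships in `hashlib` everywhere; the `pbkdf2_sha256$iterations$salt$hash` record layout and the 200,000 iteration count are my own choices:

```python
import hashlib
import hmac
import os
import time
from typing import Optional


def sha3_digest(data: bytes) -> str:
    """Plain SHA3-256: deterministic, one-way and very fast.
    Fine for integrity checks; the wrong tool for storing passwords."""
    return hashlib.sha3_256(data).hexdigest()


# Work factor for the KDF (assumed value). Raise it as hardware gets faster.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as a self-describing record so the
    iteration count can be raised later without invalidating old records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def seconds_per_call(fn, rounds: int) -> float:
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def slowdown_factor(iterations: int = ITERATIONS, rounds: int = 3) -> float:
    """How many times longer one PBKDF2 evaluation takes than one SHA3-256.
    That ratio is the factor by which guessing against a stolen record slows."""
    salt = b"\x00" * 16  # fixed salt: only the cost is being measured here
    fast = seconds_per_call(lambda: sha3_digest(b"correct horse"), rounds * 1000)
    slow = seconds_per_call(lambda: hash_password("correct horse", salt, iterations), rounds)
    return slow / fast


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)
    print("verify ok :", verify_password("correct horse", record))
    print("verify bad:", verify_password("wrong horse", record))
    print(f"PBKDF2 is ~{slowdown_factor():,.0f}x slower per guess than SHA3-256")
```

Swapping `sha3_256` into `hash_password` in place of `pbkdf2_hmac` would make every record verifiable in about a microsecond, which is precisely the regression the post warns about; the per-record salt and the stored iteration count are what let you raise the cost over time.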
Postscript: Please tell me you’re not still using SHA-1. Please, please tell me you’re not still using SHA-0 or MD5.
A security conference is usually a pretty good time and place to drop some new software (or the occasional 0-day) on the world and this year’s DerbyCon in Louisville, KY was no disappointment. Over the next few days, I’ll cover some of the new shinies that saw their first dawn at the conference as well as some of my general take-aways and talking points.
First up is a nifty piece of software called CookieCadger. Drawing its name from the verb to cadge - meaning to obtain by imposing on another’s generosity - CookieCadger is a spiritual successor to FireSheep.
FireSheep is a security toy released as a Firefox extension back in 2010 to demonstrate the need for SSL channels at the social networking sites that have become the backbone of our daily web consumption. It implemented a session impersonation attack by lifting session identifiers from cookies being transmitted over unencrypted web traffic. The project caught the attention of the intended parties, HTTPS traffic was enabled for the big players, and FireSheep drifted into the obscurity of vaporware.
Two years later, enter CookieCadger. Started as an Iowa State graduate project by Matthew Sullivan, CookieCadger expands on the legacy of FireSheep and builds a considerably more robust toolkit from the same concept.
An attacker runs the software (written in Java, so it’s cross-platform from day one) on one or more network interfaces, presumably on older wireless or unswitched wired networks. For instance, let’s say he’s in the corner of Joe’s Coffee Shack, a local draw known for its free wifi and open mic nights. All around him people are conducting web traffic happily over port 80, blissfully unaware or unconcerned with the truth that their data is literally flying through the air. The attacker’s machine is sniffing this traffic and extracting vulnerable session data from a packet capture. He doesn’t even need to be sniffing traffic live — he can load in a pcap file to do it, so don’t think you’re safe just because your traffic’s running through switched hardware.
As a blue team member, I’ve already started to come up with some practical uses for this application. The most obvious is to run it against your company’s web applications to verify whether you’re leaving yourselves vulnerable to this exact method of exploitation. I can also see this being used in layperson presentations to demonstrate what SSL encryption is, why it’s important, and what can happen if you believe it doesn’t matter to you.
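The blue-team use just described boils down to one question: does your application ever hand a session cookie to a browser in a way that lets it travel in the clear? The audit below is an added example of mine (it is not CookieCadger code and does not sniff anything); it parses `Set-Cookie` headers from constructed HTTP responses and flags cookies issued over plaintext HTTP, cookies missing the `Secure` attribute, and session-looking cookies missing `HttpOnly`. The `SESSION_NAME_HINTS` list and the sample responses are my own assumptions:

```python
from typing import Dict, List, Tuple

# Cookie-name fragments that usually mark an authenticated session (assumed list).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value: str) -> Dict:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attrs."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_response(scheme: str, raw_response: str) -> List[Tuple[str, str]]:
    """Return (cookie_name, problem) pairs for every exposure in the response.

    scheme is the URL scheme the response was fetched over ('http' or 'https').
    """
    findings: List[Tuple[str, str]] = []
    for line in raw_response.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(line.split(":", 1)[1])
        name = cookie["name"]
        attrs = cookie["attrs"]
        session_like = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
        if scheme == "http":
            # The cookie itself just crossed the wire in the clear.
            findings.append((name, "sent-over-http"))
        if "secure" not in attrs:
            # Without Secure the browser will also attach it to any http:// request.
            findings.append((name, "no-secure"))
        if session_like and "httponly" not in attrs:
            findings.append((name, "no-httponly"))
    return findings


# Constructed responses (not captured from any real site).
INSECURE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=c0ffee1234; Path=/
Set-Cookie: theme=dark; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=c0ffee1234; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: theme=dark; Path=/; Secure
"""

if __name__ == "__main__":
    for scheme, body in (("http", INSECURE_RESPONSE), ("https", HARDENED_RESPONSE)):
        print(scheme, audit_response(scheme, body) or "clean")
```

Note that serving the login page over HTTPS is not enough on its own: a cookie set without `Secure` will still be attached by the browser to any `http://` link to the same host, which is exactly the traffic a passive sniffer on open wifi gets to read.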
CookieCadger is not free, but it’s a very modest $10 and that money goes direct to Hackers for Charity. I’ve already got my copy and I’ve been tinkering around with this at home. I recommend checking it out. The source code will be released in the near future (supposedly mid-October) after undergoing a post-hackfest code cleanup.
Check out Matthew Sullivan’s slides for the presentation here.
TAG Heuer Carrera 1887 “SpaceX” Watch
Omega and NASA have always had a long-lasting relationship, and now another luxury watch manufacturer is getting in the space game. This TAG Heuer Carrera 1887 features the SpaceX logo and both the Falcon 9 launch rocket and Dragon spacecraft - two of their most notable projects.
For those unaware of what SpaceX is, it’s a space transportation company founded by Elon Musk - the genius behind PayPal and Tesla Motors. The guy is basically a real life Tony Stark. Don’t be surprised if he starts fighting off super villains in near future.
I don’t commonly like chronograph-style watches because they violate every principle of simplicity ever uttered. This watch, however, peaks in epic territory on multiple levels. It’s an incredibly stylish, understated chronograph that isn’t brazen with its window dressing. It commemorates one of the more important initiatives in modern space travel as well.