Episode: 559
Title: HPR0559: Hack Radio Live 3
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0559/hpr0559.mp3
Transcribed: 2025-10-07 23:05:42

---
This train is sort of inbound.
Some frame from sectors.
My crime is that of outsmarting you.
If you have not yet submitted your identity to the Retinal Clearance System.
Communications interface online.
You're not dealing with AT&T.
Automatic medical systems engaged.
Welcome to the Internet, my friend.
How can I help you?
Defense of a weapon selection system activated.
Have a very safe day.
From San Diego, California.
I'm Drake Anubis.
And from sunny or not so sunny Florida, it's an eggmark.
So it's, again, almost midnight my time.
So how are you doing, Drake?
Oh, I'm so tired.
Last night I was up, I didn't get back into forks.
I went to a movie screening premiere thing.
And that was a lot of fun, but it was probably ill-advised.
What movie did you go see?
We went and saw The Room.
And we usually go up to LA to see it.
But the producer and cast and such were down here.
So we went and hobnobbed with the celebrities.
About what?
It's called The Room.
You're not familiar with The Room. It's a cult classic.
I am not familiar with The Room.
I thought you were the movie guy.
I am the movie guy, but that's why I asked you to say it again.
Because it didn't ring a bell.
OK, we'll look into it.
I'll look into it.
What do you have, Tim?
Being annoyed by the Verizon person trying to sell me internet
when I have Bright House cable.
But that's bad.
He's trying to sell you FiOS.
And you said, no, I don't want faster, better internet.
I just don't want to deal with it at this point.
I'm just not one who likes quality.
I like eating dirt, for example.
It's a better deal.
It's a better package for the TV from Bright House than it is for FiOS.
Just for the record.
Look, I'm tired.
All you're going to get tonight is witty resentment.
That's all I have to offer.
Well, I actually better make the best of it.
In my show topic, I'm going to actually make you think.
So, or at least pretend to think.
I'll pretend.
So I do all day.
Yeah, I know.
I told you I was a consultant.
You know this.
Yes, and you pretend to think that's OK.
I'm cool with that.
So...
What are we doing today?
You've been so excited about it.
I'm not excited about it.
Well, I was going to give a...
Someone has to be better for you.
Thanks.
So I'm going to give a security 101 for you.
I'm going to teach you some concepts and some terminology from a security professional standpoint.
We talk mostly on the show about what the hacking community relates to and what that terminology is.
And sometimes we'll venture onto the security professional side.
And that's my degree and stuff.
Potentially interesting.
Potentially interesting.
And potentially boring.
So this is either going to go really bad or it's going to have really bad ratings.
I feel like I'm wasting a lot of space here.
Because I'm actually on the edge of my seat.
So maybe I'll scoot back a little bit.
You're on the edge of your seat.
OK.
So I guess two concepts that I wanted to go over.
And then we'll throw in some extras to fill time if we need to.
Do you know what the CIA triad is, or that term?
I'm not familiar with the term.
Does it involve the NSA and some other organizations?
I knew you were going to say that.
And I was going to cut you off and say it does not have anything to do with our government.
It is a term that, pretty much if you take any security course or any type of information security or computer security course,
you're going to run into this term, and it's an acronym.
It means confidentiality and integrity and availability.
Those are three terms you're going to hear throughout any computer security or any information security course.
Oh, I get it.
It wasn't the letter agency.
I was going to briefly go over that and play question and answer with you.
So when you hear the term confidentiality, what do you think of?
Hold on, I think recording just stopped on my side.
You're killing me.
No, no, it was going. Never mind.
I'm sorry, go ahead.
Jeez.
Boy, the thing froze. It said your USB bandwidth has been exceeded and I'm like, what the hell?
Do we have to go over that again?
No, no.
When I hear whatever you just said, I usually think of security and integrity and the NSA.
Not the NSA.
Okay, so when I say confidentiality, what do you think that means?
Oh, that.
Yeah, that confidentiality.
I assume it means that only the people who need to know or are permitted to know, know.
Very good.
Basically, this is your user authentication portion of the triad, meaning that only the people who need to know about the information know.
And like, they go over breaches in that. Going from a hacking side, breaches in that would be like social engineering.
It doesn't necessarily have to be technical.
So social engineering would be covered in that, shoulder surfing, things like that that aren't necessarily, you know, a technical attack against the system would also be included there in the breach of confidentiality.
Okay.
So any leak of information.
So integrity, what do you think that would be?
Integrity in this context.
I imagine would be that the data persists to be as it was when it was last created.
Yes, basically, avoiding tampering of any type of data.
So a good example would be like SQL injection, where you're making a page do something that it's not intended to do.
So you're modifying the data, or like you breach a system and you were to, you know, change
usernames and passwords. Or from a WPA or wireless standpoint, you know, breaking either WEP or WPA, going in and taking data, modifying it and putting it back.
It's not necessarily stealing data. It's modifying data.
Sure. A lot of encryption methods have integrity checks and digital signatures so that you can, after the fact, go through and say, no, no, this person definitely sent this because no one else would have that key, that sort of thing.
Right. And we're going to actually go over that later. So you're jumping ahead of me, but we're going to talk about, like, controls for each of the three.
So we went over confidentiality. Basically, that's the whole disclosure of information. Integrity is the information not being modified, and then availability is our last of the three.
And that would be that the website is up, or the database is available, or things of that nature. Availability comes in when we talk about attacking: like, DoS attacks would be attacking the availability portion of the triad. Or let's say power outages, hardware failures, system upgrades.
That is not necessarily attacking, but compromising the availability, because it doesn't necessarily have to be an illegitimate attack on this portion of the triad.
You know, hardware failures and system upgrades or maintenance windows are a good legitimate concern for availability.
Oh, before you move on, there was one router that I should mention just because it's so funny. There's a Cisco Catalyst, which is one of those big enterprise routers that can handle hundreds of connections.
And there was something you could do where if you did something really simple, like just send a malformed packet to the telnet port,
the thing would just crash and it would fail open. So you could go right into the... you could SSH into the configuration and start making changes. It was a big deal. It's pretty funny.
Yeah, and misconfiguration is a big concern on some of the switches too, because the management ports, for example, the ones that they use for the management of the switch or device,
if they're misconfigured, those can be a good vector of attack too. And you'd be surprised how often switches are left misconfigured because...
No, I would not be surprised.
No, because what happens is you try to set it up so that you have something configured the way it's supposed to be, and someone says, oh, but I need my email to sync with my BlackBerry.
And you have to do some kind of complicated network thing that you just can't do right now, and the boss is pissed, so you have to make some quick change.
And then you never have time to go back and do it the way you're supposed to.
Yeah, my environment at work is shockingly like that. I mean, we're understaffed and, you know, there's never enough man hours to go around.
So we're constantly cutting corners, and, you know, so you tell your boss he doesn't get email on his BlackBerry, or you have something insecure for a while.
Right. Exactly. So which is more dangerous to you as a person?
Yes, it makes me feel, you know, a little dirty.
And so I guess the next concept we want to talk about is going along with the integrity portion.
Along with integrity, what you alluded to earlier: non-repudiation. Do you know that term?
Well, if I alluded to it earlier, I'd hope so.
Well, do you know what non-repudiation is?
I would imagine that it's involved.
I wish I was more articulate this evening.
You can't forge messages would be an aspect of that.
Basically, yes. Non-repudiation is, in layman's terms, proving that you are you, or the message proves who the originator of the message is.
Basically, what I wanted to talk about here is the cryptography portion of non-repudiation with certificates and digital signatures.
And along with that, the suite of, or the infrastructure, PKI. Have you heard of that term?
I have heard of PKI, public key infrastructure.
Yes, and that's...
I've sent you encrypted emails before and you never wanted to, like... how hypocritical?
Well, how dare you?
Well, let's, in front of the entire internet...
Let's take a time out here.
I don't believe in sending sensitive data over email.
No, but the point is that if you send everything encrypted, then you can, because then no one's going to know.
Because you can say, oh no, I just send everything encrypted, so you can't say, oh, that one encrypted email, and, you know, target that.
So you're saying security through obscurity?
No, I'm saying that if everything's secure and someone wants to go back and say, oh, if I'm selling credit cards, right?
When I'm talking to you on AIM, I should have all of my conversations encrypted with OTR.
That way, if I only encrypted the parts where we were talking about credit cards, they know exactly when we were talking about credit cards.
And they can go in and target just those areas and find some kind of way to exploit the OTR encryption or whatever.
You can find logs for just those times or look at alibis.
If you have the entire thing encrypted, there's no way to prove that you had a motive for encryption.
Right, but I don't believe in encryption.
Well, no, let's rephrase that.
I don't believe in sending email with sensitive information.
I believe in getting it to them by other means.
I believe.
So in other words, hidden in a JPEG or something.
That's an option.
I was thinking more of PGPing a file, sending a file via SFTP or SCP or some secure means to get it there.
You know, I go old school.
I trick newspapers into writing stories that have code words in the headlines.
And that's how I tip off my ring of spies.
Yeah, that would be cool.
I saw that on Chuck the other night.
Just, it was interesting how they did the little... do you watch Chuck?
I don't watch TV.
Oh, you don't watch TV. Never mind.
Anyway, back to my...
So I'm so unhip. Go ahead.
You are unhip.
So back to my cryptography side.
PKI is the infrastructure which applications are built upon, such as PGP.
Well, it stands for public key infrastructure, doesn't it?
Correct.
That is the...
And then PGP, what's that acronym?
You know that one.
Okay.
Oh, PGP.
It's Pretty Good Privacy.
There you go.
You're good.
I'm making you think tonight.
Okay.
Picked a bad night.
So PGP is pretty much the standard encryption nowadays.
At least that's what, you know, most people use, at least in my opinion.
Do you know of anybody that uses... I mean, PGP and certificates are really the norm or the hip thing these days, right?
I do ROT13, but otherwise, yeah.
Oh, geez.
You know, there actually is ROT13 being used in the Windows registry for certain keys.
Yeah.
And that's... remind me what ROT13 is.
ROT13 is when you have, like, the alphabet and A stands for, like, X and B stands for Z and D stands for Y.
It's where you take the letters and you do a shift by a number of places.
Yeah, it's just a shift of characters.
And you just give the offset.
Yes.
And ROT13 is special because there's 26 letters in the alphabet.
So it's exactly the halfway point.
So you can use the same number of shifts to encrypt and decrypt.
Got it.
Yeah.
And it's been a while since I've dealt with ROT13.
Anyway.
So I'd hope so.
I hope it's not part of your daily encryption activities.
No, but like, you know, back in college, we went over all of the, like, AES, ROT13, you know, MD5, and ROT13 rang a bell, but I couldn't remember exactly what it was.
I knew there was one that did the shift, but I couldn't remember which one.
Yeah, that's ROT.
Go ahead.
No, I was just going to say, like, if you were to take a security certification, like Security+ or, you know, the CEH, Certified Ethical Hacker, or some certification like that, you would need to know that, by the way.
Yeah, ROT is just short for rotation.
Ah, okay.
The type of member.
Gotcha.
So the other, including PGP, the next thing is the certificates.
Do you know how, like, the public and private keys work?
Like, you want to explain that?
Absolutely not.
Well, I'll just give the overview.
Basically, you have a public key that you share out on the internet.
And that is basically paired with a private key that you keep private.
This key should never go out of your hands, nor should you share it with anyone.
That's the meaning of "private," usually?
Yes.
Well, I'll get to my meaning there in a minute.
So people are to encrypt with your public key.
And then only your private key can decrypt that message.
So that's the whole, like you were saying about sending me a message.
If I gave you my public key, you could encrypt the message with my public key.
And then only I would be able to view that message.
Yes.
The reverse, going back to my non-repudiation talk, is if I were to encrypt with my private key, you could decrypt it with my public key.
And that is what's called a digital signature.
Because it could only have come from you, because only you have your private key?
Correct.
Gotcha.
So that is why I insisted that, you know, the private key remain private, because then you have, you know, the non-repudiation on top of the security of having your... if someone were to encrypt with your public key, only you could decrypt it.
So there's the security there plus the non-repudiation going in the other direction.
And certificates basically work the, you know, the same way, sort of, like a server will have a, you know, a server certificate.
And this would be, like, you know, sent out to VeriSign. VeriSign would issue you a certificate saying that you are you, and you would install it on said web server.
And then that is a form of non-repudiation saying that I am Microsoft.com or I am, you know, Google.com or whatever.
That's the basis of how, you know, SSL works on the web server.
You know, the certificate for the HPR server has expired.
Oh, thank you.
Yeah.
Or it's invalid or something.
And Apple Mail freaks out every time I try to check for it.
It may be because we did a self-signed... because I doubt, yeah, that could be.
I doubt we went out and purchased a certificate for HPR from VeriSign.
And I'm just doubly...
Yeah, they're very expensive.
You can get one from GoDaddy for like 12 bucks, but that doesn't really...
I don't know why you won't bother.
We just did a big thing at work and I can't remember what the difference is.
But there is a difference between the GoDaddy certs and the VeriSign certs.
And I can't remember.
Yeah, I'm sure the VeriSign ones are, like, legitimate.
Well, no, the GoDaddy ones are legitimate, but I can't remember what the difference is.
Anyway, they're probably not signed by some other higher authority or some other root.
Oh, the VeriSign ones are inherent because Microsoft ships Windows with the VeriSign certs installed.
So you don't have to install anything on your machines.
That's very important.
So does your office do, like, these all lame office celebrations?
Like, well, we're VeriSign certified, or we're ISO 9100... what is the lame ISO certification?
ISO 9000.
ISO, like, 9001.
Yeah, 9001 or something like that.
Yeah, did your office have these lame parties? Like, oh, thank you VeriSign for making our business a success.
No, we don't have the ISO certification.
We have the SAS certification, which... I'm going to go off topic here and rant.
That's fine.
So this SAS certification was kind of lame because basically there's two parts to it.
It's an accounting portion of it and then a computer security portion.
So they bring in a CPA and they bring in, like, a CPU... a CISSP to do the security set.
So they bring in two guys and they go over a crap ton of documentation and, you know, certify that you're in compliance with their standards and blah, blah, blah.
And a lot of banks... my business caters toward a lot of financial institutions, and they wanted this certification.
So we went out and got it, and we paid a crap ton of money for the certification.
Anyway, that's...
Yeah, I imagine so.
That's not what I'm ranting about.
So this gentleman that was a CISSP, which is a very high security certification, by the way... the cert is Certified Information System Specialist, or I can't remember the acronym.
Now you're pretty close.
Okay, it's Certified Information Security System Specialist.
Yeah, there we go.
There we go.
Sorry.
Anyway, so this gentleman came in and looked over our documentation, and we gave him screenshots and stuff of various things like, you know, our logging, or we gave him pictures of our firewall logs and things like that in the documentation itself.
We spent, you know, months on this documentation.
It was very well done, in my opinion.
I am not part of the IT staff at my work.
I am a janitor... an operations... I am an operations guy.
I make sure things run, but I am not directly involved in the IT side of things.
Make sure the water's running.
No, I make sure... never mind.
I make sure my monkeys do what they're supposed to do.
And they won't listen to this, so I can call them monkeys on the air.
Anyway, so this guy came in and basically looked at our documents, spent, you know, hours asking us questions and looking, never set foot into the server room.
That just boggled my mind. I could have put anything in that document.
I could have said, you know, we were the most secure person on the planet, and he never validated it.
That's okay.
No, that's not okay. Not my opinion... Not okay in my opinion.
I was like, this is worthless.
You should put that doc... it doesn't have to be worthless.
Put that documentation online and sell it to other companies who need to pass this bullshit certification.
And then there you go.
Yeah, but this is just... it's just absolutely worthless to me.
Oh, you probably could have bribed this guy then.
Probably.
And that just seems very unethical to me, that you can walk into a place of business and do that and not validate anything they say.
Oh, most certifications are scams.
That's why, you know, you see those joke ones, like, you know, that Hacker Safe logo, you see that occasionally?
Yeah, yeah.
I like the ones that are protected by JPEG. That's my favorite.
Yeah. Anyway, so that was my rant for tonight.
All right. So getting back to my original topic.
Okay. So now we're going to talk about controls.
So we went through, you know, a few of the main topics.
And now we're going to talk about, like, authentication controls.
So have you ever heard the term, Drake, of, like, three-factor authentication or multi-factor authentication?
I'm glad you addressed me by name.
I wasn't sure who you were talking to.
Yeah.
But yes.
Sorry.
Pulling your leg.
I told you I'm tired.
All you get is witty...
Witty banter.
Okay. So.
Yeah.
The terms you'll hear a lot,
and again, if you take any type of security courses, are what you have, what you know, and who you are.
What you know: what would that have anything to do with authentication?
Maybe a password.
Oh, maybe a password.
Yeah. That's pretty much the only thing that it could be.
There are examples like... well, that would be what you have, never mind.
I'll get to that in a minute.
Okay. So what you have.
What you have.
I'm going to say a fingerprint or a token of some kind, like a key fob.
Fingerprints? No.
Fingerprints aren't what you have.
No.
What you have is not a fingerprint.
That is not what you have.
Is it what you are?
Is what you are?
What you are?
Is it an option?
Yes.
What you are?
Or who you are?
Yes.
Oh.
What you are?
Who you are?
I think what you have should be a fingerprint, because I can have what you have.
I can take your finger off.
And I can, James Bond movie.
You just open a door.
So now it's what I have.
That, that, no.
That is odd.
Who can I write a letter to?
I'm not happy about this.
I'm sorry.
So going back to what you have.
What you have would be...
Pissed-off Drake.
A token of some sort.
You know, those tokens that have the passwords on them.
Yeah.
That generate a one-time token.
Mm-hmm.
That would be what you have.
A card, an ATM card.
A debit card.
It would be what you have.
Plus the PIN would be, you know, what you know.
So that would be multi-factor authentication.
So.
|
||
|
|
And from a security standpoint, you know, one factor authentication would be most likely a password.
|
||
|
|
Two factor would be like a debit card to pin.
|
||
|
|
Mm-hmm.
|
||
|
|
And then three factor authentication is, well.
|
||
|
|
Yeah.
|
||
|
|
Here's where it all falls apart.
|
||
|
|
All, all three, meaning a fingerprint, a token, and a password.
|
||
|
|
You know, you can have a password too.
|
||
|
|
You know, because if you can give it, you can have it.
|
||
|
|
Just stop.
|
||
|
|
Just stop right now.
|
||
|
|
All right.
|
||
|
|
So, so who you are or what you are would be a fingerprint, a hand scan, an eye, you know, a retina scan, an iris scan, things like that.
|
||
|
|
You started to say eye because you recognize deep down you can, in fact, have an eye.
|
||
|
|
I can ensure, hold it up to the thing.
|
||
|
|
It happens to James Bond.
|
||
|
|
Shut up.
|
||
|
|
Shut up.
|
||
|
|
So, getting into the password, let's just take passwords alone.
|
||
|
|
So, this is the-
|
||
|
|
That's what you have, right?
|
||
|
|
That is.
|
||
|
|
Stop it.
|
||
|
|
What you know.
|
||
|
|
See, now even you're getting confused.
|
||
|
|
Like, well, yeah, I guess it is.
|
||
|
|
We need to check your notes.
|
||
|
|
Oh, that's all right.
|
||
|
|
Just just stop it.
|
||
|
|
Why are you corrupting the audience with this?
|
||
|
|
You're going to start a whole generation of people who believe that you can't have a finger, but you can only know a password.
|
||
|
|
All right.
|
||
|
|
All right.
|
||
|
|
So, going back to my original line of thinking.
|
||
|
|
So, what you know, passwords.
|
||
|
|
So, one factor authentication, passwords, isn't necessarily-
|
||
|
|
Let me make a distinction here.
|
||
|
|
One factor authentication isn't necessarily just passwords.
|
||
|
|
It could be any of the three.
|
||
|
|
Most of the time, however, if it's one factor authentication, it is a password.
|
||
|
|
Because that's the cheapest alternative.
|
||
|
|
Sure.
|
||
|
|
It could be like a key in a lock or like an RFID tag or something, sure.
|
||
|
|
Yeah.
|
||
|
|
But most of the time, it is a password.
|
||
|
|
I agree.
|
||
|
|
So, passwords, as I said, are the cheapest option, but they're the least secure option.
|
||
|
|
Because passwords can be broken in various means or just be weak passwords in the sense of, you know, your dog's name or your mother's maiden name.
|
||
|
|
Or whatever you would like to be, you know, the-
|
||
|
|
Oh, my God.
|
||
|
|
I saw one of those ones that was-
|
||
|
|
You know how I can get a website and you can pre-select certain options.
|
||
|
|
One of the pre-select options was this was for UPS.com was, what color are your eyes?
|
||
|
|
That is the worst security question ever.
|
||
|
|
Look over here.
|
||
|
|
Are your eyes green or hazel green?
|
||
|
|
Okay, thanks.
|
||
|
|
Not at all.
|
||
|
|
Thanks, thanks.
|
||
|
|
What I usually do with those pre-selected questions is I answer them wrong.
|
||
|
|
Yeah, I make things up.
|
||
|
|
Like, what's your favorite color, plaid?
|
||
|
|
Yeah.
|
||
|
|
Favorite sport, checkers.
|
||
|
|
Yeah.
|
||
|
|
So I'll do that intentionally just in case, you know, someone were to know me really well.
|
||
|
|
Yeah.
|
||
|
|
They wouldn't be able to guess my secret question because I think there are very insecure in the sense that, you know, most websites nowadays have the same secret questions.
|
||
|
|
Like, you know, what's your mother's maiden name, what's your pets, you know, what's your first pet's name.
|
||
|
|
The ones I kind of like are the ones where you put in your own question and answer.
|
||
|
|
I'll make things up.
|
||
|
|
Like on the windows, if you missed time and passed a couple of times, the past reminders, the first thing Obama said to me.
|
||
|
|
And I'm never talking to Obama.
|
||
|
|
But that way, if someone's breaking into my computer, they go, my God, he's like the president's best friend.
|
||
|
|
But yeah, passwords, going back to passwords, most, you know, it's the most common form of authentication.
|
||
|
|
Yes.
|
||
|
|
Moving on to what you have with the smart cards, we have at work the RFID proximity tags.
|
||
|
|
That we swipe in the door and, you know, can go in the door.
|
||
|
|
And that's all our door controls are our RFID.
|
||
|
|
At your place?
|
||
|
|
Mm-hmm.
|
||
|
|
But it's not like Raytheon, it's just that company you work for.
|
||
|
|
It's just that company I work for.
|
||
|
|
And they have this back company?
|
||
|
|
Yes.
|
||
|
|
Yeah.
|
||
|
|
And we're actually fairly stable yard when it comes to, you know, that type of stuff.
|
||
|
|
But we have our problems too.
|
||
|
|
But anyway.
|
||
|
|
Like your lack of correct certification methods?
|
||
|
|
Yes.
|
||
|
|
So what you have would be that.
|
||
|
|
And usually what you have or the second form of authentication is coupled with the first.
|
||
|
|
So usually it's a what you have plus what, you know, what you know.
|
||
|
|
So those usually are paired together.
|
||
|
|
Okay.
|
||
|
|
And most instances.
|
||
|
|
So I wanted to briefly talk about biometrics.
|
||
|
|
And do you know much about our scanning?
|
||
|
|
I did several years ago.
|
||
|
|
So everything I know is probably outdated.
|
||
|
|
Okay.
|
||
|
|
Two different types of eye scanning.
|
||
|
|
Good and bad.
|
||
|
|
Well, actually, yes.
|
||
|
|
Redness scanning and eye scanning.
|
||
|
|
Redness scanning is not nearly as reliable as eye scanning is.
|
||
|
|
Oh, I didn't know about this distinction.
|
||
|
|
Redness scanning is pretty good.
|
||
|
|
It's better than like hand geometry scanning and fingerprint scanning.
|
||
|
|
Well, let's let's talk about biometrics in general.
|
||
|
|
So fingerprint hand geometry.
|
||
|
|
There's like type where it will calculate your the speed of your type or the I can't think of the word.
|
||
|
|
Do you know what I'm talking about that?
|
||
|
|
Yeah.
|
||
|
|
There have been things where like, you know, you could have your password.
|
||
|
|
And if you're passed with Coca-Cola, you can type Coke in a pause and then Cola.
|
||
|
|
And it keeps track of the whole thing.
Yeah, it keeps track of your emotions.
Yeah, not a person alive that uses that.
Yeah, it's not very reliable.
There's voice activation, which again is not very reliable.
There's face recognition, again, not very reliable because, you know, you can throw a picture up to it.
Well, grow a beard and it throws it off.
And this brings up a good point.
There are what's called false negatives and false positives with all biometrics, or with all authentication methods.
So you can have a false positive, but you can't have a finger?
Stop that.
Stop confusing me.
A false positive would be granting access to someone that doesn't, shouldn't have access.
A false negative would be the reverse, where you're locking out your boss.
Which brings back a good point back to the password thing.
I know I'm jumping around here, but have you ever heard of the birthday attack?
The birthday attack?
Is that related to the birthday thing where if you have a bunch of people in a room, you can quickly guess how many people you need to have so that two have the same birthday?
Exactly.
But the birthday attack is more generated until the way the old...
Is that where you have a list of users and a list of passwords and you don't have to find...
As long as you don't want to break into a specific user account, you can just break into the account with the weakest password.
No, this is more of how the old LAN Manager used to hash passwords.
Back in NT and I believe...
Yeah, I think it's just in NT.
But the hash was short enough where you could, or actually in the new one as well, you don't necessarily have to guess the right password.
You can guess something that matches the hash of the password that you are...
So there were hash collisions back then?
Yes.
Wow, that's good.
You could theoretically have a different password, but it hashed out to be the same.
So your password could be dog or it could be Ken, and they had the same hash.
Well, that sucks. How likely were hash collisions?
That is as likely as you being in a room with this person with the same birthday.
So like one in 36 or something?
It was more than that, but I don't know the numbers.
It's a very small number.
Yeah, it's a very small number, but it's still theoretically what could happen.
Also going to the passwords.
It also depended on how short your password was.
Like the way...
The old LAN Manager used to do it is if it was shorter than I believe seven characters, it would put zeros or put like a specific hash value in the rest of the password to fill it out to a specific length.
So that was a known hash.
So you could figure it out based on if you looked at the hash.
You could figure out how long their password was, and then only have to worry about that set of characters.
Wow, that's lame.
So anyway, what if your password was by any chance the single letter S?
The single letter S would be like S, and then whatever the string was.
I think it was like OF, OF, I have to look at my notes, but...
Because I told you my friend's laptop password was S, right?
Yes, yes you did.
That's a point of contention for me.
I'm sorry.
That's...
It was possible.
Yeah, if you turn off the...
Well, I knew in 2003, at least Server, you could turn off the complex password.
Yeah, you could turn them all off.
Yeah, but I installed Windows on this laptop for them.
I didn't make a point to turn off the complexity requirements.
Anyway, so moving back to biometrics.
Back to my iris and retina thing.
So do you know what the difference between retina and iris scanning is?
I know what the difference is between the parts on the eye.
Okay, well that's basically what it scans.
Oh, okay.
So the retina scans the front of the eye, the iris scans the back of the eye?
Did I get that right?
No, the iris...
I thought that was the area around your eye where the actual color is.
Yeah, I flipped it.
I flipped it.
I'm sorry.
I flipped it.
That's okay.
Yeah, it's the reverse.
The retina would be the back of the eye.
The iris would be the front of the eye.
Do you have an eye?
I can give you an eye because you can have an eye if you want to study this issue further.
You know, shut up.
Okay, so...
You know, humans have five fingers on each hand.
Did you know that?
So the retina or iris scan is the most reliable form of biometrics.
But it brings up a good security, or a good privacy issue when we're talking about iris scanning.
Do you know what that would be?
Well, yeah.
Imagine that if one company has a good scan of your iris and then they get compromised.
Now your iris is all over the place.
So now any other company that relies on that technology can't employ you because your iris is floating around on the internet.
Nope.
I'm thinking more of a privacy issue for the female gender.
It emulates to eyes and returns to eyes.
People artificially color their eyes.
Negative.
So I'll just tell you whether you floundering.
You can actually tell if someone is pregnant by their iris scan.
Oh, is that right?
The way there's some type of hormones that affect the iris and the female body when she's pregnant versus when she's not pregnant.
You're sure of this?
Yeah.
Look it up.
I'm going to have to later.
Okay.
Anyway, there was a big privacy issue with this because, you know, for Department of Defense or government agencies.
I think it was the Department of Defense.
The female gender has to let them know, like in field duty, if they're pregnant or not, obviously for reasons.
And the iris was telling.
Let's put it that way.
I'm sure there's a big deal with companies that, you know, if you plan to take nine months off for maternity leave or whatever, and the company wants to fire you beforehand, they'd be able to save a lot of money that way.
Yep.
Exactly.
Yeah, that's ethical.
So yeah, it's unethical and that's why there was this article a few years back and you can look it up.
And I'll try to find the link and put it in the show notes.
But anyway, so that's my whole spiel on what you have, what you know, who you are.
Any questions from the audience?
Or you, Jerry?
You know, I have questions. Why, why even inside them?
Go ahead.
I'm just going to make fun of the whole thing or not being something that you can possess thing.
If you want to cut off the finger, be my guest.
Have you, have you heard of the gummy bear trick?
I've heard of doing it with Silly Putty.
You could do it with Silly Putty.
You could do it with gummy bears back in the day.
Nicolas Cage did it in that movie.
That wasn't that great.
That Face/Off?
No, National Treasure.
Oh, yeah.
I was thinking Face/Off where he took the hole.
Where is face with something he had?
Where he's physically the face he had.
Yeah.
It's not really helping your point here.
I know.
So what would you think the difference between authentication and authorization would be, that term?
Authentication.
Well, authentication is just, is something.
So what do you think it is?
And authorization is, does it have permission?
So authentication is, are you you, and authorization?
Do you have permission?
You're just killing my, my thunder here.
But yes, you're absolutely, you're absolutely right.
I'm all like minorly hungover too.
This was like, man, this was suck if it was last weekend for you when I was all hyped up on Monster.
Yeah, yeah.
Well, authorization also includes services like IP filtering, route assignment.
Basically, it also includes like IP filtering, you know, address assignment, route assignments, things like that.
Bandwidth control.
But anyway, and then the last bit of controls we can talk about is accounting.
And accounting is basically logging, logging everything, checking your logs, having some type of structure in place where you can view your logs easily.
That is the pain of everyone's existence.
We can log everything until we're blue in the face.
But if nobody checks the log, then what's the point?
You know, there's a software called Kerplunk that is supposed to be great with this kind of stuff.
Kerplunk? Never heard of it.
Yeah, remember, it's Splunk.
It's Splunk.
I think it's Splunk actually.
Yeah, it does thing.
You know, there's one cool tool I used once, I have to, I have to find it, put it in the show notes.
But you can import like a huge log, which is, you know, hundreds of thousands of lines.
And then you put in filters and it will colorize each line based on the filter.
So you can say, you know, if this line has this IP address, turn it blue.
So then you can see like, you know, a graphical representation of events.
So you can just quickly get down to the section that's all blue and go, that's when that stuff happened.
That's when that stuff happened.
It makes it very easy to jump around.
We use at work a software package called GFI, which basically dumps out, grabs all of the event viewers from every machine, the event logs.
Great, fantastic information.
Yeah, so much great.
And then we can set where we can get emailed on certain events.
So it goes through the logs and finds like, you know, when we have low disk space warnings or, you know, drives failing, things like that.
And emails us to it.
I think it goes by the severity level on the event logs.
So if it's like a severe, or I don't know what the categories are, but there's like a category structure in the event viewer.
How do you have low disk space?
Oh, we have low disk space all the time.
A terabyte drive is like, I found one in a box of cereal the other day.
Yeah, and we go through, we've got 42 terabytes on our SAN and it's full.
Oh, man.
I thought this company only had like 10 people with one virtual.
We have about 30 in the hand.
And each person needs more than a terabyte?
Well, we have, you know, certain five financials.
Oh, yeah, the nature of your business.
The nature of our business requires us to have a crap ton of storage.
Yeah, I'm thinking about companies that I worked for.
It's like all the storage was just what you needed to do the job.
So each computer had like, you know, 500 gig drives and only needed like a 10.
Oh, well, our local disks have our pointy storage.
It's just our servers that do all the big crunching.
Yeah, I forgot about that.
Big crunching seems to run out of space.
Anyway, so the last point was the accounting point where, you know, log everything, check your logs, check your logs a second time.
You know, that's the, the bane of the sysadmin's existence is, you know, something happens and they don't check the logs.
What is your company's position on log retention?
Because some people argue you should keep the logs as long as possible in case something happens, and other companies say, no, get rid of them as soon as possible.
So that if anything happens, there's no logs to go back in and shut the company down from negligence or anything.
We keep logs for a while.
Not just the bare minimum legal requirement.
Depends on what type, we do a lot of logging, a lot of different logging.
System logs, we don't keep that long.
The firewall logs and access logs.
We keep, I believe, six months or a year or something like that.
And then there, we have reporting that has to go out to specific vendors that, like, we have one that goes to the USPS that we have to keep for seven years.
So really, yeah.
There, it involves like the National Change of Address stuff.
So it's, we have to keep those logs for seven years.
And we have to have a paper copy of all of the forms that the clients send.
What?
Yeah, paper copies.
I thought that meant that you had to keep all your logs for seven years in a paper format.
No, no, we have to keep the electronic ones.
And then there's a form that every client signs to go through this process.
And they, they have to be kept for seven years.
That's like, you know, I had a professor of art once in college who was complaining about how it's actually the policy of either the school or the state.
I think it's the state that any, any school that received state funding, the professors have to keep the students' tests for seven years after the class in case you want to go back and dispute it.
And if anyone actually complied with this, you'd have literally rooms full of student papers.
Because you teach what, like 300 students a year, over seven years.
That's just in, it's like four tests a semester easy.
That's, it's, oh my God.
That's insane.
Yeah.
That's a lot of paper.
That's like an entire small room full of just paper.
Anyway, are we done for the night?
I think we are.
Okay.
Go to the website hackradiolive.org.
Oh, there's a new thing on the website.
The feedback thing is really bad.
So you can leave feedback to have a hit in the feedback button.
It's really cool.
I did that.
We really, we really have a feedback button now.
Yeah, go look at the site.
Look at the feedback thing, it is so cool.
Feedback and constant.
Oh, that's cool.
Isn't that cool?
That's cool.
What does it do?
It sends me an email.
Oh, well, that's kind of lame.
What did you want to do?
I wanted to like put like, like the, the HPR comments where it puts it underneath the show.
Well, we're going to have comments, but after I made fun of you for having the worst comments ever, I wanted to make sure that my comment system was better before I published it.
Oh, okay.
So you're going to bust on me for, for Hacker Public Radio having some spam.
Well, some spam.
There were 38 spam messages on our last show.
There were not.
Yes, there are.
Not were, are.
There are not.
Present tense.
There are not.
I'm going to look.
Go to going look.
What the hell?
Look at me still talking when this science will do.
And I look up there.
It makes me glad I love you.
I've experimented too long.
Where is research going to be done?
I know people who are still alive.