
    Friday, March 27, 2009

    What should the OpenOtto demo car NOT be

    Rob T Firefly suggested we get a DeLorean for the OpenOtto demo. Awesome idea! Love it. If we come across one, we'll make a go for it.

    However, here are some suggestions of what the demo should NOT be. Although they might attract more girls to the computer hacker scene, these cars are not cool.

    Even though the guy with the '89 Oldsmobile Cutlass Ciera Louis Vuitton Limited Edition looks pretty fly, this doesn't quite say, "Give us VC funding, please" but, instead, "I'm a bad knock-off."

    That's just so wrong. This doesn't say, "I'm so hot, give me a speeding ticket," as Ferraris should, but, "This is my teenage daughter's car." Instead, this is the Ferrari OpenOtto would be willing to accept as a donation to the open source project. If you've ever ridden in a Ferrari and driven so fast along winding mountaintop roads in Italy that there is FIRE coming out of the tailpipe and you're pinned into the racing seat, you'd understand why my vote is for a sports car. I like fast cars that go boom.

    The last picture is one I took of a wimpy Jeep Liberty on my driveway during mud season. Indeed, it took TWO Land Rovers to tow out the Liberty. No wimpy SUVs--this is a going-to-the-mall car. Thank goodness it was a rental. It had mud coming in the doors by the time we got it out of there. I was told that, when it was returned to the Portland, Maine airport car rental office, the guys receiving the car stood in disbelief as they saw the mud on and in the car. Instead, we vote for an H1 as our off-roading vehicle demo car. If we can't have that, we'll stick with the 2003 Land Rover Discovery it's in now because it really can go anywhere. In fact, we've taken it there and back.

    Thursday, March 26, 2009

    If OpenOtto could have a demo car, what should it be?

    We’ve been watching Knight Rider. (Actually, we have been since the 80s, so that probably dates us.) We’ve recently been having some fun debates about a dream demo car for OpenOtto. Of course, we’re just scraping by now and absconding with junk parts from cast-offs and running OpenOtto on a 2003 Land Rover, but if a dream could come true, what would be the coolest car OpenOtto’s software and hardware could control? Would it be an off-roading SUV, a sports car, or a muscle car?

    Because Knight Rider was an inspiration, one of the demos has to be an American muscle car. There will always be some who believe the original Knight Rider, a 1982 Pontiac Firebird Trans Am, will be the only true KITT. If you ever wondered if KITT really had a blood analyzer, Ski Mode, or an electromagnetic field generator, here are all of the technical specs for KITT from the 1980s series. We should have attended the Knight Rider Festival last week in Las Vegas. Both the new and old KITTs were demoed along with hobbyists displaying their tribute cars.

    The new Knight Rider series features a Ford Shelby GT 500 KR Mustang. With Val Kilmer as the new KITT voice, the car sounds and looks HOT. If you want to keep watching the new Knight Rider TV series, you must be proactive and sign a petition to keep the show going. Why not? It’s cooler, hacker-ish, and more techie than the dozens of boring doctor and lawyer shows now on prime time TV.

    But one thing is for sure, when we do professionally demo a car controlled by OpenOtto, the developers must wear their Michael Knight costumes. (Sorry, these hokey things are part of what start-ups make their employees do). But I think I’ll opt for Daisy Duke’s outfit even though the 1969 Dodge Charger General Lee always seemed to be broken down, didn’t it? KITT would leave General Lee in the dust and then go on to hack some wicked encrypted world computer networks any day! Hack on, KITT!

    Sunday, March 22, 2009

    SOURCE Boston 2009 – Part Four

    The second day started with getting up “early” so I could see Christofer Hoff discuss the vulnerabilities associated with outsourcing your prized possessions to cloud computing networks. It was definitely worth dragging myself out of bed. Chris is another AWESOME presenter. Peppered with a few early morning f-bombs (which, according to one of my students, is KEY to getting venture capital financing [?]), it was a riveting presentation and had visually appealing slides. I can take guidance from his method of presenting when he spoke to Twitterers in the crowd declaring that none of his 75 slides contained more than 160 characters per slide (and eerie, cool pictures of frogs). Most significantly, what I took from his presentation were some ideas about securely storing and accessing intellectual property from cloud computing networks. Some of those ideas I abstracted into search and seizure principles and incorporated some new research ideas into the CFP abstract for Brucon which, incidentally, was submitted at a witching hour Sunday night by me and my research partner, Myrcurial, in Toronto. Thanks for the inspiration, Chris!

    Later that day, the disclosure panel was one of the talks I really wanted to see at Source. I have done research on this topic and was delighted to hear Ryan Naraine asking Dan Kaminsky, Ivan Arce, Dino Dai Zovi, Alexander Sotirov, and Katie Moussouris debatable topics such as:

    · What’s enough time to give the vendor?

    · Should there be a partial disclosure committee to prevent the purgatory Kaminsky endured with his DNS bug?

    · Should there be civil liability for companies putting out insecure products?

    · What about disclosing security vulnerabilities that affect devices where lives could be at stake?

    · What if people discover vulnerabilities in safety-critical software such as in cars?

    o What if someone reverse engineers the protocols in cars and hacks car computer networks? (gasp!)

    These are all topics I have researched and debated with my colleagues. That’s another blog posting, but I was delighted to see some independent researchers debating these issues alongside representatives from large companies. The resources and vulnerability response time that small and large companies can respectively allocate toward patching a vulnerability are significantly different, and this was evident in the way the panelists answered these questions.

    I left the panel an hour into it so that I could show off OpenOtto’s hacked car computer that was in the garage of the Seaport. (I had to silently laugh and saw Dan steal a glance at me in the crowd during all of the hacked car computer discussion during the disclosure panel when, all along, there was one sitting in the hotel’s garage! The “what if” discussion is now moot.) I drove the hacked Land Rover to the Source conference to share this open source project with some like-minded hackers like Joe Grand and Travis Goodspeed and demoed it before Joe left for the airport.

    I showed Joe and Travis how the OpenOtto team reverse engineered the protocols in car computers allowing us to access any car’s computer. Automotive networks follow an OSI model, so OpenOtto was designed to be like an operating system for the car—all developers have to do is write high-level applications on top of the stack and they will operate with the car’s computer using OpenOtto hardware and software.

    Source was the debut of OpenOtto’s prototype board which successfully outputted a handful of performance characteristics to a laptop connected, via the prototype board, to the OBD 2 port. This is more than a scan tool and can be used to tweak performance and output A LOT of real-time parameters about the performance and error codes for all cars. This particular prototype board could output 1 of 4 of the ISO 9141 physical layer. In a couple of weeks, a device will be complete that will run all 4 physical layers using an ARM processor. (Note: At the conference, it was MOST car computers except for GM, Ford, Chevy and cars newer than 2008, but soon it’s EVERY car. Only 1 of 4 physical layers were done at the conference, but all are being done now).

    After the disclosure panel, I dumped my computer equipment in Dan Kaminsky’s room and went to join him, Travis, Ian Robertson and a co-worker from RIM for dinner at the Atlantic Beer Garden. I/O Active’s party with free drinks and food immediately followed, so we stayed there until almost closing time. From there, we went to Lucky’s Bar until that place closed. At that late hour and with the Rover on almost “Empty”, I doubted I could safely find a gas station open at that hour, so I decided to stay in Boston until dawn.

    We didn’t get to see Dan Kaminsky, savior of the Internet…in his super hero tights, but we did finish the night by getting my computer equipment and busting in on Dan in his hotel room while he was dorking out on his computer just a few hours before he had to catch a flight somewhere. From there, I was happy to crash for an hour of sleep on a couch in a suite before I had to drive back to Maine at the ungodly hour of 5 am. (Thank you, suite host, for your hospitality, your pillows, and your duvet.)

    Until next year, thanks SOURCE Boston organizers for making it such an interesting, informative, and fun conference!

    (Picture, by Travis Goodspeed, is of OpenOtto's demo board on the upper left corner on console. Toy Story Alien is not part of OpenOtto)

    Wednesday, March 18, 2009

    SOURCE Boston 2009, Part Three

    Later during the first day, two of my friends, Dan Kaminsky and Travis Goodspeed, were presenting at Source, but at the same time! Similar to the only two higher-education talks, either I had to make a tough choice or do a 50/50 split which is what I did—I started with Travis and finished with Dan.

    Belt buckle! When I think of Travis, this is what comes to mind including the word and the philosophy behind “neighborly” which is what Travis truly is. In addition to having established a reputation for the party mode on his belt buckle in the shape of Tennessee (the only neighborly state, he says) and having notable people holding the belt buckle (anywhere BUT as a belt buckle), he’s one of the most brilliant hardware hackers I’ve encountered. If there is a hardware device that can be sniffed or fuzzed, you know that Travis can do it. Want to talk about hacking the Clipper Chip encryption? Travis is probably already working on it.

    His presentation at Source was about how the private sector or governments can use wireless technologies for good applications. One interesting example is having smart land mines that will only turn on during the advance of an enemy and can turn off or be signaled to self destruct after their need is over thus eliminating the danger of live mines. I caught the beginning of his presentation and then ducked out half-way through to hear the end of Dan’s. What I missed was Travis discussing new exploits on the TI chip. I’m eagerly waiting for more info. about this on his blog.

    Dan Kaminsky is best described as a mix of brilliance and “let’s get this party started” when you see those horns thrown up. There are numerous articles describing his DNS vulnerability research and discussions about how he handled it using partial disclosure, but for someone who described how he “broke the Internet”, he is exemplary for giving vendors time to fix it and showing them how. When I describe to my computer science students the kind of hacker that’s actually doing something about making stuff more secure and not just trying to find the next big vulnerability to boost his credibility in the community, Dan is it. Humble, friendly and one of the best public speakers I’ve ever seen, he’s able to engage the audience about something as specific and technical as DNS for a full two + hours. His analogies are also legendary. Seriously, how many technical people do you know who can do all that? If he can describe DNS to his grandmother, he can tell you (the US government, SysAdmins, and your company’s recalcitrant IT guy) why it’s a big deal and you should patch today. No, really yesterday.

    The first day of sessions ended after Dan’s and Travis’ presentations, but the day didn’t end there and went long into the evening. I met a group of other conference attendees at the Atlantic Beer Garden for dinner. From there, we went to the Source party which included techno, strobe lights, and a smoke machine like any good hacker party should! I got to meet some of the other (five, I think!) women at the conference including Stacy Thayer, conference founder and organizer. Dan Guido’s potato made some rounds and got decorated with feathers, signatures, and carvings. When that party wound down, I joined Travis Goodspeed, Dan Kaminsky, Marty Roesch, Jennifer Steffens (from I/O Active) in a quest for a mythical party at MIT, but ended up closing the bar, appropriately, at The Miracle of Science in the MIT vicinity with Dan and Travis.

    (Photo, taken by Travis Goodspeed, is a screenshot of tcpdump output from the network on the OpenOtto Project Land Rover at Source. Right now, it's running on a laptop on the dash, but we're scrambling for cash to buy a touch screen dash mounted monitor.)

    Tuesday, March 17, 2009

    SOURCE Boston 2009, Part Two

    From Dan Guido’s presentation, I went to Marty Roesch’s talk titled, “From NASDAQ to the Garage with Open Source: Sourcefire’s Experience.” Not only is Marty a fantastic speaker, but his experience with open sourcing Snort is the best example I can find answering the question of how a company that embraces sharing code can be successful.

    I am constantly asked by investors: “Where is the money with open source/free software?” Instead of my usual retort which used to be, “RedHat”, I’m now going to say, “Sourcefire!” Marty’s open source release of Snort’s code is a great business model and better in the sense that it’s applicable to companies that do not have as much of a service component to generate revenue but who want to produce a product. There is significant value in putting out a box containing your code that’s akin to a plug and play device as opposed to downloading the open version and having to have more of a technical background to fully make use of all of the features.

    There is also value and, as Travis Goodspeed would say, a neighborly interest in sharing your code and hardware designs to spark innovative products that will work with your code and, hopefully, foster something akin to an industry standard if you’re lucky. If not that lucky, you still have a product that a lot of people are using which creates a built-in user base, contribution to bug reports (and, I argue, better security because of this) and a reputation based upon a community that cares about quality code and hardware design.

    Later that night at the Source party, I spent at least an hour talking with Marty about other lessons learned about organizing and funding an open source company. One of the most important aspects about which we both agree is the necessity to defensively patent. I know that many in the open source/free software community don’t think that patents are useful and are the antithesis of open/free releases, but if you talk to Marty about how a patent troll almost messed up their IPO, you’ll see how unethical patent attorneys buying up IP at fire sales are part of the problem with the patent system because they inhibit innovation and entrepreneurship. I know of a few companies this happened to and they ended up going out of business as a result of patent trolls. My advice to entrepreneurs with open source/free software: Patent and then license with GPL version 2! Defend yourself against evil trolls.

    (Photo is of Travis Goodspeed doing a demo at SOURCE Boston using hypodermic needles as oscilloscope leads to sniff a Zigbee wireless sensor’s SPI port. Wireless traffic relies upon an encrypted key being sent to the CC2420 radio chip and tapping two pins [see Travis’ detailed photo] exposes the key)

    SOURCE Boston 2009, Part One

    Recently returning from Source Boston 2009, I am still basking in enlightenment and the excitement of meeting brilliant computer security professionals in the relaxed, small atmosphere at the Seaport Hotel. Without fail, I’d sit down at lunch or in the lounge and be discussing computer architecture or be debating how information security professionals can improve their craft.

    After a high speed dash in the snow from Southern Maine to Boston, I just made Joe Grand’s presentation and didn’t regret white-knuckle driving. Joe was a co-host of Prototype This on the Discovery Channel. Who wouldn’t want his job?! Having a hacker space warehouse near the water in San Francisco with a group of buddies making stuff—how cool! However, hearing about the behind-the-scenes difficulties that the viewers didn't see was informative. With only about $13,000 in cash per build which was to take two weeks, after knowing this, I have even more appreciation for the engineering feat with which those guys pulled off those builds. What would you do if you had Joe’s job and the producers wanted things that had never been done before, for a little amount of cash, and in two weeks? Sounds like a lot of stress, but beautiful stress. If I had his job, I think I’d have long days—some frustrating when my stuff didn’t work—but I’d go to bed every night thinking, “Yes…I am paid to tinker with stuff in a workshop that’s every geek’s dream--life is good!” By seeing Joe’s enthusiasm and broad smile when he’d describe the design and build stages and his co-host team, I suspect he feels similarly.

    Right after Joe’s presentation, I went to hear Dan Guido from NYU/Poly present on “So You Want to Train an Army of Ninjas...” The way in which he has added penetration testing into a traditional computer science curriculum is exemplary and a model I hope to adopt for the University of Maine’s computer science curriculum. Teaching about the importance of engineering security from the first line of code to the final testing phase is crucial to providing computer science professionals with the skills they need to compete in this competitive employment environment and to responsibly design better software and hardware products for the market.

    I’m tired of hearing about ridiculous vulnerabilities that were the fault of lazy software engineering where the most important aspect in the design was, “Does it work?” Going beyond just making the code work is what Dan is teaching his students. By hands-on methods teaching students how vulnerable stuff can be broken and then learning how to fix it, he’s not only teaching them about what happens if you design broken crap and its vulnerability is exposed, but the consequences if you’re the one who put the crap out there in the first place. Better yet, he has released all of his course materials online to share with anyone interested in creating a better computer science curriculum. Thank you, Dan! As a side note, he has also started something of a crazy tradition at Source Boston (or so he told me!) with a potato being passed around. Dan Kaminsky (in the background in photo) got it next. Ah, the fun of hanging with the techie crowd—it’s funny that after hours the humor is often associated with anything BUT technical things. But I still don’t get it—why a potato?