My private key has been compromised.
This realization hit home and made his knees feel weak. His private key – his identity – his ability to secure communications with, well, everyone. Without any further delay, he began a key revocation, canceling the compromised private key and making it unusable by the thief, but also, unfortunately, unusable by Mick as well. Having done that, he began the laborious process of generating new private keys and their associated public keys and getting the public keys signed by his friends and published in various places on the Internet.
He then read the comments to the blog entry, and needless to say they were not at all complimentary towards him. In fact, it was fair to say his reputation with the open source community was pretty well destroyed by this forged mail, although some of his friends had posted in his defense.
It was only a few hours until sunrise when he went to bed.
The next morning he had a scheduled video call with Sam. He didn't really feel like it, and actually considered canceling it, but went ahead in the end.
“Konichiwa Uncle Alec-san!” she greeted him.
“I'm not in Nihon anymore,” he reminded her.
“I know. You are deep in the Southwest. How is the riding?”
“Very good. The terrain is pretty unique here – even the sky seems somehow different,” he replied.
“Pictures please! I need to decide whether New Mexico should move up on my list of places to visit.”
“Where is it now?”
“I believe it is about 4Øth on the list, but if you say the sky is different, then I may have to move it up into the teens.”
“Understood. Shall we read?”
“Nope. I've got a question for you, if that's OK?” she asked hopefully. Mick smiled to himself.
This girl really knows how to get to me.
“Of course, Sam. What is it?”
“I read that 'peer-to-peer' networks are a security risk. Now, I don't know what they are, but I think I've heard you mention them, and you wouldn't talk about them if they were bad for security.”
“Sam, do you read Slashdot or something? Never mind. You are right: P2P isn’t necessarily insecure. This is a classic piece of clueless FUD,” he started, then paused when Sam raised her eyebrows as if he had said a bad word. He smiled, then continued.
“FUD stands for Fear, Uncertainty, and Doubt. In this case, it means half-truths and falsehoods, peddled by people with an agenda to push. There is nothing inherently threatening or bad about peer-to-peer applications – in fact, they can sometimes be more secure than other applications.”
She looked away from the camera for a moment, then continued. “My mother wants to say hello.”
“Hi Alec,” Jocelyn began, her dark wavy hair and piercing brown eyes coming into the field of view of the camera.
“Hey Jocelyn, how's it going?”
“Oh, I'm fine. Wondered if you were coming to Boston soon?”
“Yes, probably in three weeks,” he replied. She smiled back at him, and he heard Sam shout “Yes!” out of view.
“OK. Let us know, brother. Take care.”
“Will do,” Mick replied, and went back to talking to Sam for a little while longer.
After the video call, Mick felt better, but all day he still found it difficult to concentrate on the work at LeydenTech. He did it anyway. He tried not to think about his own security compromise until the end of the day. Back in his room, he started to carefully examine his own server logs for signs of how someone had stolen his private key. He didn’t find very much, but what little he did find convinced him that his server compromise was linked to the LeydenTech compromise. His own spambot was eerily similar to the one here at LeydenTech.
Now with two examples of the spambot software, he sent both to Kateryna and asked her if she could help.
He heard back from her a few hours later:
Hey Mick,
Hope the weather is good for you in NM. It has been a few years since I visited, but I recall some great archaeological sites, including some amazing petroglyphs near ABQ.
I still can't comprehend your key compromise - you are the most careful person I know. Someone must really have it out for you to do this to you. Do you have any idea who?
I don't know what to tell you about the spambot - I'm not an expert in this area, but we do have a few guys in the office who are. I'll make some unofficial inquiries and let you know what I find out.
So, I have a question for you: if you were born in England to Irish parents, grew up in London then moved to New York, why do you have such a generic American accent? I thought perhaps it was just me but I asked a couple of Americans who knew you and they agreed that there is very little evidence of your heritage in your accent. I only have to open my mouth and say one word and everyone knows I'm from somewhere else (even in Romania today as my accent and vernacular are out of date). What is your secret? ;-)
Regards,
Kat
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Mick smiled self-consciously and fired off a quick response. In truth, what accent he had depended on who he was talking to. Talking to his relatives in England and Ireland, he would slip into a light Irish accent. With his school friends, he seemed to be from New York. The only accent he had never really picked up was from the town of his birth, London. It didn't worry him, as in England, accent is used as a class indicator, and any kind of English accent would have made him categorizable, something he tried to avoid. He didn't love everything about America, but he did love that one’s class had nothing to do with accent or birth.
The next few days in Los Alamos passed without incident as he continued the investigation. He received a reply from Kateryna.
Mick,
You know, something strange came up during our investigations into that piece of spamware you sent. It looks like it is from a new codebase - our guys have never seen it before. The spam pattern was also strange - they said it was almost random. That is odd because spammers usually stick with established routes that have worked well in the past. They think that this spamware has a very low success rate as a result. You'd think that a new piece of software would be better than the old ones, but that doesn't seem to be the case here.
Oh, and the second app you sent, it is virtually the same as the first one - definitely written by the same people.
I'll keep you posted. Be careful riding that bike of yours... if I'm going to see you in two weeks in Vegas, you need to stay in one piece.
Regards,
Kat
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
The second application or app he had sent Kateryna was the spamware from LeydenTech. The first was the one from his own server. Saying they came from the same codebase meant they were the work of the same set of programmers or came from the same company.
Mick could feel himself getting closer to the truth.
Chapter B.
From the Security and Other Lies Blog:
I've read that open source software is more secure than commercial software. Is this true? raptors4ever
I love this question! :-) Let me start with a good definition of open source software. Software is the instructions that tell a computer what to do. When a computer is turned on, it starts running software, known as the ‘operating system’ or OS. When you start a program such as a web browser, an editor, or a mail program, you are running software. When you use your mobile phone, you are using software. The actual instructions interpreted by the CPU in a computer are known as machine language, binary files, just binaries (named after the binary format they are stored in), or executable code (since the CPU executes it). If we look at them, we just see a bunch of numbers - it is very difficult to figure out what is happening unless you are a computer.
Source code is a human-friendly way of representing computer instructions. Computer programmers or software developers create and write source code, then that source code is turned into the executable code using a piece of software known as a compiler. Source code is written in different computer languages. They really are languages in that they have vocabulary, syntax, and grammar, and allow one to express ideas and make a computer do what you want it to. Whew! That was a bit long, but hopefully now we're all on the same page.
Normally, when you buy or install computer software, you are using the binary or executable code. You can't actually see what the computer is doing just by looking at it - you can only observe it by running it and seeing what happens. Much of computer software is closed source - that is, the source code is kept a secret. Only people working for the company that created or owns the source code are able to inspect and fix the code.
Open source is the opposite - the source code is freely available for anyone to inspect and examine - usually published on the Internet. In fact, open source is considered 'free' software, sometimes explained as 'free as in speech, not as in beer'. That means that companies can charge money for open source software, but they can't keep the source code secret. Just as free speech allows anyone to express his or her opinion and add to a discussion, anyone can take an open source program, modify it and change it. Only, per the terms of the open source license, they must also publish the changes and alterations they made to the software.
Now, having secret source code might sound great when it comes to software security. After all, bad guys can't look through the code and find the weak points and places where they can try to crash or take over the computer. While it is possible to ‘reverse engineer’ some binaries to get an idea of the source code, the legality of doing this on closed source software is not clear, so only the bad guys do it. Any sufficiently complex piece of software (and today’s software is hugely complex) will have weaknesses and bugs, and bad guys will find them, by trial and error if nothing else. When found, they can then launch attacks using it.
Once these attacks are launched and security experts analyze them, the software will need to be fixed or patched. But only people working at that company can do this, as only they can see and change the source code. Everyone using the software is vulnerable until they fix the bug. Sometimes this can take weeks or even months!
Now, let’s compare this to open source. In an open source project, many programmers and software engineers are able to look over the code. Security researchers from all over the world are able to search for vulnerabilities and possible attacks. When they are found, any programmer can write and upload a patch to fix it. With more eyes on the code, more bugs and potential attacks are found before the bad guys can find them. When an attack happens, open source programmers will immediately analyze the attack and anyone can write the patch and fix it. As a result, in many cases, security holes can be closed more quickly with open source than with closed source software.
The open source software movement is a closely-knit community on the Internet today, encompassing both volunteers and companies. I am proud to be a part of it.
So, you can make up your mind, raptors4ever, which is more secure: closed source or open source? You can probably guess where I stand on this...
-> Your question not answered this week? Argue for your vote on the Shameless Plugging area of our discussion forum.
Chapter C.
Mick O'Malley – greatly appreciates his friends standing by him over the past few days. He can't put into words what it means to him. And rest assured, he will find out who is responsible for this! (19 comments)
Mick left LeydenTech early the next afternoon to take a break and clear his thoughts. His private key compromise had left him feeling off balance, and he felt strangely vulnerable, as if anything might happen to him at any time. He recognized the feeling as illogical, as he had already changed all his passwords and was using a new private key, but the feeling remained.
With his trip to Hiroshima fresh in his mind, Mick visited the Los Alamos Museum to learn more about the Manhattan project. The museum was housed in a building from the Los Alamos Ranch School, which the government acquired to establish the laboratory in 1942. It seemed amazing to Mick that the bomb that devastated Hiroshima was designed and built in this beautiful place. The museum had a small exhibit about the work and the workers who lived there up to 1945.
The grandmother of one of Mick's friends from Columbia had grown up in Los Alamos during this period, and he recalled her stories of life in a town that didn't officially exist. Mick really wanted to visit the White Sands Missile Range, a few hundred kilometers away, where the first atomic device was detonated. He really wanted to see the desert sand fused into glass stones by the detonation (named "trinitite” after the code name for the first bomb – Trinity). However, he knew the site was still an active military base and test site, and it was only open a few times each year. The device tested there was a plutonium device, the prototype of the bomb detonated over Nagasaki. The one dropped on Hiroshima used uranium instead, despite some claims that both were uranium.
The uranium device was not tested before Hiroshima as there was not enough processed uranium for a test detonation. Mick read that some of the uranium was processed in New York, but most of it was produced and refined in Oak Ridge, Tennessee. At peak production during the Manhattan project, Oak Ridge was using about 15% of all the electricity produced in the United States – more than all of New York City!
Mick felt amazed at the amount of work and planning that led up to the detonation. So much design and engineering of the various components: the fission fuel, the detonator, the delivery vehicle. So many parts of the project worked on by different teams in different parts of the country, culminating in one history-changing day 6ØØm above Hiroshima.
Later back at LeydenTech, Mick came to a disturbing conclusion: the compromised server was definitely part of a botnet. This was surprising because all the behaviors seemed wrong; the compromised server was not trying to act stealthily at all. A computer that was a member of a botnet normally would try hard not to give away this fact until it was ready to be used – otherwise, the computer would be disconnected, cleaned, and would be lost to the botnet. Usually, this meant keeping a low profile with Internet activity. This software seemed to be using a different approach – a hiding-in-plain-sight approach, where it pretended to be spamware. He was sure that the spamware wasn't the main purpose of the compromise, but that it served as cover for the real activity of the botnet. One possible reason – and this thought really bounced around in his brain – was to hide with whom the malware was communicating. This was called communication ‘obfuscation’ in the industry, and was one security property that was usually difficult to achieve. There were common approaches for encrypting traffic to make it private, and signing communication so you could prove who sent it, but all these approaches did nothing to hide the fact that two computers on the Internet were exchanging packets and messages.
In telephone network surveillance, a so-called ‘pen tap’ gives law enforcement information about who called whom and for how long, but tells nothing about the contents of the communication; a ‘wiretap’ is needed to listen in and record the conversations. Pen tap data in the hands of a good investigator can often be used to deduce all kinds of useful information, especially when coupled with other observations and facts that can be correlated with it. Without obfuscation, the Internet equivalent of pen tap calling information – which computer is sending messages to other computers – is not difficult to collect. Mick’s own calling patterns – who he communicates with and for how long – could be determined despite his use of voice and video encryption software.
In this case, Mick determined that the malware was sending out large amounts of traffic in the form of meaningless spam. Buried somewhere in the spam was actual botnet communication, he believed. He hadn't found it yet, but was convinced he would. Looking at the time, Mick summarized his findings so far and prepared for an interim briefing of Vince and his managers.
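The ‘pen tap’ view Mick describes, as an added example that is not part of the novel: given only connection metadata (who connected to whom, and when; no payloads, so encryption does not hide it), a periodic check-in to one host stands out against high-volume, randomly addressed spam. All hosts, timings and flow records below are constructed sample data.

```python
"""Spotting a periodic check-in buried in spam-like cover traffic, using only
flow metadata (timestamp, destination). Constructed data; hypothetical hosts."""
import random
import statistics
from collections import defaultdict


def build_sample_flows(seed=7):
    """Constructed flow log: one (timestamp_seconds, destination) per outbound
    connection, as a flow collector would record it."""
    rng = random.Random(seed)
    flows = []
    # Cover traffic: spam to ~200 random mail hosts at random moments over 2 h.
    for _ in range(2000):
        t = rng.uniform(0, 7200)
        flows.append((t, f"mx{rng.randint(1, 200)}.example.net"))
    # Hidden beacon: one host contacted every 300 s with a little jitter.
    for k in range(24):
        flows.append((k * 300 + rng.uniform(-5, 5), "c2.example.org"))
    return sorted(flows)


def find_beacons(flows, min_contacts=8, max_cv=0.1):
    """Return {destination: mean_interval_seconds} for destinations whose
    inter-contact intervals are regular.

    min_contacts: ignore hosts seen fewer times (one-off spam targets).
    max_cv: coefficient of variation (stdev / mean) at or below which the
            timing counts as periodic; randomly timed spam gives values
            near 1, a fixed-interval beacon gives values near 0."""
    times_by_dst = defaultdict(list)
    for t, dst in flows:
        times_by_dst[dst].append(t)
    beacons = {}
    for dst, times in times_by_dst.items():
        if len(times) < min_contacts:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[dst] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    # Only the beacon host survives; the 200 spam targets have irregular gaps.
    print(find_beacons(build_sample_flows()))
```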
After the briefing, Mick went back to work. Vince was extremely pleased with his progress. Vince had let slip that it was Mick’s colleague and speaking rival Miles who had taken this job the week before the conference in Hiroshima. Miles had concluded that the compromised server was just a spambot, but Vince was not happy with that conclusion, and had sought Mick out hoping he could do better. He was happy that Vince supported his pursuing the hypothesis and continuing the investigation. If he could prove it, he was sure that it was an entirely unknown type of botnet.
Counting from Zero Page 7