the cups blog


Thinking Evil Tutorial Part 2

The Think Evil tutorial (slides) talks about how attackers and defenders react to each other.


When security people want to measure the network?

The speaker’s group built a system called Netalyzr which tests “your Internet connection for signs of trouble.” The application test for many different things to determine if there is anything sitting between the user and the Internet. The tests are specifically intended to push boundaries and send back inconsistent responses to get information on what is sitting on the connection. Some of the things tested for are:

  • Tests for connectivity of different protocols
  • Deliberately violates the protocols in an attempt to cause a malfunction
  • Tests for caches by pulling a changing image twice
  • Tests for lack of connectivity to specific sites to determine if Malware has changed anything
  • Tests for connectivity to Windows Update

The list of websites that Netalyzr checks connectivity to were generated by a set of security researchers “thinking evil.” Sites like IM chat clients and search pages may be proxied to get passwords. The tool has resulted in some interesting things. For example one ISP redirects to a proxy of Googles web page.

style=”text-align: left;”>Netalyzr needs some usability work in how to explain some of the results to normal users. Things such as buffering in conjunction with BitTorrent and Skype can result in latencies that can confuse end users.

Security in my Everyday life

The speaker spent this section talking about the complex set of financial protocols he uses for his everyday life.

(Blogger note: Check out the Personal Data Privacy blog for tips on how to do security for normal people.)


Someone please fix passwords! I don’t like remembering them. I don’t like RSA keys. I love SSH but typing the password into is dangerous because if someone compromised the server they have my password. As a result I always use public key authentication. I also use agent key forwarding even though I know it is horribly insecure for similar reasons.

The speaker stores his passwords in his wallet because his wallet is almost never stolen and he is not too concerned about loosing it. An audience member also comments that the passwords are probably the least valuable thing in your wallet if it is lost.

Credit Cards

The speaker is not too concerned about credit cards and he uses them for most of his purchases. He is not concerned because he is not the one who takes the damage

An audience member commented that in Europe the laws are different and that the burden and risk is on the user. In the UK there is a law that states that you have protection if you use the credit card online. If the chip and pin is used then it is the consumer that is on the line. If it goes through the chip and pin network then the burden is on the user to prove the charge was fraudulent. However, chip and pin cards also have magnetic stripe to use if no chip and pin system is available for use. An audience member says they had a chip and pin card cloned and used in another country through the magnetic stripe and in that case they were not considered to be liable. The speaker commented that if he was forced to use such a card where the damages and responsibility is on the user he would either 1) always pay cached 2) put it in the microwave.

Debit Cards

The speaker is very concerned about debit cards and is very selective about where he uses one. He also always checks the ATMs for any sign of tampering. This is because though he may not be liable eventually his money is at stake initially wich is a strong modivator.

Online Banking

The speaker doesn’t do online banking. All bills are paid by mail because even though it is not overly secure it is an O(n) attack that requires physical access to the letter. Sometimes I pay via phone with a credit card.

Audience Discussion

There is general audience disagreement that the use of checks is more usable than using a credit card. The speaker argues that the use of checks is the result of a cost benefit analysis of the security risks and implementation costs and he is deliberately sacrificing usability in this case to gain security.

We are here because security is difficult and because it is not useable. The speaker would like to do banking online but he needs a secure channel where he can personally verify every single transaction because there is always a non-zero chance that the host is compromised especially on public terminals. He wants a push button that basically approves transactions only when the user expressly pushes a button to approve the transaction. An audience member comments that this is very difficult from a usability standpoint because you have to install software on the user’s machine.