Where Scanning the Internet Gets You

From awhile back, Brian Krebs talks to three researchers at U-M about their ZMap tool. An efficient and comprehensive way to scan the Internet, they’ve recently built a search engine called Censys that searches across their daily data collections from the ZMap scans.

From Krebs’ interview with the researchers (Zakir Durumeric, Eric Wustrow, and J. Alex Halderman):

“What we were able to find was by taking the data from these scans and actually doing vulnerability notifications to everybody, we were able to increase patching for the Heartbleed bug by 50 percent. So there was an interesting kind of surprise there, not what you learn from looking at the data, but in terms of what actions do you take from that analysis? And that’s something we’re incredibly interested in: Which is how can we spur progress within the community to improve security, whether that be through vulnerability notification, or helping with configurations.”

Using ZMap allows them to quickly collect this data (compared to other network scanners), but the researchers aren’t just scanning the Internet because they feel like it. They’re taking action based on the scan results—notifying people when their machines are vulnerable to the Heartbleed bug.
Beyond notification, they can take other steps:
“So, that’s the other thing that’s really exciting about this data. Notification is one thing, but the other is we’ve been building models that are predictive of organizational behavior. So, if you can watch, for example, how an organization runs their Web server, how they respond to certificate revocation, or how fast they patch — that actually tells you something about the security posture of the organization, and you can start to build models of risk profiles of those organizations. It moves away from this sort of patch-and-break or patch-and-pray game we’ve been playing. So, that’s the other thing we’ve been starting to see, which is the potential for being more proactive about security.”
Internet scan data can help us better understand organizational security posture and develop different models of risk profiles in organizations. With those risk profiles, improving an organization’s security posture could be a matter of identifying the inefficient elements and focusing on them. Security posture is culture as much as machines. While SIEMs can identify risk factors in your machines, models of organizational security posture can identify the risk factors in your culture.

Prescriptive Design and the Decline of Manuals

Instruction manuals, and instructions in general, are incredibly important. I could be biased, since part of my job involves writing instructions for systems, but really, they’re important!

As this look into the historical importance of manuals makes clear, manuals (and instructions) make accessible professions, tools, and devices to anyone that can read them (which, admittedly, could be a hurdle of its own):

“With no established guild system in place for many of these new professions (printer, navigator, and so on), readers could, with the help of a manual, circumvent years of apprenticeship and change the course of their lives, at least in theory.”

However, as the economy and labor system shifted, manuals did too:

“in the 1980s, the manual began to change. Instead of growing, it began to shrink and even disappear. Instead of mastery, it promised competence.”

And nowadays, manuals are very rarely separate from the devices or systems they seek to explain:

“the help we once sought from a manual is now mostly embedded into the apps we use every day. It could also be crowdsourced, with users contributing Q&As or uploading how-to videos to YouTube, or it could programmed into a weak artificial intelligence such as Siri or Cortana.”

Continue reading

Torture, Ownership, and Privacy

The Senate Intelligence Committee released hundreds of pages (soon available as a book) detailing acts of torture committed by the CIA.

Continue reading

Reading, Drones, and Georgie Washington

Americans are still reading books, Internet and all! Younger Americans are actually reading more than older generations, which could be partially due to the fact that with the rise of texting and social media, so much of our communication is text-based, so everyone is doing a lot more reading (and writing) in order to communicate with their friends. The original study is linked in that article and in this graph:

What are some other ways to get people to read books?

Well it helps a lot if your college library not only tells you the call numbers of the book, but it gives you precise directions to the location of the book, which is pretty awesome. Much more useful when navigating a giant library, like I have access to at the university I work at, as opposed to the smaller library at the university I actually attended.

Continue reading

Heartbleed, Borders, and Cookies

HEARTBLEED heartbleed my heart is bleeding about heartbleed….

How soon until someone writes a country ballad about heartbleed? Knowing the Internet, probably before all the currently vulnerable sites are patched. Researchers at University of Michigan previously produced a tool which was capable of scanning large swaths of the Internet at incredibly fast speeds. They took advantage of this tool to regularly scan the top 1 million sites on the Internet (as categorized by Alexa)(who is not a person) and determine what portion of the sites are vulnerable. Mashable, meanwhile, has compiled a list of the big websites that were vulnerable (but now are not). This bug is the latest and greatest of them….yet (as XKCD points out)

As the NYT points out, as the web gets larger it also gets less secure (and thus, harder to defend):

“If you fix one Internet security bug, you can be sure that attackers will just find another, potentially more dangerous one. “Over all, attackers have the competitive advantage,” said Jen Weedon, who works on the threat intelligence team at the security company Mandiant. “Defenders need to defend everything. All attackers need to find is one vulnerability.””

Continue reading

Bitcoin, Security, and Photography

nananananananananananana BITCOINNNN

I had to talk about it eventually, and Thursday’s news was a good impetus. Newsweek had a big “scoop” potentially unmasking the founder of Bitcoin. The magazine saved this story for the cover of their return-to-print issue. The story features stalking masquerading as investigative journalism, as the author tracked down this man through national records, then tracked his interests to a model train forum, where she emailed him purporting to be interested in trains, then began asking about Bitcoin (at which point he stopped responding).
Then she tracked down his home and family members, and interviewed them extensively about the man and itcoin. She finally paid him a visit at his home, and instead of answering the door he called the cops. This surprised her. Read the article in full, if you’d like to know more about the lengths some people will go to find people who don’t want to be found (and who haven’t done anything wrong).(After some sushi and a car chase the man himself claims he is not involved with Bitcoin).

Continue reading