
Hacking Reno: WebApp Pentesting

Four days in Reno was cerebral overload. 

Attending the Wild West Hack’n Fest presented by Black Hills Information Security, I tried to squeeze as much data into the ole’ brain-box as possible. It’s a small box as far as brain-boxes go, so I’m pretty sure I tore something, and now my personal data is leaking out all over the place. 

The first night there I dreamed I was at a diner and the waitress asked me, “How would you like your brains: compiled, compressed, encoded, hashed, or salted?” When I woke up I discovered I had developed a stutter that lasted most of the day.

By the time it was all over my brain felt like it had been in a pie-eating contest that never stopped. One of those last idiot-standing contests. Skull stuffed to near bursting and face a slaughter of smeared blueberry confusion. I wonder what drives me. This blog post is the inevitable regurgitation of that cerebral gluttony. 

This is part one of my sloppy attempt at summarizing the 4-day info feast.    

The Nugget Casino hosted the conference. The ringing bells and whirling whistles of the casino floor opened up my dopamine receptors as I walked through the door. The blinking and twirling lights aroused my limbic system which started pumping adrenaline into the mind-mix. My lower brain wasn’t sure if it was supposed to fight, flee, or poop. Casinos have to be one of the apex environments for social engineering. I felt a little like I was about to get on a rollercoaster. Kinda sick to my stomach, kinda excited, I realized the siren song of beer and slot machines were calling to me. I hovered a second or two before managing to gather my withering wits and turn my nose to the scent of nerd and find my flock.

I followed the odor of burnt neurons to the second floor where I heard the enigmatic chatter of cryptologists debating blockchain. My class was in a large conference room that could have fit a hundred people easily, but physically present only ten were seated in front of the giant screen displaying pdf slides of the inner workings of websites. I won’t pretend that I understood everything. In these classes, I often feel like a monkey punching buttons as fast as I can. All the time hoping for a banana that never comes. But at least I keep notes and hope with repetition comes familiarity and competency. 

The very first thing mentioned was situational awareness. 

Be still my sweet martial art heart. He had me at “situational”. I knew no matter how techie this got, the instructor was connected to a narrative I could follow. 

The instructor’s name: BB King. He provided a master’s class in more than just pentesting the delicate membranes between user-input and website interface. This was also, for me at least, a dissection of the complexity of language and its primordial underpinnings. It was a study in the history of technology and communication.

Let me say upfront, I was intimidated by the technical material. I was also very anxious about the travel after being in my Covid bubble for a year and change. So I was wound up tight. BB’s presence helped melt that away. It felt OK to be in the deep end of the technical pool with BB as the intellectual lifeguard.

I paraphrase liberally, but he said: One of the keys to mastery of cybersecurity (and life in general) is curiosity. The hunger to know how everything works offers unique leverage. As BB put it, all tools have uses beyond their original design. What can a tool do that it was not intended to do? Ask, what would MacGyver do? For this class, that meant testing the user input fields with a tad bit of sql injection, a dash of URL manipulation, and a smidge of fuzzing.

BB set up a great VM with Juice Shop and Burp. He walked us through developer tools in web browsers and the functionality of Burp’s tools to examine websites and bypass WebApps. BB made multiple rounds around the room to check on each of us individually. He never seemed rushed by the fact that we were stuffing 24 hours’ worth of information into 16 hours. I just tried to keep up as we blew through a dozen labs picking apart the vulnerabilities inherent to the system.

Something that was super valuable was that the class broke down the Top 10 OWASP list into just 3 issues. Not 10 issues. 3 issues. Aside from 1) Malicious Input, there was only: 2) Insufficient Logging and Monitoring; and 3) Sensitive Data Exposure. 80% of attacks are some form of malicious input. The other portion of OWASP is basically people shooting themselves in the foot. 

Amidst all that tech talk, BB had a couple of comments about bird songs and body language that really stuck with me.

The sound of birds chirping, that sound we find lovely and melodic, is actually a bird’s warning to other birds. It’s a declaration of territory. I own this tree. This is my branch. Keep your distance. BB added that the reason humans like the sound of bird songs so much is that the sound informed our ancestors that they were safe in the woods from predators. If the birds ever went silent, if the bird song stopped, then that was a very bad sign. It meant predators were near. Big ones.

The key takeaway: you don’t need to know the whole language to decode useful information. We had no idea that the bird song was a warning to other birds, but the lack of its pattern was a warning to us about nearby threats.

Another nugget BB shared: there are 21 culturally universal emotions that can be communicated with body language. Did he say body language? Totally speaking my language. This was when we were talking about encoding information and it made me wonder about the pros and cons of language. How easily things can be misconstrued or miscommunicated. Use the wrong word in the wrong context, things can get ugly quickly. It matters what you put into the system. 

Or simply put for defenders: Input Sanitization matters. 

The first rule of apps is that they are made for people to use. There must be an interaction between the person and a program. Requests are made. Responses occur. Anywhere a user can add information into the system, and possibly poison the ecosystem, that spot is a dangerous place to be short-sighted about security.
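The three buckets the class boiled OWASP down to (malicious input, insufficient logging and monitoring, sensitive data exposure) all show up at exactly the spot described above: the place where a request carries user text across the boundary into the program. The following is an added illustration, not code from the class, from Juice Shop, or from BB King. The `users` table, its three sample rows, the `AUDIT_LOG` list standing in for a real log sink, and the username allow-list regex are all constructed for the demo; it uses only Python’s standard library `sqlite3` and runs offline.

```python
import re
import sqlite3

# Allow-list for this hypothetical app's usernames (an assumption for the demo).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

# Stand-in for the application's real log sink; a monitor would read from here.
AUDIT_LOG = []


def build_db():
    """Constructed in-memory demo database; not any real application's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Bucket 1, malicious input: user text is pasted straight into the SQL.

    Also bucket 3, sensitive data exposure: the query pulls back email
    addresses the caller never needed, so any injection leaks them too.
    """
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The actual fix for bucket 1: the value is bound as a parameter, so the
    database driver never interprets it as part of the statement. Also selects
    only the column that is needed."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [row[0] for row in rows]


def lookup_hardened(conn, username):
    """Parameter binding plus an allow-list check and audit logging (bucket 2).

    The allow-list is defense in depth, not the primary control; its real
    value is that a rejected value becomes a log line a monitor can alert on,
    instead of a silent empty result.
    """
    if not USERNAME_RE.match(username):
        AUDIT_LOG.append(f"rejected username lookup: {username!r}")
        return []
    rows = lookup_parameterized(conn, username)
    if not rows:
        AUDIT_LOG.append(f"no such user: {username!r}")
    return rows


if __name__ == "__main__":
    db = build_db()
    # Classic textbook tautology input; the point is what each version returns.
    probe = "' OR '1'='1"
    print("vulnerable :", lookup_vulnerable(db, probe))      # all rows, with emails
    print("parameterized:", lookup_parameterized(db, probe))  # []
    print("hardened   :", lookup_hardened(db, probe))         # []
    print("audit log  :", AUDIT_LOG)                          # one 'rejected' line
```

Run it and compare the three results for the same input: the concatenated query hands back every row including email addresses, the bound query returns nothing, and the hardened version returns nothing and leaves a log entry behind. That last line is the part the class kept coming back to: a quiet empty result is the bird song stopping, and nobody notices unless something is listening.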

Imagine WebApp testing as a tiger sniffing out a good place to execute an ambush. Once the tiger knows where the animals go to get water (information crossing a boundary), they have discovered a vulnerability in both the environment and the prey’s behavior that can be exploited.

It’s now a matter of just watching and learning the patterns. Lying in the tall grass, hiding in wait for the bird song to return and all the little animals to think it’s safe to come out again. Or maybe tigers aren’t the best analogy, but I do like tigers a lot. And if you’ve never read Tiger, you’re missing out.

Anyway, in my case, it means to sit and practice hacking labs taking advantage of cross-user privacy invasion; client-side controls; faulty assumptions; unlinked items; directory indexing; insecure direct object references; and redirect filters. And that was just the beginning. Did I mention, I developed a muscle tic in my right eye?

By the end of the 2nd day, the stutter was gone. But on the 3rd day, my right eye started randomly winking closed. I think that means my left brain wasn’t completely up and running just yet.

I grabbed coffee, kept my head down, and got ready for round 2. The final two days of lectures included: Red Team Automation, Gamification of MITRE ATT&CK, Cracking Cloud Security, Network Defense Modeling, and Offensive Deception.

Ever read A Scanner Darkly? The protagonist is a detective hunting a drug dealer. Spoiler: the detective discovers he is the drug dealer. Or Fight Club, in which the unnamed protagonist discovers his alter ego is the cult leader of an anti-civilization urban-guerilla terrorist organization. That’s the feeling I was getting. I was two different people. A double agent moving between the good guy and the bad guy until there was no difference between the good and the bad, just knowledge, tools, and leverage. It’s not ethics, it’s actions along a barrier. There is attacking and defending the barrier.

Cyber is about controlling the flow and the mastery of the space between all things. Even the space and flow between the many minds that make up our minds (A Thousand Brains Theory).

Homo Deus

Notes on Homo Deus

Homo Deus: A Brief History of the Future by author Yuval Noah Harari makes you reconsider what you think you know about being human.

Here is my quick review of the book: I loved it! Just like his last two. But instead of just reviewing the book, I want to share my thoughts on some of the things that stand out for me in relationship to pain management.

Real quick though, this book isn’t for everyone. If you’re uncomfortable having your political, religious, philosophical, and general concepts of self challenged, then you will find this book disturbing on more levels than the author intends.

This book is a warning. It is trying to get us to pay attention, like a passenger in a car asking the driver to slow the hell down. You can’t take the turn you need at this speed.

I believe it also is a celebration of how far we have come and how far we can go. So let me throw this out there: if you cling to your belief structures like a life vest in an ocean of myths, this book is going to make you very upset, and it is going to deflate the concepts that keep your ego afloat. However, if you are looking for a better understanding of what our real challenges are right now, then buckle up, because the twists and turns of history, science, and psychology are going to make your head spin.

For those with short attention spans, below is a glimpse at the highlights of the book. For those who would prefer listening, here is a link (Yuval Noah and Steven Pinker) to a conversation with the author and Steven Pinker. My thoughts on how this applies to pain management follow.

-We’ve conquered War, Plague, and Famine as the major mortality issues for humanity, and next on the agenda we will conquer death or become God-like in the pursuit.

-Spoilers: There is no soul, self, or free will as far as science is concerned and to believe so is to live in a fantasy world where you will be easily manipulated.

-The brain contains more than one mind and none of them knows what the other is thinking or why; and most of what you believe about the world (which includes yourself) is a confabulation (bullshit rationalizations) of these minds’ independent operations.

-The evolution of religion went kinda like this: from nature to gods to a single god to nationalism to humanism and now data. Long live Data! In algorithms we trust!

-All medical science leads to augmentation science. We will be upgraded. Or at least the rich will be.

-Algorithms are everywhere and will rule us and we will like it because we are blind to the deeper realities of our existence. 

-The AI of the future will know us better than we know ourselves and we will either be their pets (if we are lucky) or their pests (if we are not lucky).

-The next class system will be based on human and super human.


Part 1: Why Are We Killing Ourselves?

After reading Homo Sapiens and 21 Lessons for the 21st Century, I felt prepared for the author’s diagnosis of the current state of humanity and prognosis for its future. It’s not all doom and gloom by any means, just the end of humanity as we know it. Technically speaking it could be seen more as the continued transformation of humanity.

The book’s opening argument is that humanity has conquered War, Famine, and Plague as the major factors of human mortality. That’s 3 of the 4 horsemen of the apocalypse. Who doesn’t think that’s a good thing? To make its point the book presents some disturbing information on mortality that I had to stop and look into myself. 

1. More people die from suicide than from violent deaths.

2. More people die from poor eating habits than starving.

3. By 2050, 50% of the population of earth will be considered overweight.

Here are some mortality-per-year (2017) numbers from the CDC.

Heart disease: 647,457

Diabetes: 83,564

Alcohol-related deaths: 72,500

Suicide: 47,085

Overdoses: 47,450

vs.

Homicides: 19,510

Firearm homicides: 14,542

Mass shootings: 335

The top half of these numbers are all self-inflicted. The CDC website reports: childhood obesity has tripled since 1970; alcohol-related deaths have doubled since 1999; suicides have increased by 30% since 1999; and overdoses are up 137% (200% in relation to opioids).

The articles I came across reported that the majority of criminal acts that lead to violent acts involve the sale or pursuit of drugs. That means for the purpose of buying drugs to alleviate pain or making money by selling drugs to people who are in said pain. What about mass shootings? I think the majority of mass shootings are perpetrated by people who are on one level or another mentally ill and suffering from some sort of psychological and emotional pain.

The common denominator for all of these falls on the spectrum of pain management. Drugs (I am including alcohol here) are used for reducing some kind of pain. Mental (emotional or psychological) and/or physical pain. Sure, lots of people use drugs and alcohol recreationally, but if drugs and alcohol are the recreation or are needed to have any recreation, then odds are high that there is a hidden suffering not being addressed. What we are really doing is self-medicating.

It would seem that a large number of people are under a daily burden that is inescapable without chemical assistance. Drugs and alcohol for the most part are our escape. So is sugar, or in general bad eating habits.

Why are we so sad, anxious, and disturbed when we live in the least violent and most prosperous age of human existence?

How many cavemen do you think killed themselves? I’ve asked this question of a few people and the answer I get back is none (note none of those people were anthropologists). While not scientific, the question makes a point. When life and death were a daily concern, people were too busy figuring out how to stay alive to consider killing themselves. When purpose was easily defined as don’t die today, people worked hard at staying alive every day.

It can be argued that now that we no longer hunt or are hunted, we are haunted by an inner nature that no longer fits our environment.

The natural state of humans is to be concerned about getting killed, about having enough to eat. So, we naturally worry about things. In fact, it’s a feature of the brain. When the mind isn’t engaged in a particular task, the Default Mode Network kicks in. This is the part of our brain that has a tendency to ruminate and make us anxious. It’s the portion of the brain calmed by meditation and attention training (quick self-promotion: this is what I teach).

Worrying is a survival feature. Those who didn’t worry, didn’t live long enough to reproduce. Unfortunately, just because the natural threats no longer stalk us, doesn’t mean this feature for survival is no longer working.

The exterior environment may have changed, but our inner environment hasn’t quite caught up. We were born to solve problems. I mean real, concrete problems. As in identifying the best tree to climb to sleep in so you’re not a late-night snack. We didn’t evolve to solve math problems or philosophical problems. Those are abstractions made possible by leisure and extreme access to resources. Those are fairly recent add-ons to humanity’s skill set. We evolved to solve physical issues.

Our emotional and psychological health is tied more to our physical capacity for adaptation than being able to think your way out of an emotional problem.

In a way, life has become too easy and we have lost our resiliency. Our ability to deal with challenge, discomfort and uncertainty has shriveled like an atrophied muscle. Much like the cell-deteriorating effect of zero gravity on an astronaut’s physiology, the lack of constant physical strain/challenge has made us mentally and emotionally weaker.

We now suffer from pain that we do not understand how to properly address. We have evolved to solve problems in an environment that no longer exists.

Instead of staying alive as the main function, we now are struggling with staying happy.

Our culture that has provided us a safer world has not prepared us to deal with ourselves. We wrestle and struggle with our thoughts and feelings. This leaves us with deep questions about worth and purpose that need to be addressed.

We are the most resource rich culture in history and we are killing ourselves hand over fist. It would appear that the more prosperous we become, the more likely we are to lose hope. What could possibly save us from ourselves?

This is important to appreciate because Yuval’s argument for humanity’s next agenda (now that we have conquered war, famine, and plague) is that we are going to conquer Death itself and transform humans into gods.

Considering how bad we are at handling our feelings now, I wonder what kind of gods we will become.

Part 2: Kill The Gods, Long Live Data (continued in a week or so)

Cognitive Bias Codex: Cheat Sheet

BigThink has a quick cheat sheet for cognitive bias, reducing them to 4 basic groups.

1. There is too much information.

2. We are always missing essential information because of how much there is.

3. We have to act quickly with limited info.

4. It’s impossible to remember everything.

The Baseline: Happiness Science

A whole lot of marketing focuses on happiness. Almost every advertisement begins with the assumption that you are not happy enough and what is offered will make you happier. People ask all the time, “Are you happy?” Do we know what we are asking about? What is happiness? What makes you happy? How happy can you get? How long can happiness last? Is it good to be happy all the time?

BigThink has some research on this elusive emotional skill, psychology, practice, currency.

“Activities such as exercise, expressing gratitude, altruism, and taking time to savor or appreciate the good things in life have all been shown to influence short-term wellbeing very much, and there is evidence that they can nudge that hedonic set point up the scale in the long-term as well.

Additionally, the hedonic treadmill is due, in part, to processes of desensitization and adaptation — we get used to things. Because of this, variety is a powerful means of combatting the hedonic set point's inexorable tug. Persistently engaging in a variety of positive activities or varying how one performs a given positive activity can trick your stubborn brain into actually feeling good about things.”

Sleep Myths

CNN.com has an article that has sleep experts correcting common misconceptions about sleep.

The quick rundown is, you should get more sleep, lots more, but not too much. Here are the 10 myths they cover:

1. Adults need five or fewer hours of sleep.

2. It's healthy to be able to fall asleep 'anywhere, anytime'.

3. Your brain and body can adapt to less sleep.

4. Snoring, although annoying, is mostly harmless.

5. Drinking alcohol before bed helps you fall asleep.

6. Not sleeping? Stay in bed with eyes closed and try and try.

7. It doesn't matter what time of day you sleep.

8. Watching TV in bed helps you relax.

9. Hitting snooze is great! No need to get up right away.

10. Remembering your dreams is a sign of good sleep.