Suppressing Dissent

I once heard it said (and I can’t find the quote) that a society’s level of freedom isn’t determined by how it treats its normal citizens – it’s determined by how it treats those who dissent and don’t adhere to society’s norms.

Nowhere do I find this more evident than in the Byron case.

Look, let’s be blunt: from everything we know about what Byron was doing, it was kind of stupid. He was acting as an agitator to the G20 security establishment. He wasn’t being particularly subtle. He was trying to stir up a response, and he did.

I think it’s clear that he’s guilty of mischief. He’s certainly an agent provocateur (def: “a person or group that seeks to discredit or harm another by provoking them to commit a wrong or rash action.”)

Joshua Errett over at NOW Toronto described it best:

What Sonne was actually trying to do is expose security inadequacies of the G20, as is the role of the hacker. His intent was never to harm, and any crimes he allegedly committed were entirely victimless.

That the justice system can’t see the deep shades of difference between Sonne detailing security lapses and petty vandalism is an outright shame. And, in some ways, discrimination. If Sonne had been a cowardly Blac Blocker, bail would have already been set. There certainly seems a different set of rules for hacking.

With the ruling yesterday that Byron will remain in jail until his trial and be unable to have any contact with his wife during that time (unless in the presence of lawyers), there’s little question that he got the “rash action”.

And it’s clear that Canadian society has made its statement on how it intends to deal with dissent – zero tolerance.

In contrast to Byron’s crimes, those who steal $30-$50 million, dangerous offenders, those who kill while drinking and driving, and crack dealers all go free on bail.

This is one of the more disturbing issues with the case – not that Byron wasn’t guilty of being annoying, but that the treatment he is receiving at the hands of the Canadian justice system is far harsher than that given to people who commit far more significant crimes, crimes that leave people hurt, dead or destitute.

Free Byron.




Byron (and influence through the media)

If you’re following the Toronto news today, one of the main stories out there is about a former team member of mine, Byron Sonne. The news coverage (CNN, Yahoo) paints Byron to be one step this side of Timothy McVeigh… explosives, threatening police, etc.

And that doesn’t even mention that the picture they’re using makes him look that way. (As an aside: in my 11th grade journalism class, we spent a lot of time talking about how pictures frame the news story you’re reading. Before you even start the Globe and Mail coverage of this story, you’re greeted with a blurry, grainy picture of Byron looking like he’s about to blow up a building. Regardless of whether the facts support the charge, our minds are primed with all of the times we’ve seen a terrifying-looking psychopath who looked very much like this picture… and we read the story with that bent.)

Unfortunately, the reality seems a little less glamorous. If you read Byron’s Twitter account, you’ll find that Byron was being little more than the opinionated activist that he is. “An agent provocateur”, as someone told The Star. He talked about investigating the fences and posted video of the fences. He talked about how the cameras were being set up in locations that were likely to be used by activists. And he was pointing out that the amount of money spent on “security” for this conference was a little out of range.

One of the things that Byron has been most pilloried for in the news was the talk he gave a few months back on radio surveillance (a decent account can be found here).

Amazingly, Byron even posted the slides to that supposedly “provocative” talk on his Twitter feed. (I’ve put the same slides here for the BitTorrent-challenged.) Read them… there’s nothing in there that suggests anything but a security professional talking about insecure radio transmission.

Let’s give a different picture of the guy who used to work for me. Byron’s a very smart and well-rounded engineer. While he wasn’t the top producer on the team, he was someone I valued a great deal from a management perspective. He was vocal and would push others to come to the table with their best (even when he wasn’t up to their level). He was the member of the team most willing to call out others in a meeting. It wasn’t just internal… he was even willing to call out a vendor in a blog post. (Note that since I wrote this, nCircle took the original post down.)

Above all, Byron Sonne was always an ethical person and someone who I trusted a great deal. And I agree with the assessment that Jesse Hirsh made in an interview with The Toronto Star:

“I suspect that this may just be a stunt and perhaps a stunt that got out of hand,” Hirsh said.

Regardless, it’s a shock to me that this would lead to an arrest and incarceration. None of the posts made threats or suggested potential for harm. His talk is innocuous. And this all looks like a very large over-reaction from a police service that felt somewhat embarrassed that someone was publicly calling them out on their failure to encrypt their communications and poor placement of security cameras.




Influence and Failing Kindergarten

Had a great chat with my friend Drawk Kwast recently that he recorded for his list of users (which was an honor given the people he usually interviews). As expected, we rambled all over the map and talked about a million different topics around influence, living an adventurous and successful life, and always being willing to have fun and do the things that most people won’t do.

The thought that stuck out to both of us during the chat was the idea that we’d fail kindergarten if we were subjected to another year – that the things that have made each of us successful to this point would have caused utter failure in the current school system. We both have a nearly chronic inability to follow the rules, stay in single-file lines, refrain from asking “why?” about a million times too often, and ensure that we always make the sky blue when we color.

As Drawk said: “we’d be in the corner eating the paste.”

I realized later that I should have corrected him… so I will now… “we’d be in the corner figuring out how to take the paste, turn it into some crazy 5-star dish involving liquid nitrogen, and debating how to market a nationwide line of ‘frozen paste’ shops.”

It’s a trait that a lot of my friends seem to share.

The MP3 is worth a listen – Drawk had some great stories on there and I talked about random stuff that some people might find interesting.

(Aside: if you haven’t picked up Drawk’s “Domination Basics” ebook, you need to – it’s free and one of the better reads of the last year. The last person who I convinced to read it immediately sent me the message that “OMG! Drawk Kwast is the UberMan!!!!”. All I can say is that you should read it yourself and find out what all the exclamation points are all about.)



Return-to-Barry-White Human Exploitation

Spent a weekend in early October hanging out with Tom and Kim at their rapport and anchoring bootcamp. Afterward, I was talking in email with my friend Cris Neckar about the large number of pre-existing anchors that already exist within someone’s vast consciousness.

Cris’s comment was that using pre-existing material for anchors is “sort of like exploiting around DEP” – basically, the idea of a “Return-to-libc” exploit. You have pre-existing functions that perform the task you’re hoping to do.

This reminded me of something that Tom did to me during the weekend. Tom walked up to me and said:

“So, you’re a hypnotist, right? You’ve been in trance before, you know what that feels like, don’t you?” And, as soon as I think about it (which I have to do to understand his question), he anchors it.

Tom then proceeded to spend the rest of the weekend enjoying firing off the trance anchor at opportune times.

So, in our email conversation, Cris and I were talking about some good elicitations to anchor that many people would already have:

“Hey… remember that scene from Say Anything where John Cusack was standing outside with the boom-box over his head? How romantic was that? What was the most romantic movie scene you remember… one that just made your heart melt?”

Or: “As you wish” (for anyone who has seen The Princess Bride).

Or: “What’s the song that gets you most in the mood?”

In other words, the “Return-to-Barry-White” exploit.

Note: I’m well aware that this isn’t at all new. Neither’s ret2libc, really. But it’s a great example that hopefully drives some new ideas and new thinking.



NLP for Social Engineers

Anybody in the industry who has talked to me about NLP has understood my utter frustration about the state of NLP learning and its application to social engineering. It got me riled up enough to do a post on NLP and science a few months ago.

And, for the past few months, I’ve been pondering the idea of doing a free education series for the industry on what NLP is and how to use it as a social engineer. But, as anybody who knows me knows, I’ve been a bit busy. Foreground is taking off, having made the INC 5000 due to the phenomenal amount of growth (and corresponding amount of work for each of us). And my own projects (Connected Career, Information Security Leaders, and the projects we do through Michael Murray and Associates) have added an even bigger load.

But I got really riled up when I read the NLP section of the new Social Engineering framework. Because, while accurate, it doesn’t teach the reader anything useful about how to use NLP in SE. (That shouldn’t be taken as a criticism – I believe strongly in the project and will be helping to edit and correct deficiencies and gaps over the coming months… the guys over there are doing the community a phenomenal service.)

So, I sat down and started recording the material I had been putting together over the previous months. It’s going to come out to about 10 hours of audio, video and a whole pile of exercises. I even did a video to explain what you’re going to get.

Check out the video and sign up here.




Hacker Halted Redux

I had a blast at Hacker Halted last week, and I did a talk that I was incredibly excited about. It was the first time I was going to talk about some of the new research I’ve done and, while I didn’t plan to give out a huge number of details on the methods, I hoped that the talk was going to be well received.

Well, I’m sure that it would have been, had it actually finished. Because I didn’t read the program nearly closely enough, and I prepared a normal 80 minute talk, only to realize that my speaking slot was 45 minutes.

So, I only got about halfway through my slides, and much of the meat was lost. A couple of audience members talked to me afterwards and seemed a bit disappointed, so I promised I’d provide the talk another way.

I do like to keep promises. So I sat down at my computer this morning and recorded the slides and the audio. The entirety of the talk that the audience would have seen is below.

[Video: Hacker Halted Redux @ Yahoo! Video]

Let me know your thoughts and opinions and ask questions if you have them (since I didn’t get to take audience questions at the conference, either).




Recap: The Hope Symposium

This past weekend, I had the privilege of speaking at The Hope Symposium. It was a small conference put on by my friends over at NLP Canada.

I was actually lucky enough to speak twice at the conference – I was the opening speaker and the final speaker before Chris and Linda closed out the conference.

More (including video of my talks) in the coming days, but for now, just a picture of me, Chris and Ron Verreggen of RapidSuccessCoach.com.

[Photo: Chris, Mike and Ron]



Social Engineering Abounds

I’ve been ranting for years that we need more exposure about the threat that is Social Engineering. As time goes on, we move more toward a model where the human is the prime exploit target.

I just found out that some other people are thinking the same way. Today launches the first Social Engineering Framework. I’ve recently become a contributor, as have many incredible names in this industry.

I expect great things from that crew and hope to be part of some of them. Also, keep your eyes out for new developments here – I’ve been head-down working on some SE-related projects that all will hit in Q3 and Q4.



Greed as a prime motivator

I found this article the other day about the teen in Great Britain who managed to completely dupe a bunch of airline executives into believing that he was a millionaire looking to buy into their company and expand it. The key to the attack is that greed was the prime motivator. From the article:

When asked how he had managed to fool them, one of the airline execs in Jersey stated:

“If they were real then there would have been opportunities for us to expand our business and that’s not the sort of thing we are going to ignore.”

That quote is the key to it all – we can all learn something from this executive. The problem is that the higher-ups in this company were willing to throw caution to the wind when presented with a potential for monetary gain. Of course they’d love to expand their company, but at the cost of ignoring security and inviting the con artist into their inner sanctum?

The question is whether this executive would also answer a phishing email like the one I got from Jassay Goran in the Solomon Islands, which promised me I’d get $8.5 million if I followed a few simple steps. People involved in social engineering are often extremely bright, inventive and ingratiating – as I have said repeatedly in talks, social engineering is primarily a crime of the imagination. Note that in his explanation and defense of his actions, the executive used the phrase “if they were real” as the pretext for his action. Anytime someone does that, they’re taking a big chance with that little word “if.”

I’ll comment more on this article and the overall story in a later blog post. I think there’s something to be learned from a fact that’s recently been reported about this 17-year-old: he has autism. Also, this story really makes me reconsider the whole topic of user education. More thoughts after the pre-Blackhat rush settles a tad.




Constraints and The Bandwidth Problem

I got in a conversation last week about the upcoming bandwidth crisis in the core. I’ve managed to forget about those issues more and more over the past few months. I’ve spent a lot of time thinking about vulnerability research and social engineering lately at the expense of a lot of other security thinking. But that conversation and this article brought my thinking back to the infrastructure side of security. From the article:

“The super-high-speed cable is now hidden under six feet of Cornish beach, which is just as well, because if it were discovered and damaged, the entire web in Britain could turn to treacle. Warren Pole reports on the fragile network of ocean cabling that keeps the modern world turning, the madcap economics of internet supply, and why it will run out of space by 2014 unless scientists think of something… fast.”

While we’re pushing bandwidth at the last mile (I’m able to get 25 Mbps down, and that’s not even on FIOS), we’re going to run into significant snags at the key chokepoints – the core internet infrastructure and the transoceanic cables.

According to the article, there are nine cables joining the US and England, with a capacity of over 39 Tbps.

When I started in security in the 90s, we spent a lot of time talking about infrastructure and the core. Then, we “solved” a lot of the bandwidth problems in the late 90s and got ahead of the game.

And now we’re deploying video across the net. I watched UFC 100 the other night through Yahoo. All of my TV is via iTunes/AppleTV.

We’re not prepared for users like me. And that doesn’t even consider the idea of wholesale IPTV. No question – trying to lay cable to solve this problem is going to be difficult to keep up with. These cable links, which can be seen simultaneously as tenuous and formidable, retro and high-tech, innovative and shortsighted, are a model for the often unpredicted but possibly anticipated challenges that keep us in business.
