Tuesday, December 16, 2014

The Hacker

Hackers are depicted by the media as criminals.  It's a sad truth that hackers have to live with and will always fight against.  But to better describe the hidden culture that mainstream media has no interest in discovering, here is my own personal analogy.

My original analogy was that Hackers are like Butchers.   They both have skills that most people don't choose to learn.   They are both artists in their own way.    A butcher uses a potentially dangerous set of tools referred to as knives, most typically the butcher knife.    A hacker uses a set of potentially dangerous tools known as code, but most typically referred to as computers.

But why is a Hacker a criminal while a butcher is not?  While some people think it's a stupid question, there are many hackers that are still baffled by this question.   So here is my latest analogy that will be easier on the comic book movie fans.

Hackers are like superheros.   They do things that most everyone cannot do and achieve things that were once thought to be unattainable.

In the computer security profession, we refer to the three hats...
White Hat
Gray Hat
Black Hat

The White hats are the good superheroes...the knights in white satin armor, Captain America and Superman.    They use their powers only for good while doing everything the nice way and playing by all the rules no matter the jurisdiction.

The Gray hats are the vigilante superheroes, like Batman and Rorschach.   They use their powers for the common good, but they don't care about playing by the rules as much as white hats.   Helping out society is more important that following the normal procedure to achieve such results.

The Black Hats are your evil superheroes (or super villains) like Lex Luthor or Mageneto.  They are using their super powers for their own selfish purposes.  In today's world, that purpose is simple monetary gain.

 The media's depiction of hackers typically defines them as Black Hat only.  They are the ones that are making all the bad apps in the App Store or Play Market that steal all of your banking information.  They are the ones that are wearing ski masks in front of the computer doing their best to take down the world with a few "simple" key strokes.   They are reverse engineering the software you love to find a vulnerability they can exploit.  Once they find that exploit, they eventually use it against society for their own selfish gain.

For example, a software vendor releases a new program that everyone likes to use or maybe it's game everyone likes to play.    They do their best to program with security in mind, but there's always something that is overlooked and a company's project budgetary time line will always push a software release ahead of schedule.   A popular MMORPG I used to play actually released an expansion pack that wasn't even complete as they intended to just release the remainder of the pack later as a download instead of part of the CD distribution.   These releases will always have unseen vulnerabilities that have yet to be discovered.

The White Hats are the folks that are doing refutable security research and promptly reporting it to the "authorities" (aka the companies of which it concerns).  For example, a researcher finds a vulnerability in Microsoft software.  Microsoft welcomes such notifications so the vulnerability is quickly analysed and a software patch is released to resolve the vulnerability thus keeping the public as safe as possible.

This is referred to as "penetration testing" where they inform the security guards of the software realm that they can get in if they wanted to, but in an effort to play nice they did not do so.  But they are informing this company so they can fix the problem so a true villain doesn't cross that line.   Some companies like Belkin have started to offer "bounty" rewards where a cash prize will be given to the researcher that reports the existence of a vulnerability.   Various police jurisdictions have incorporated similar programs to better strengthen security of the community. 

The Gray Hats are somewhat in the middle between White and Black (go figure).  They tend to do things for fun, fame, or other reasons, but they also don't have any intention of endangering the general public.   So these superheroes are just as skilled as White and Black Hats, but their "ethics" are a tad looser in comparison.

Not all companies welcome such harsh testing of their own software.   Some companies actually refuse to acknowledge such vulnerabilities despite the evidence presented by ethical security researchers.  Sometimes the companies worry more about the negative publicity while others will worry about the cost the repair the threats it has created.

No matter the reasons, the Gray Hats believe it's more important that the public be protected from these threats, even if the company doesn't want to admit it.   They will reverse engineer software and hardware just out of curiosity and enjoyment, even if the vendor legally forbids such action.   They will break the rules just to prove their point and keep the public safe so as long as their actions do not put the public in any further danger.

For example, a gray hat might attempt to penetrate your favorite App store or market.  In doing so, they would be able to prove to the vendor that they have an exploitable vulnerability that needs to be resolved to keep the rest of society as safe as possible.

A Black hat would just penetrate and then do whatever they could to profit from their actions...like post an evil app, replace a good app with their own evil version, or steal everyone's credit card or other personal information.

A White Hat wouldn't bother to do such research without the vendor's written permission.    They typically have a very refutable job and certifications that forbid them from breaking the rules like Gray Hats.

Pick your hat color....it doesn't matter....they are ALL hackers.

They all have an impressive skill in the world of computers.   It's what they do with that skill that determines the legality or illegality of their actions.

The media could, in theory, present both sides of the story.  But let's face it....the villain is always more interesting to talk about.

Every year, hackers meet in Las Vegas for a convention known as Defcon.    The conference covers a wide range of topics in the field of hacking.  But most of it is presented in a manner of "look what I was able to do" instead of learning how to do it yourself.   But in most every case, the topic presented is intended to show you just how easy it is to exploit a particular piece of hardware of software.  It gives the vendors something to think about and in some cases it blows the whistle on the vendors that would rather sweep it under the rug.

This conference is a great way to spark positive change in a "gray hat" sort of way.   A recent example is at Defcon of 2012 where a group of researchers developed a program that made it VERY easy to exploit nearby laptops while on a shared access point such as a coffee shop.   One might wonder, why would they do such a thing?  Why would they make it EASIER for the unskilled user to take advantage of other people?

[Hackers] all have an impressive skill in the world of computers.   It's what they do with that skill that determines the legality or illegality of their actions.   

The researches addressed this issue in their presentation.  The vulnerability that they were exploiting was a vulnerability that was presented by many others in previous years.   The point of releasing such a tool was to get the vendor community to move further towards a resolution because despite all the time they've had to do so, they still haven't bothered to fix the issue.    In cases like these, when the White Hats can't get the job done, the Gray Hats give it their best shot in an attempt to stop the Black Hats from using the same issue against us all.

Hackers have shown us how easy it is to do almost anything we can imagine.  One year they demonstrated how easy it was to hack an ATM.  Shortly thereafter, there was no ATM within 10 miles that was not exploited.  No money was taken (probably), but the majority of exploits simply changed the presentation of the ATM screen similar to how web sites are defaced. 

I wore my Defcon shirt to work one day.  While in the elevator, a random stranger asked me what defcon meant.  I told him it was a hacker convention in Las Vegas.  He said "Oh" and quickly averted his head not saying another word as he exited the elevator as soon as possible.   No surprise there.   It's just the reaction we get because hackers are always misunderstood.

But without hackers, your phone wouldn't be as secure as it is now.  All the security updates you get from Microsoft would not be available as often and the bad guys would be able to steal all your money without any effort.   You wouldn't be able to shop online because the threats hackers have demonstrated have forced improvements in SSL technology to build the foundation certificate authorities are now selling to web sites like Amazon and Ebay as a standard practice.

I support hackers...the good ones.  I fall along the lines of Gray Hat simply because there are certain ethical guidelines that I don't agree with.   White Hat forbids aggressive defense tactics.   This means if someone attacks you, you cannot attack back.   I just can't wrap my head around that.  One reason I like Arizona is because they are big on defending one's home and family.

According to the law there is a difference between physical attacks versus digital attacks...but I disagree.  I believe in defending my home no matter what.  The Gray Hat knows the computer fraud laws were created to defend corporations that need to protect their proprietary information so they know these laws should not apply to the home user that needs to protect their family and their networked devices.

Hackers showed us all via youtube just how easy it is to "bump" a deadbolt lock that we all have on our doors.  They invented the credit card lock pick to unlock office doors as seen in movies.  They invented social engineering to manipulate people into willingly providing sensitive information to strangers.    Anything that manages to circumvent protective measures to achieve the same goal as using the intended protective measures is generally considered to be a hack. 

There are now small workshops out there called "Hackerspaces."  They are places where people in the community go to make things and even hack things in a cooperative environment for learning and other positive purposes.   A hackerspace will often create a group of interested hackers to play in the occasional Capture the Flag events.
Anything that manages to circumvent protective measures to achieve the same goal as using the intended protective measures is generally considered to be a hack.

Capture the Flag are contests surrounded by various topics of computer security.  The main theory behind these games are now supported by college level professors in that the best way to learn about security is to learn how to exploit computers.   Many experienced police officers and even federal agents will agree that the best officers/agents are the ones that know how to think like a criminal.

So Capture the Flag gives players a good experience of computer security without endangering or otherwise harming anything at all.  Universities have also begun to embrace CTF as it provides an incredibly valuable set of practice scenarios compared to only the theory that college can offer.

These people are hackers.

Hackers are leading the way to a safer tomorrow in a never-ending fight against the evil hackers that only want to rip you off.   Your view on hackers should only depend on the team you are rooting for.

Are you rooting for the villains, the vigilantes or the white knights?

Sunday, December 7, 2014

calling SRP's bluff

It's rare when you get those moment's of calling someone's bluff and slapping them in the face with it....it's even more fun when that someone is a greedy utility like SRP and APS.

How to save images with "no-right click" protection

The internet has lots of free crap but sometimes publishers go to extra efforts to ensure you can't save anything from their site so you will either subscribe and give them money, or to prevent bots from duplicating their site so someone else can get paid.

All good reasons, but sometimes I just want to save a picture for later and I don't like bookmarking all that much.  But thanks to sites that disable the right-click option, I can't just right-click and "save as..." for these images.   But, if I can see the picture in my browser, then I can save it if I really want to.  And thanks to the newer browsers implementing advanced debugging, it's even easier than it used to be. 

Yes, you CAN just use a screenshot program.  But that will only allow you to save the resolution of which the HTML code is presenting it while displayed in your browser.   If you download the actual image, you can get the full resolution and in some cases you can get around javascript that adds watermarks to images. 

Here's how...

Most browsers are the same, but in this case I am using Firefox as an example.

Get the browser to go to the image you want to save.  Once it's on the screen, you obviously cannot right-click on the image, but you can probably right-click somewhere else on the scree.  If you are able to get a right-click menu somewhere, then select the "Inspect Element" option.   The best place to try is just a few pixels to the left of the image.

If you cannot get a right-click option, then go to the browser menu at the top and click TOOLS > WEB DEVELOPER > INSPECTOR.

A small window with a bunch of HTML code will open at the bottom of the browser.  Now click on the HTML code at the bottom half.

Now use the UP/DOWN arrow keys to move the selection of HTML code up or down.  As you move up and down you will notice certain elements of the top half are being highlighted a certain color (eg. light blue).  Use this method to get your desired image highlighted.

Once your image is highlighted, go back down to the HTML code on the lower half of the browser.   The code will very likely have small block arrow on the left side.  This indicates a tree that has been collapsed.

You can use the keyboards RIGHT/LEFT arrow keys to expand and collapse trees.  Or you can just click the small block arrow icon on the left side of the HTML code.

With the tree expanded, you will see there is more code to scroll through.  Use the UP/DOWN arrow keys again to scroll through this code you just expanded.  Watch the upper half of the browser to see what code is referencing the image you are trying to locate.

You may have to do this process multiple times.  Keep expanding and scrolling the code until you finally locate the image reference similar to the image below.  Look for standard image file extensions like .jpg .png .bmp .gif

inside the SRC tag, you will see the http:// URL you need to load the browser on your own.  Select (highlight) the text and select EDIT AS HTML.

The HTML window will move the code to it's own private box.

Here you can select the text and use CTRL-C to copy it into the clipboard.  Paste this text into a new tab of your browser.

The image should load in your browser with nothing else and no protections.  You can now use right-click to save your image to your computer.