Explanation Needed

by Javantea
Jan 23, 2012

Some things require no explanation. Some things do. Today isn't the day for a cryptic blog post, so I'll get right to it. AltSci's SSH shell service is unavailable to most users due to an unpatched Local Root Vulnerability in the Linux Kernel. I tested it on my machine at home and it works. That will teach me to upgrade my kernel regularly. =[ The explanation of the vulnerability is incredibly good and the timing could not be much better. If you have a shell that has a new kernel, you should know about this.

I've been working diligently on a SIP softphone, BikeIM. The simplest explanation is that it is a competitor to Skype. Skype has several features that version 1.0 of BikeIM will not: a GUI, video support, a directory, SkypeIn, and SkypeOut. So without all these killer features, how do I expect to compete? Linphone, Ekiga, and Jitsi are Open Source competitors to Skype that have most or all of the features that Skype does. Many people use these tools in place of Skype. My reason for writing my own is to be able to trust the code. Instead of writing my own softphone, I could pen test or code review one or all of the open source softphones, but when I found bugs, I would go through the process of writing them up, getting the developers to patch, and getting people to upgrade. That process is not as difficult as writing software, but the end result is a handful of CVEs at best. The reward for reviewing and testing open source software is good software for everyone. The reward for writing good open source software is good software for everyone. When I started writing code in July 2011, I evaluated Linphone, Pidgin, and Ekiga. Linphone and Pidgin didn't work for me, and Ekiga had issues that I could not accept (despite working quite well). It's possible that Linphone has improved, but I do not think that Pidgin or Ekiga have changed. VoIP is a strange example of Open Source innovation: multiple well-designed systems all using open protocols but with reliability that is suspect in my opinion. Asterisk is a perfect example of how an Open Source project can grow too quickly for its own good. Asterisk has had so many vulnerabilities in the past 6 years that they have become famous for their flaws. The problem with Asterisk is that the code base is increasing in size by implementing unnecessary features without proper code review and testing. This is a recipe for disaster, and the size of their project should daunt even their most staunch supporters.
But Open Source is not alone: closed-source VoIP software works, but all of it has serious reliability issues. If you've ever had the stuttering effect on Skype, you know what I mean. Not only will BikeIM be reliable and Open Source, it will grow as time goes on. I plan to use it in place of a home phone and will leave it on all my systems. Version 2.0 should have a GUI for those who prefer one. I hope that my work will inspire Open Source VoIP projects to increase their testing to ensure reliability and quality. Even if they can't afford professional security experts, they can appeal for help. Since my project will also be Open Source, they will have the choice of copying any improvements I make and vice versa. That's just how we roll.

Recently SOPA came to the forefront of Internet news. Wikipedia, Reddit, WordPress, and thousands of sites went dark for a full day last week in protest against censorship. Many wrote blog posts like this one, which explains that SOPA is unconstitutional in every way that it possibly can be. The very next day ICE took down one of the largest file upload sites, MegaUpload, to the cries of thousands more people. I think a lesson can be learned from this: Congress can be bought, but they fear for reelection if lots of influential people find their way to the Internet news; the executive branch are a bunch of twats who don't give a shit about the constitution; and the judicial branch has no method of doing justice. The above linked WordPress blog post contained this logical inconsistency. See if you can spot it.

Some people will tell you that taking action is useless, that online petitions, phone calls to representatives, and other actions won’t change a single mind, especially one that’s been convinced of something by lobbyist dollars. To those people, I repeat the words of Margaret Mead:
Never doubt that a small group of thoughtful, committed citizens can change the world. Indeed, it is the only thing that ever has.
We are not a small group.

The logical inconsistency is that Margaret Mead says that only a small group of thoughtful, committed citizens has ever changed the world. WordPress, in attempting to consider itself a small group of thoughtful, committed citizens, then says "We are not a small group", thus implying either that they are a small group or that Margaret Mead is wrong and that large groups have changed the world. Another possible choice would be that they didn't change the world by stopping SOPA, but that's a conspiracy theory I don't want to get into.

Where does this all lead? We need a private file sharing protocol that has strong cryptography so that all this talk of censorship can just go away. It's 2012 and we're still using BitTorrent (albeit a much better protocol than years past), HTTP, and Tor. Since BikeIM will have strong encryption anyway and since SIP can negotiate any protocol, I suggest that SIP or a similar protocol over an encrypted UDP or TCP channel will be the file sharing software that people use in the future. You may be thinking: this guy doesn't know that TLS doesn't work over UDP but you'd be wrong. What a mess we have where doing encryption over UDP is a pain. Tor is dragging its heels on supporting UDP, SIP requires TCP to use TLS. It's as if no one imagined that we'd have corrupt politicians, global wiretapping and NAT in the Year 2000.

It's that time again, predictions for the year 2012. By the end of 2012, I will have a peer-reviewed paper published. I will have at least 20 users of BikeIM. I will visit Brazil again and I will speak a lot of Brazilian Portuguese. There will be at least 2 CVEs for Asterisk. There will be approximately 100 MS12-XXX security vulnerabilities. There will be increased growth in the computer security market. Most of that growth will be the same old vulns but in better products. CSRF tokens will cause Burp and Skipfish to adapt to allow users to specify what CSRF token to send along with a system of logging back in after an errant attack causes the system to log you out. Sakuracon 2012 will be awesome. Defcon 20 will be awesome. Toorcamp will be awesome. Hope Number Nine (since it's temporarily down, try 2600) will be awesome. Neg9 will do well in CTF quals, possibly also at OpenCTF.

Javantea Out.


Comments: 1

  • Sara

    Found it. (small)
