Computer Crime Research Center


Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks

Date: August 28, 2005
Source: onlamp.com
By: Federico Biancuzzi

Recently the eccentric security researcher Michal Zalewski published his first book, entitled Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks. Because the book is anything but a security manual, Federico Biancuzzi chose to interview Michal and learn more about his curious approach to information security. Among other things, they discussed the need for randomness, how a hacker's mind works, unconventional uses for search engines such as Google, and applying AI to security tools.

Could you introduce yourself?

Well, I am just a computer geek. I am a relatively young, self-taught enthusiast who is fairly proficient in the field of computer security, and simply enjoys playing with this stuff. Since the mid-'90s, I managed to contribute some probably worthwhile research to this area, as witnessed by a number of BUGTRAQ readers. I found and helped to solve a bunch of interesting security problems, and wrote a couple of well-received papers; I also developed several small but cool open source infosec utilities such as p0f, memfetch, Fenris, and fakebust.

Well, enough with blatant self-promotion. Curious readers can find more information about my work (and what else I do in my free time) at lcamtuf.coredump.cx.

Recently, No Starch Press published your first book. What type of book is Silence on the Wire?

Silence on the Wire is a fairly unusual guide to the world of computer security. Unusual, because instead of taking the reader through the frequently repeated fundamentals, I tell a story of this field as witnessed by me when I first learned this stuff.

I show that security problems are inherent to the way we design systems, bound to just about any aspect of modern computing; and that only by understanding it can you follow and mitigate threats efficiently. Along the way, I focus on some of the more unusual, fascinating, and often arcane topics in a way that hopefully is both easy to follow and entertaining, even if you have no professional interest in security.

Who should read it? Well--if you just want to get a solid grasp of the basics, this book is not for you, at least not to accomplish this task. If you are a seasoned computer user or a developer, and want to learn to see the technology in a different way, I believe you should give SotW a try. If you are an infosec professional and want to learn more about the technology, and rediscover the fascinating world of computer mechanics, I hope you'd enjoy SotW, too.

In the first chapter, you write about the need for randomness, and how it's difficult to get truly random data from a machine built to behave deterministically. Could this necessity disappear with the growing resources that common people will have access to? For example, a blind spoofing attack could become more feasible with broadband access to the internet, and there are some countries where you can easily and cheaply get a 10Mbps or 100Mbps connection.

Computers need to be able to generate truly unpredictable numbers for various purposes--implementing cryptography is a prominent example. This is not going to change anytime soon.

When users have access to more and more bandwidth and computing power, they can more easily carry out brute-force attacks against protocols and algorithms. But this only means the need for strong cryptography, cryptographically secure ISN generation, and so forth is on the rise. And to get there, we need computers to be able to deliver high-quality, unpredictable entropy--more than ever.
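An added illustration of the "cryptographically secure ISN generation" point above (example code written for this page, not from the book or the interview): a counter-based ISN source next to the RFC 1948/6528 construction, ISN = M + F(4-tuple, secret), with a small check that reports how much of the sequence an observer of a single ISN could infer. The keyed hash choice (HMAC-SHA256 truncated to 32 bits), the clock, and the 4-tuples are assumptions made here.

```python
import hashlib
import hmac
import os
import time

MASK32 = 0xFFFFFFFF

class NaiveISN:
    """Global counter stepped by a fixed amount. Seeing one ISN (e.g. from a
    connection of your own) reveals the ISN handed to the next connection."""
    def __init__(self, start=1, step=64000):
        self._next, self._step = start, step

    def isn(self, conn):
        value = self._next
        self._next = (self._next + self._step) & MASK32
        return value

class Rfc6528ISN:
    """ISN = (M + F(localip, localport, remoteip, remoteport, secret)) mod 2^32,
    per RFC 6528 (successor of RFC 1948). M is a 4-microsecond clock; F is a
    keyed hash (HMAC-SHA256 truncated to 32 bits here; the RFC suggests MD5).
    The secret never leaves the host, so F for someone else's 4-tuple is
    unknown to an off-path observer."""
    def __init__(self, secret=None, clock=None):
        self._secret = secret if secret is not None else os.urandom(16)
        self._clock = clock or (lambda: int(time.time() * 1e6) // 4)

    def isn(self, conn):
        msg = "|".join(map(str, conn)).encode()
        f = hmac.new(self._secret, msg, hashlib.sha256).digest()[:4]
        return (self._clock() + int.from_bytes(f, "big")) & MASK32

def distinct_deltas(gen, conns):
    """Hand out one ISN per 4-tuple in order and count the distinct
    differences between consecutive ISNs. A single value means the whole
    sequence follows from one observation; a spread close to len(conns)
    means the per-connection offset cannot be recovered without the secret."""
    isns = [gen.isn(c) for c in conns]
    deltas = {(b - a) & MASK32 for a, b in zip(isns, isns[1:])}
    return len(deltas)

# Constructed 4-tuples (local ip, local port, remote ip, remote port) using
# documentation address ranges; not taken from the interview.
SAMPLE_CONNS = [("192.0.2.10", 40000 + i, "198.51.100.5", 443) for i in range(200)]

if __name__ == "__main__":
    print("naive   :", distinct_deltas(NaiveISN(), SAMPLE_CONNS))
    print("rfc6528 :", distinct_deltas(Rfc6528ISN(), SAMPLE_CONNS))
```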

Do you think that security concerns will require the adoption of a new version of TCP in the near future?

In my opinion, TCP has some shortcomings, and these are bound to become more and more of an issue in the near future, but I do not think we're going to reach a point where we must switch to something else that instant; there is no mystery failure threshold, but performance and security features within or kludges around the protocol are becoming less efficient as the surrounding technology advances.

In fact, even if we had to replace TCP on short notice, it would be next to impossible to carry out such an operation. Look at how we're moving toward the IPv6 protocol suite--ho boy!

HTTP does not use crypto, while HTTPS does. Do you think that in the future we'll use crypto for every single connection?

Well, because of the shortcomings of TCP (and the increasing ease of blindly tampering with the data as bandwidth increases and new attacks are discussed), almost all communications, even nominally of little relevance, should be either encrypted or cryptographically tamper-proofed by now.

Unfortunately, this is a complex and costly process, and implementing advanced cryptography may introduce new flaws elsewhere. Furthermore, unless carefully engineered, it may remain susceptible to disruptions on underlying layers, replay attacks, etc. Last but not least, end users simply don't understand encryption and PKI, and hence can be easily tricked to ignore or bypass our sophisticated protections.

In other words, "perfect world" solutions may be not really that desirable or easy to implement, and we might have to stick with simpler short-term options and strategies for now.

Your book is full of interesting and original ideas to study a network or a single host; however, how can we focus on those advanced topics if most of the break-ins on the internet come from worms, spyware, and other dumb things or users?

There are plenty of books on these topics, some of them very, very good; there is no point in writing another summary of threats just because worms or spyware are a prominent problem.

What I wanted to achieve is to show how to think creatively and see problems that go beyond textbook examples; I try to show that these flaws don't come out of nowhere, and are inherent to every single tiny design decision ever made. If there is a software engineer, a system administrator, or a security professional who, after reading SotW, puts a bit more thought and insight in their work, that's good news--we may be preventing new classes of exploits and attacks of tomorrow.

There are a lot of books and courses that teach "how to think like a hacker". Your book should open a reader's mind by showing original points of view on different situations and problems. Do you think that it is possible to learn this way of thinking, or is it just part of some people's personality?

I don't think that ("good") hackers have any special, hardwired mental abilities or specific personality traits, and I do believe you can easily learn to think like a hacker, even when you come from a different background.

The difference between hackers and people who just deal with computers for a living, 9 to 5, is quite simple--hackers share a genuine passion for this stuff, they learn and analyze computers just for fun, and hence can more readily see beyond the taught problems and scenarios, invent or explore.

And so, if you have ambivalent feelings about computer science and just want to get your paycheck, no amount of books or courses is going to turn you into a skillful, passionate enthusiast. On the other hand, if you have the genuine desire to explore computing as a true hobby, you're likely to succeed and become an old-school hacker with (or without!) proper guidance.

I was thinking that often the so-called hackers have other hobbies beyond computers, and that being open-minded and cultivating mental elasticity could explain why they have better results than people who do things just because it's their job. For example, you like to practice photography, and this interest in expressing yourself with images came out when you published your famous research on ISNs, where you used a graphical format to spot algorithm weaknesses. Thinking of the people you have met and the hackers you know, does this theory sound good?

I think it's an oversimplification to attribute any special mental skills or capabilities as either a result of or a reason for being a hacker. In fact, I know of several hard-core hacker geeks who have remarkably few other interests or any form of mental or social elasticity. (In fact, they're really hard to get along with, and have very serious problems adapting to everyday situations.)

Also, I don't think that hackers necessarily "have better results" than people who do not fall into this category. It's a comforting thought for us geeks, but I'm afraid this is not very true. Some hackers are either far too obsessed with a particular concept or set of problems, or too disorganized, to outperform well-trained, distanced professionals.

Hackers are generally more determined to do the things they're interested in, for its own reward, that's all.

Some time ago you played a joke claiming to have founded a company called eProvisia LLC that provided a 100 percent guaranteed antispam service. The very interesting fact was that its antispam technology used human beings who manually analyzed email.

Yes, of course the company is not real; it was just a silly joke that got out of hand (and was carried as a true story by ZDNet, Yahoo, Slashdot, and others).

This idea is original, and made me think of the saying that...
2005-09-17 10:58:11 - Thank you very much! Sonta
Copyright © 2001-2013 Computer Crime Research Center