Here is the presentation that Massachusetts Bay Transportation Authority didn’t want to be presented.

I am tired of companies that tries to hide the flaws in their products and services using the legal system, instead of fixing the vulnerabilities at hand (you know who they are, and if not I’ll start a wall-of-shame).

And, as the evidence of previous attempts shows, the information gets out there anyway - and I will do what I can to spread the information further.

Dr. George Ledin, professor at the Sonoma State University, is teaching his students on how to write malware (in an air gapped environment). The antivirus industry is shocked and vowed not to hire Ledin’s students, the NewsWeek article reads. Unfortunately I find the NewsWeek article very condemning and it basically that Dr. Ledin are doing some shady business and trains the next generation computer criminals. They missed the point: the computer industry needs talented knowledge work force, and that doesn’t come from just readying malware theory and a lot of crypto. Even Bruce Schneier realized that no matter how good crypto you have, there will always be problems that crypto doesn’t solve. So my words to Dr. Ledin is: “Good job! Keep it up” (and in the name of academic, scientific and social progress, please make the classroom material available under a Creative Commons license).

I agree with Dr. Ledin’s view that to really solve the malware problem one needs to understand how malware works, and I am not sure that just reading some theory about it helps (I for one learns by doing, more then from reading). Of course, statistically some of his students will use the new gained knowledge to do Bad stuff tm but I could say the same thing about anyone taking chemistry (anything that can be caused to explode or flare up will be replicated by some students, and not always under supervision in a lab) or any almost any other class you take in school (physics? learn why you can burn ants with a magnifier. Electrical engineering? Learn the smell of blown capacitors, resistors or see the flash of a thin wire vaporized after being short-circus in the regular mains). Heck, we even learn young men and women weapon skills but it doesn’t have people up in arms (pun intended) in the matter. That particular story is re-told here (cached version as at the time of writing the site was down).

I am not impressed by the antivirus vendors ability to keep your computer safe from viruses and other malware, it is actually very simple to modify an existing binary so it passes the antivirus scanner. My computer has been infected once, while my parents was visiting and using it (lesson learned: visitors can use a “guest” laptop) and it was detected by Windows XP built-in firewall and not the commercial antivirus software installed and up-to-date on the machine. The truth of the matter is that they only got updates for the malware after I sent it in to the antivirus vendors. The anti-malware technology clearly reached its limits and new insights needs to be applied to the problem. Dr. Ledin was quoted to say “If college students can beat these antivirus programs, he argues, what good are they for the people and businesses spending nearly $5 billion a year on them?”, and that is a reality that the anti-malware companies doesn’t want to acknowledge when they got a whole business model built up around malware (an undying reputation that antivirus companies actually sponsor malware creators never seems to die off, although now days they have their own financial motivators so even if it was true in the beginning, when viruses was little more then a greeing card, it is unlikely that it is so today).

What do you think of teaching students how to write malware as part of a security course? Please leave a comment or trackback.

The Blackhat 2008 slides are out, get your copy here (198 756 461 bytes, MD5 = a5551435ccce85d3fb26b90bc899c080).

Don’t forget to drop by tomorrow (Friday 8 August) at 20:00 CEST (GMT+0200) for my live “Privacy in Wireless Networks” presentation.

My EEE PC 901 arrived today (well, technically yesterday but I had to go to the postal office and get it). I bought this one off eBay from a seller named ishop_ec (really good seller, highly recommended), and it comes already modded with a 2 Gb memory module (the original RAM module was also included, which I think is a nice gesture).

I bought the EEE 901 to replace my broken Cloudbook as hacking computer. 20 Gb SSD storage (4 + 16 Gb), 2 Gb RAM and an Intel Atom CPU @ 1.6 GHz I think it should be able to do the job pretty well.

Anyway, enough of my babbling, here are the promised pictures:

Box front	Box back
Opened the box	Removed the EEE Quick Start Guide
The EEE got a small paper thingy in the corner explain the benefits of having a SSD drive.	Opened the lid of the EEE 901 for the first time.
Look at the remaining items of the package.	What is not standard here is the RAM module as well as the UK -> EUR wall plug converter.
6600 mAh battery. Always welcome. I’ll time the battery time later.	Notice that the shiny surface smudges very easily. Barely touched it, but my fingerprints are all over it already.
The EEE 901 booted for the first time.	Ports on the right side of the machine: 1 SD card reader, 2 USB ports and 1 VGA port. Notice that the charger is now connected on the side of the computer instead of back as on earlier models.
Ports on the left side of the machine: 1 LAN port, 1 USB port, Microphone and Headphone jack. Notice that the Kensington security slot has moved to sit beside the LAN port and not beside the VGA port as on earlier versions (which is an improvement, as earlier you had to choose between locking your computer and having it connected to a monitor).	The surface is very shiny. Hard to see that on this photo, but it’s almost like black metallic paint. I already gotten upset with all the fingerprints on it so I’ll quickly whip up a custom laptop skin for it.

Hope you liked it. The full set of pictures can be found on flickr. I am looking forward to transform this machine to a lean, mean hacking machine.

In exactly one week I will be presenting “Privacy in Wireless Networks” live here on this site. The talk will include data interception, man-in-the-middle and fake access points attacks (among others) against your privacy from individuals, corporations and governments.

This is an updated and extended presentation from when I first preformed it at the 2^nd Annual Wireless Security Conference in Singapore.

So I hope to see you on Friday the 8^th August at 20:00 CEST (GMT+0200).

I like the speed my ISP is giving me. Here’s some stats…

Please note that I am concurrently downloading Steal This Film Part 1 and Part 2 at 7.3 MB/s and 3.8 MB/s respectively (total download speed of 11.2 MB/s).

And here is the mandatory Speedtest.net result.

All for 275 SEK/month (current exchange rates puts that at about USD$ 45.58/month) with no minimum contract period. Compared what I was receiving in Singapore this is a big improvement, especially in upload speeds.

For my friends back in Singapore: You are getting ripped off by your ISPs. Start organizing yourselves and do something about it.

I found WebcamMax so usable so I caved in and bought 2 copies for it: one for my Shuttle desktop and one for my Asus EEE 900.

Now I got the software I need to be able to do live presentations using StickAm (think of it as a “live” version of YouTube). I was thinking of sticking to some sort of regular schedule so I can plan in advance for it, and it will take place after Swedish office hours so not to interfere with my work commitments. So I’ve decided to do it every other Friday evening at 20:00 Swedish local time (CEST [GMT+0200 at the moment]).

The first presentation to be broadcasted will be “Privacy in Wireless Networks“, which I originally presented at the and Annual Wireless Security Conference in Singapore. The date will be Friday the 8^th August at 20:00 CEST (GMT+0200).

The second presentation will broadcasted on Friday the 22^nd August at 20:00 CEST (GMT+0200), and the topic will be “Overcoming USB (In)Security” which I originally presented at the NextGen CyberCrime Conference in Singapore.

I have some ideas what to present after these two pilot presentations, but I would like to hear from you, my dear website visitor / blog reader. What do you want to have explained to you? Look through my website and see if you find something that you would like a demo of or explained live.

I hope that I will see you there, and if you can’t attend due to other commitments or time zone issues I will attempt to record the shows for on-demand viewing.

One of my old colleges seems to have used the site http://amazing-thingz.com/ in which she had given out her MSN username and password to (very bad idea to begin with).

From their Terms of Use / Privacy Policy (http://amazing-thingz.com/indexx.php):

We may temporarily access your MSN account to do a combination of the following:
1. Send Instant Messages to your friends promoting this site.
2. Introduce new entertaining sites to your friends via Instant Messages.

Which means that they can spam users in your contact list on your behalf (myself included, didn’t find it amusing).

TST Management, Inc reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.

Blanket statement that you agree to agree with any of their future, even unannounced, privacy policies regardless what they state. I feel a cold chill in my spinal cord when I read such language.

You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, TST Management, Inc is NOT agreeing to MSN’s terms of use and therefore not bound by them.

Which would mean that you are responsible for any MSN EULA violations, and can have your account suspended / deleted.

This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

Which means that they don’t want to operate where the laws are more technology savvy.

I told my ex-college to update her MSN password and all other sites she has been using the same password on. It should now and forever be treated as compromised and should never be used again.

In retrospect, was it all worth it for some pictures for MSN, or worse? Some reports mentions malware infections in association of this site, but I have not looked into that aspect yet.

It seems like WebCamMax will allow me to stream my desktop, including PowerPoint presentations, over to StickAm to facilitate live presentations over the Internet. At USD$29.95 it seems quite reasonable priced.

While I come up with some new material to present, is there anything from my older presentations you would like me to present again?

Please leave a comment with your suggestion.

I am trying to find a (cheap) setup that would allow me to give live presentations over the Internet. I would think that a service like SickAm or Ustream would work well for this, but I haven’t manage to find a way to get my slides work with these services.

Do you know of any way this can be done? Do let me know and leave a comment.