3ncryp7ion is NOT a Crime!
Editor's Note: In the first posting of the article, in my rush to get a blog post up I did not do my research thoroughly and I falsely attributed some statements to the French PM. I have since edited this post, removing those incorrect statements and providing a link as a reference.
This project came to light because of the recent terrorist attacks in France; a sad day indeed for the people of France, the families of those slain and for freedom of expression. The response by the people of France and the world was an amazing thing to witness, peoples of every nation banding together in solidarity to stand up against those that would attempt to quell freedom of expression, but then, something equally horrifying happened. Just days after the events and the rallies and marches, some European leaders, namely British PM David Cameron, came out and floated some ideas for new laws that would weaken or eventually cripple encryption! What the Verge called a "European Patriot Act". What irony there was in that statement and the follow-up by other countries: struggle to fight terrorism, support freedom of expression, but stanch privacy rights!
This did not sit well with me and many others in our community so I decided to do something about it, raise awareness and some money to help defend and educate people about not only encryption, but about privacy rights in general. So I created a shirt. Yeah, I know how it all sounds, but what better way to show your support and hopefully, get others to think about exactly how serious this issue is to everyone, even if they don't know why encryption is so important. If even one person asks you about your shirt and what it means, you'll have the opportunity to educate someone that might otherwise never have even bothered to think about this issue.
To order your shirt(s), go here -> 3ncryp7ion is NOT a Crime!
100% of the proceeds will go to some great charities, namely, Hackers for Charities and the EFF.
Hackers for Charities is doing great work in Africa to not only educate people in the use of computers, but also providing training for people who want to gain employment in the field. They also help provide internet access to remote villages and people that otherwise might not ever have that opportunity.
The EFF (Electronic Frontier Foundation) does a lot of work on behalf of computer users and the general public worldwide by raising awareness of the various laws that are written involving computers and their communications and monitoring.
Please check out the charities here and, when ordering, please specify which charity you would like to receive your money. (All unallocated funds will be split between the two charities equally.)
Hackers for Charities
EFF
Thanks to everyone for your support and encouragement in this project. It means a lot to me and I can see that it means a lot to many of you as well! I would also encourage other, more well-known bloggers out there to take up this cause and help raise awareness of the madness that is being proposed to help keep us "SAFE".
NOTE: For anyone ordering shirts that require international shipping, the shirt site does NOT support this, but I do and I will make that happen. Just click on the Contact link on the site and send me an email with your order request and I will get back to you with the details.
Saturday, January 17, 2015
Wednesday, January 14, 2015
Wi Fight?
So, we have TV shows and movies coming out that show "hackers" doing magical things with computers and we have the added hype from the MSM that shakes in fear when a Twitter account gets hacked (really just pwned because of bad passwords, etc.) or when a gaming network has been taken offline using tools that, well, anyone can use even if they only have basic computer skills and the money to rent a botnet.
And the result of such ignorance and misinformation? Changes to current laws that can practically make anyone in information security a criminal under the right circumstances. I'm not going to delve into that aspect, as Robert Graham has already addressed these issues in a great blog post today. Please read this, if you have not already: http://blog.erratasec.com/2015/01/obams-war-on-hackers.html#.VLcCZyvF9ps
As I perused the proposed changes to the current laws, I noticed something that really stuck out to me: the recurrence of this and similar phrases, "...or facilitate the commission of..." said crime. This line got me thinking: what do I possess that could be classified under that statement? Well, I have a TP-LINK WiFi adapter that can be initialized in promiscuous mode, can sniff WiFi traffic and, using some simple programs, can actually capture this traffic. I also have a WiFi Pineapple that can accomplish the same tasks and a great deal more!
Do these devices make me a criminal? Does watching YouTube videos on how to best leverage these devices (on a perfectly legal pentest) make me a criminal? Sure, there is no "intent" here, but the equipment and knowledge can "facilitate". And this is just hardware, not the software distros that are out there that make these tools even more effective, like Kali Linux, Pentoo, Pwnie Express, just to list a few.
Another passive, but "facilitating", concept that is frequently used, even by hobbyists in the field, is wardriving: using programs like WiGLE that log and map SSIDs of a range of devices, even providing GPS locations of said devices. Will possession, let alone use, of such applications now be a criminal offense?
The answer, as it stands today, is that most likely none of these devices and techniques will be "technically" illegal if the laws are changed, just because of the sheer volume of what's already out there and the number of people using them, but, as Jack Daniel said earlier today, "it depends on the aspirations of the prosecutor" where these lines are drawn.
But, as we all well know, once this Pandora's Box is opened, it's going to be damn hard to shut, and the talented people who do great research and help protect the public from people and organizations that are truly scary will eventually become targets, for any number of reasons that some ambitious prosecutor can conjure.
NOTE: Consider this... A great and award-winning journalist, and a person that a great many people in information security admire and trust as an authoritative source when it comes to data breaches, namely Brian Krebs, could easily be a prime target under these new laws. Just let that sink in for a moment.
ACTION: Take action, write your local federal legislators, try to engage them in a dialogue and inform them of what our community is really about, educate anyone and everyone you can, encourage discourse on the matter before it's too late.
SUPPORT:
All the journalists and bloggers out there that have the courage to report and speak out about the truth of things.
Support groups that, on their own time, are fighting the good fight every day, like:
#MalwareMustDie
#WeAreTheCavalry
#WeAreTheArtillery
And other groups and individuals, for they are the militia of the internet as we know it!
Wednesday, January 7, 2015
(I)nternet (C)onnected (S)tuff
So yeah, there was a Target thing, a Home Depot thing, a J.P. Morgan thing and even a Sony thing. Was it bad? Yeah, sorta, if you consider that some of our largest corporations were owned in a solid manner and, in some instances, it took months to even discover the breaches. But ironically, the most discussed incursion is the Sony hack, which in retrospect is really nothing since it's just an entertainment company (this statement in no way minimizes the effect this incident had on the innocent employees and their personal information that was leaked). And yet with all the press this Sony debacle is getting these days, especially when the FBI is firmly sticking to "it was North Korea that pulled it off", people seem to have lost sight of a major area of concern for our nation's security, and that is our ICS and SCADA infrastructure.
We always hear about the IoT (Internet of Things) and how it will be a hacker's paradise, being able to make toasters and refrigerators do all sorts of dastardly deeds, but there is another IoT that concerns me more than all of the other attack vectors combined, and that is our critical infrastructure, which, according to many experts, is ripe for the picking. And if there are real nation-state actors out there that want to hurt us (and I believe there are), then they won't be popping Target, Sony or Cuisinart, they'll be targeting the systems that we rely on every day.
Just writing what I have so far, I feel like I've already rehashed a lot of what has been reported for months on end, but I also feel that the truth needs to be repeated so everyone understands just how important these issues really are to our country's very existence. Most of you work in private sector positions, fighting the good fight to keep our PII safe, and this is needed very much these days, but there is also a great need for the same kind of tenacity in the ICS/SCADA world. And, if you think it is tough to effect change in your particular organization, just think about how hard that same task is in the even larger world of the major utilities like power, nuclear, transportation, oil and gas, because when things go wrong in these areas, people can die and no cyber-insurance policy will ever be able to cover that adequately.
To be honest, I have no experience at all in any kind of ICS or SCADA environment (and very little real experience in the general infosec field), but I can say that if an event on the level of the Sony incident had happened to one of our critical infrastructure assets, then the United States would be in a very vulnerable state at this moment.
Even though the Sony story is important in a great many aspects, there are bigger fish to fry out there and we're deathly close to being in that frying pan. So if we really want to be concerned about the "nation-state" actors, we should be more concerned with our critical infrastructure and not so much with the breach of a Japanese-based entertainment company.
REVISIONS:
1. As a general note, all governmental agencies need to cooperate with our critical infrastructure firms BEFORE the $hit hits the fan, not after the fact.
2. Disclaimer: To the author's knowledge, at no time were any squirrels harmed during the writing and revising of this post. However, we do not know if they reciprocated in kind.
Note: A very special thank you to @chrissistrunk for his insight on this piece. Wanna know more about ICS? Then he's your man!