Friday, January 18, 2013

Aaron's suicide: System Contributed, Society Perpetuated

If you are unfamiliar with the circumstances surrounding Aaron Swartz's suicide, the rest of what I have to say will not make any sense to you. 

Aaron Swartz, an inspired and inspiring fellow hacker, left us by his own hand at the age of 26. This story, his story, is nothing less than tragic. The world is lesser without him. For his [alleged] ‘computer hacking crimes,’ he faced 35 years in prison, 3 years of supervised release, and fines of up to $1 million. This degree of punishment is more than someone would receive if found guilty of providing direct support to terrorists in the acquisition of nuclear weaponry. Think about that. Angry? So am I, but that's not enough.

If you believe the actions of the Massachusetts U.S. Attorney’s office, and that of prosecutors Carmen Ortiz and Stephen Heymann were atrocious, reprehensible, despicable even, and think, as Aaron's father does, their actions contributed to his son's death, I'm with ya. At least 43,666 share similar outrage with you, well, us. A White House petition is calling for Ortiz's removal from office. Burn the witch! But be careful here: if you think this will change a damn thing, that society's usual focus of rage will somehow save a future young life, and lead to some kind of social justice, that’s where we part ways.

You see, many will look at the circumstances and correctly conclude, “something is wrong here” and “something needs to change!” Unfortunately, they'll focus their rage on the wrong things, things they are told to get upset about, and mistakenly serve to protect the system that contributed to Aaron's suicide. They'll focus rage on the prosecution's behavior. They’ll focus rage on “appropriate punishment” of the crime. They’ll focus rage on amending or removing a defective CFAA law and supposed intent of that law. They’ll focus rage on obtaining social “justice.” Bzzz, wrong! Fake out!

I concede that these are normal, natural, yet systemically trained responses. Rage focused this way guarantees that more similarly minded political appointees get, well, appointed. Rage focused this way guarantees we’ll get no justice. 

Aaron’s story was never, ever about “the law” or that pesky word, “justice.” Like ~90% of cases, this was NEVER going to get to a trial. You know, the visual you get where you have rights to a judge, a jury of your peers, to call witnesses, the opportunity to confront your accusers, articulate lawyers and everything else you see on Law & Order. Like "justice," getting a trial was never on the negotiating table, where justice is supposedly decided. The prosecution didn’t want it. Aaron and his lawyers didn’t want it. This entire charade was about plea bargaining, a place where you have none of these "constitutional rights.” This case was all about the manufacturing of yet another felon, about career advancement. Look, one of Aaron's prosecutors admitted as much right here:

“I must, however, make clear that this office's conduct was appropriate in bringing and handling this case.”
Carmen Milagros Ortiz, United States Attorney for the District of Massachusetts

Please don’t waste time debating whether or not you feel the prosecution was going too far. That’s the fake out. The same fake out you’ll see in the headlines that protects the system. That answer doesn't matter. Instead, ask yourself WHY the prosecution thought their “conduct was appropriate.” That's the dangerous question few are willing to entertain. They really do think that, you know. They’re not lying. Prosecutors are trained to think that way. We train them to think that way. And from the system's perspective, it was! Appropriate.

You don’t agree? I don't blame you. If this was anything about justice, please explain to me why on the same website, in the Office of the US Attorneys’ own mission statement, does the word “justice” appear exactly nowhere.

A clever, curious, person might ask, "if not justice, what is all of this really about?" Well, if you work for the U.S. Attorney’s office, or work as any trial lawyer for that matter, your career is weighed and measured by your Win - Loss record. And in case you didn’t know, plea deals are a “Win,” for all the attorneys, no matter what side of the divide they are on. Plea deals are faster, cheaper, and again where the defendant has little to no "rights," which is why power loves 'em -- protects them.

Secondly, taking on high-profile cases like Aaron’s and “winning” are worth extra points. It gets the attorney's name out there, helps them differentiate from their peers, and advance careers. It’s all about the money and power, baby. Don’t believe me? Ask Gloria Allred. Ask Aaron’s attorney. Don't bother, Wired already did:

“Heymann [prosecutor] was looking for ‘some juicy looking computer crime cases and Aaron's case, sadly for Aaron, fit the bill,’ Peters said. Heymann, Peters believes, thought the Swartz case ‘was going to receive press and he was going to be a tough guy and read his name in the newspaper.’”

Unconvinced? Biased source, right? Check out the press release from the U.S. Attorney’s office website about the case. "Alleged Hacker Charged With Stealing Over Four Million Documents From MIT Network." Yes, that's a PRESS RELEASE! PRESS PRESS PRESS. Why does this impress you, society? And it does, because they wouldn't do it otherwise. I'll tell you what lawyers are NOT graded on: their appropriate application of that nebulous word, “justice.” Otherwise we'd see big headlines espousing that. We don't. Still too cynical for you? Maybe this will help, but it won’t make you feel better:
“Ortiz [prosecutor] said it was a generous deal her office offered, and it took into account that Swartz’s actions were not financially motivated. She said Swartz would have been confined to a “low security setting.”

Please show me where appropriate application of justice entered into the thought process, especially when there were no plaintiffs left at that point. I'd be willing to bet law school systemically eliminates justice-minded do-gooders. Now, have another look at that US Attorneys’ mission statement. See what does appear?
“United States Attorneys are appointed by, and serve at the discretion of, the President of the United States”

Ask yourself, are political appointees selected on their career merits or on the basis of their political clout? Bzzz. Sorry, trick question. The answer is already on US Attorney Carmen Ortiz’s very own Wikipedia entry. Says it right there in the second sentence, immediately after her title.

“In 2009, she was nominated to the position by President Barack Obama. Ortiz is both the first woman and the first Hispanic to serve as U.S. attorney for Massachusetts.”

Unless you count being born a woman and Hispanic as an accomplishment, the answer is plain as day. Make the boss man look good! I know this comment borders on racist, sexist. Please understand I've no intention of diminishing her personal accomplishments in this regard. I'm sure she had it tough. What we must question, as her customers, her subjects, is how this makes her qualified to administer justice. And apparently we think it does, otherwise why would her gender and ethnicity be highlighted first?

Oh, and I’m also sure the possibility of Ortiz being a potential Democrat gubernatorial candidate in Massachusetts had zero effect on things. Right.

Under these circumstances, if you change or repeal the law, so what? It was never about the law, or application of justice, remember. Go ahead, call for her dismissal. Change the political appointee in the same power structure. So what? Another similarly minded and well-trained appointee will gladly take their spot before the day is out. Focus on defining “appropriate behavior” when the incentives are perverted against justice. Good luck with that.

Do all these things. Declare your victory! Get your social justice and pound of flesh. What you'll also do is protect the system that manufactures felons and contributes to the suicide of our best and brightest. Do everything, but ask the dangerous question... WHY. WHY does basically everyone take a plea deal? WHY do prosecutors prefer them? You better ask it because it's the only justice system any of us are likely to experience. You do know most everyone is committing three felonies a day, right?

And so what if Ortiz is fired. It's not like she is going to be disbarred. She'll immediately go across the street to a private firm working the other side of the table, probably making far more money too. And if you are in a similar position as Aaron, you'll find her credentials impressive. A "former" U.S. Attorney appointed by the President of the United States, who knows all the players and the plea bargain process. Hell yeah. Because when YOU are facing hard time you'll not be the slightest bit interested in justice after all. What you want is to get off, and she's the best person for the job. Did you know Aaron's attorney, Elliot R. Peters (Partner at Keker & Van Nest LLP), previously worked in the U.S. Attorney’s Office, Southern District of New York?

Let’s explore one layer deeper into the perversity of the system. Upon Aaron’s death Federal prosecutors were forced to dismiss the charges against him. Not because of a lack of evidence, mind you, but because there is no defendant, obviously. In addition to a PR hit, we must assume a “dismissal” counts against the prosecution's Win-Loss case record. From that perspective, the prosecution did NOT want Aaron to die. They would have much preferred him to live, take a plea, or at least suffer a conviction. On the other hand, Aaron’s attorneys scored a dismissal -- a “Win.”

Whoa, whoa there. I’m not saying Mr. Peters or Keker & Van Nest LLP wanted Aaron to die. No. What I’m saying is that the system is set up such that when something like this happens, something that sparks true outrage, then that rage needs to be directed, and that the defendant's attorneys don’t lose. That’s important because otherwise they wouldn’t play along in the farce.

But that can’t be, the thought is too terrible to bear. I agree with you. Their defendant committed suicide after all. What do they do then? Aaron's attorneys immediately focus rage on the prosecution for being, what’s the word they used, “intransigent.” Whatever. They, the prosecution, are the real problem here! Right! Wrong! Whatever you supposedly chose on your own doesn't matter one bit. The point is you picked a side and played along. The point is you, society, bought it. Burn the witch!

All that happened here was Aaron died and the system won.


By the Website Vulnerability Numbers: .Net XSS Request Validation Bypass

There are a million variations of Cross-Site Scripting (XSS), some more interesting than others. Back in August 2012 a post entitled “.Net Cross Site Scripting – Request Validation Bypassing,” from Quotium, caught our eye. The filter-bypass technique they described looked extremely trivial, only a single % character was necessary, but it worked all the same.

“This is caused by the fact that although <tag> is restricted by the Request Validation filter, <%tag> is not restricted but parsed by Internet Explorer browsers as a valid tag.

http://www.vulnerablesite.com/login.aspx?param=<%tag style="xss:expression(alert(123))" >”

The other notable point was that, for some reason which may be entirely reasonable, Microsoft opted NOT to address the issue. .Net developers are advised that they must provide adequate defense on their own.

At WhiteHat Security, a big part of our job is helping them do exactly that. Our research team added checks to WhiteHat Sentinel to identify this XSS variant. In the months since, we scanned 10,000+ websites and waited to see if anything turned up. So far, we’ve identified exactly 20 websites that are vulnerable to this specific issue. Not a huge number in terms of percentage of websites, but there it is.
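The following is an added example, not code from the post, Quotium or WhiteHat: it models the Request Validation deny-list with a simplified regex (an assumption about the filter, not Microsoft's code), shows that the quoted `<%tag` payload passes it while the classic `<script>` payload does not, and shows that HTML-encoding the reflected value on output, the defense the post says .Net developers must supply themselves, neutralizes both.

```python
import html
import re

# Simplified model (an assumption for this example, not Microsoft's code) of
# what ASP.NET Request Validation rejects: a '<' followed by a letter, '!',
# '/' or '?', plus numeric character references ('&#'). A '<' followed by
# '%' does not match, which is the gap the Quotium post describes.
_DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


def request_validation_rejects(value: str) -> bool:
    """True if the simplified validator would reject this request value."""
    return _DANGEROUS.search(value) is not None


# Constructed inputs: the classic payload the filter was built to stop, and
# the '%' variant exactly as quoted from the Quotium write-up above.
CLASSIC_PAYLOAD = '<script>alert(123)</script>'
BYPASS_PAYLOAD = '<%tag style="xss:expression(alert(123))" >'

TEMPLATE_HEAD, TEMPLATE_TAIL = "<p>Welcome, ", "</p>"


def render_unencoded(param: str) -> str:
    """Reflect the parameter straight into the page (the vulnerable pattern)."""
    return TEMPLATE_HEAD + param + TEMPLATE_TAIL


def render_encoded(param: str) -> str:
    """Reflect the parameter after HTML entity encoding, so no untrusted
    '<', '>', '&' or quote reaches the markup as a control character."""
    return TEMPLATE_HEAD + html.escape(param, quote=True) + TEMPLATE_TAIL


def input_markup_survives(param: str, renderer) -> bool:
    """True if a raw '<' from the untrusted input reaches the rendered body,
    i.e. a lenient parser (the post cites Internet Explorer) could treat it
    as the start of a tag."""
    body = renderer(param)[len(TEMPLATE_HEAD):-len(TEMPLATE_TAIL)]
    return "<" in body


def summary() -> dict:
    """The four outcomes a reviewer of the vulnerable page would check."""
    return {
        "filter_blocks_classic": request_validation_rejects(CLASSIC_PAYLOAD),
        "filter_blocks_bypass": request_validation_rejects(BYPASS_PAYLOAD),
        "bypass_survives_unencoded": input_markup_survives(BYPASS_PAYLOAD, render_unencoded),
        "bypass_survives_encoded": input_markup_survives(BYPASS_PAYLOAD, render_encoded),
    }


if __name__ == "__main__":
    for name, outcome in summary().items():
        print(f"{name}: {outcome}")
```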


Thursday, January 17, 2013

httpOnly: By the [Website Vulnerability] Numbers


About a week ago Jon Passki asked me what vulnerability statistics WhiteHat Security had on httpOnly (via WhiteHat Sentinel). Vulnerability = when a website is NOT using httpOnly and it should be. For those unfamiliar, httpOnly is an HTTP cookie flag that tells supporting Web browsers to NOT allow javascript (client-side code) to read cookie values.

 Set-Cookie: <name>=<value>[; <Max-Age>=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; httpOnly]

The general purpose of httpOnly is an extra layer of defense against Cross-Site Scripting (XSS). Should an attacker attempt to exploit an XSS vulnerability, the javascript payload would not be able to steal the user’s cookies and perform session hijacking.
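As an added example (not Sentinel's check, nor code from the post), here is the kind of test a scanner runs for this issue: parse each Set-Cookie header per the format above and report session-like cookies that were set without the httpOnly flag. The sample headers are constructed, and the name-based heuristic for which cookies "should" carry the flag is an assumption of this example.

```python
from typing import Dict, List, Sequence

# Constructed sample Set-Cookie headers (not captured traffic), mixing the
# attribute spellings that servers actually emit.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "JSESSIONID=def456; Path=/; Secure",
    "theme=dark; Path=/; Max-Age=31536000",
    "auth_token=ghi789; domain=example.com; secure; httponly",
]

# Heuristic (an assumption for this example) for "should be httpOnly": the
# cookie name suggests it carries a session or authentication secret.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a dict of attributes.
    Attribute names are lower-cased, since browsers match them
    case-insensitively; a valueless attribute such as Secure or HttpOnly
    is stored as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name: str) -> bool:
    """Name-based guess that the cookie holds something worth protecting."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def cookies_missing_httponly(headers: Sequence[str]) -> List[str]:
    """Return names of session-like cookies set without httpOnly, i.e. the
    cookies client-side script could read if an XSS were exploited."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        name = str(cookie["name"])
        if looks_like_session_cookie(name) and "httponly" not in cookie["attrs"]:
            findings.append(name)
    return findings


if __name__ == "__main__":
    print("Missing httpOnly:", cookies_missing_httponly(SAMPLE_HEADERS))
```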

Anyway, let’s have a look at the vulnerability numbers. This is a snapshot as of January 17, 2013. These numbers include all [verified] httpOnly vulnerabilities identified by WhiteHat Sentinel across all websites, in all service lines, regardless of assigned severity / threat, going back to when we first began checking for the issue.

  • Total number of vulnerabilities ever identified: 523
  • Vulnerabilities [verified] closed: 91 (Remediation Rate: 17.4%)
  • Vulnerabilities re-opened at least once: 10 (Re-Open Rate: 2%)
  • Time-to-Fix (Days):
    • Standard Deviation: 88.9
    • Average: 82.2
    • Median: 45
    • Min: 0.9
    • Max: 337.2

Thursday, January 10, 2013

201x: The Year of the Security Industry Breach


Wait. Stop. Let me back up.

Back in the day, malicious hackers commonly targeted unpatched FTP, mail, and DNS servers — others brute-forced telnet ports. From a defense perspective, patch and configuration management in an enterprise environment is often difficult and expensive, particularly when there are a lot of hosts to protect. This is a leading reason why network firewalls are pervasively deployed across basically all Internet-connected organizations: to hide insecure software away from the hostile wilds of the Internet. This was the classic network response to an inherent software security problem, a problem no one from that industry ever bothered to address. What did happen was 65,536 ports became just two, 80 and 443 (Web), and developers largely just recreated the software that already existed to run on those ports, and within a Web browser.

In response, the bad guys SHIFTED.

The bad guys began focusing their attacks at the Web-layer, which is where today we see the majority of the breaches taking place and almost all of the data being lost.

During the same period of time, other digital miscreants preferred hacking operating systems, such as Windows, which for a long while was fairly trivial. The recommendation from the Information Security (InfoSec) industry, from their RSA keynote stages, was to spend more on firewalls and anti-virus software. Oh yeah, and patch, patch, patch… if you can.

Microsoft grew tired of being the security industry’s laughing stock and hacking’s path of least resistance, so they kicked off an initiative called Trustworthy Computing and invested heavily in their Software Development Lifecycle (SDL). It took some time, but their efforts in software security paid off.

How do we know? Well, the bad guys SHIFTED.

We saw that instead of predominantly targeting Windows, our cyber adversaries began exploiting the applications installed on top of the desktop. Applications like Web browsers, Microsoft Office, PDF processors, and email clients — but mostly the Web browsers. Of course the InfoSec industry said, buy more firewalls! Buy more [email and browser] AV! And sadly, a lot of people listened. Patching, yeah, that’s a good idea. Do that too! Some listened.

Then, as we saw starting around 2007, to exploit thousands, nay, millions of PCs, all one had to do was SQL Inject a vulnerable website, take your pick of millions because remember that pesky 80/443 software security problem was never solved by firewalls or AV, and lace those websites with browser-based exploits. Well-known exploits, zero-days, it didn’t matter which, few people ever kept up on browser patches anyway. Yet, more money spent on firewalls and AV just the same.

Browsers and browser vendors, Google, Microsoft, and Mozilla, then took their turn in the exploitation crosshairs, feeling the pain of a lack of adequate software security in their respective products. Browser exploitation became a leading cause of malware propagation. As we could expect, they didn’t much like that position, that reputation, even when offering a $0 application. Users expected the software to be secure. Browser vendors had to get serious about software security, and you know what, they did!

How do we know? Wait for it… the bad guys SHIFTED!

If you notice, the bad guys next began targeting browser plug-ins, namely Flash and Java. Yep, that software already installed in just about everyone’s browser. That software riddled with vulnerabilities. That software rarely patched by the end-user. Adobe (Flash) and Oracle (Java) are working through their own software security nightmare right now.

The browser vendors, not content to wait for Adobe and Oracle, are taking their own steps to protect their platforms, like Microsoft did by offering up ASLR and DEP. They are alerting, disabling or unbundling outdated plugins, if not actively uninstalling them altogether, and making sure technology exists so as not to need them at all. See HTML5.

Give the situation 6 months. Give it a year. It’s difficult to say when exactly, but eventually browser hacking, including the plugins, will get sufficiently difficult to warrant another SHIFT. So where will the bad guys focus next? That’s the billion dollar question. My bet is not “mobile.” While that day may come too, I think it’ll be “security products” that are targeted first.

Think about it. Security products such as IPS, DLP, WAFs, the various deployment forms of AV software, and so on are pervasive across enterprise networks and end-user PCs. These products are designed to parse and analyze data from unknown origins, making them ripe for haxoring. Their makers, the InfoSec Industry, never really had an emphasis on “software security,” if they even know what that concept is, and they are notoriously bad at handling vulnerability disclosure — a sure sign of immaturity. Their only training is in how to sell more firewalls and AV.

Imagine an email specifically designed to exploit a system, but only one protected by an anti-virus email gateway. A piece of Web page code that exploits a browser, but only those protected by anti-virus software. Incoming Web traffic whose goal is to compromise an IPS or WAF itself, not necessarily the website behind it.

None of this is far fetched. In fact, the writing is already on the wall. Just look at what Tavis Ormandy did recently to Sophos’s products in his spare time. No one should be naive enough to believe this is an anomaly. How many zero-days do you think are yet to be found in that software? What about other AV products? What about all the other security products out there? Juicy untouched zero-day heaven, that’s what it is. Oh right right, we know the answer we’ll be given. Buy more firewalls and AV! And of course people will listen, but what for? To protect insecure firewalls, insecure AV, and the other insecure security products? Please.

I’m sure the industry apologists will also predictably say, “there is no silver bullet,” as if that somehow absolves responsibility for shipping risk increasing products.

Hacktivists, cyber-criminals, nation-state sponsored APT, however we label them, we’ve witnessed how our adversaries select their targets, and especially the method of attack, typically by the path of least resistance. One vulnerability is all a bad guy really needs, and the first and easiest one to identify and exploit will do just fine. So when one path of attack doesn’t work or becomes too difficult, the bad guys will shift. Reporters and PR agencies, get your digital ink ready, we’re in for a bumpy ride.