Archive for January, 2009

Oh how I hate Exchange

Saturday, January 31st, 2009

Having done system admin work as a freshman college student, I have tremendous respect for the struggles that people throw at the admins. Since a fiasco a few months back with Gmail, I’ve been hosting my own Exchange server. Yes, that’s almost sacrilege to fellow Linux fans out there. But honestly, I like the ability to sync email/contacts/schedules across multiple devices, so I’m addicted to the features that Exchange provides. That being said, Exchange is the most fickle, irritating service known to man. It seems to enjoy crashing, and that is why I’m awake at 3:50 tonight.

The only positive thing about these incidents is that I’m teaching myself the intricacies of small changes and detailed backup processes.

Dreams Come True (maybe)

Tuesday, January 27th, 2009

Friends pointed out this article to me today:

Verizon Adds Femtocell for Home Cell Calls

On Monday, Verizon Wireless announced its entry into the market for femtocells, small home routers expressly designed to allow mobile phones to place crystal-clear calls even while indoors. Verizon’s “Network Extender” device is priced at $249.99, a flat fee that will not be supplemented – or subsidized – by any monthly pricing. The device is manufactured by Samsung.

Sprint also provides a similar device, the Airrave, while T-Mobile’s HotSpot@Home uses Wi-Fi to connect its handsets. To date, AT&T has not announced a femtocell offering.

Verizon uses the home’s broadband connection as a backhaul, essentially translating the cellular call into a VOIP connection. Who needs it? People in rural areas that may live on the outskirts of a cell site, Verizon said. According to Verizon, the femtocell provides an additional 5,000 square feet of coverage. One drawback: EV-DO is not supported, including those services that depend on it, Verizon said.

Using the Network Extender doesn’t use up any minutes on the user’s plan, Verizon added.

“Our new Network Extender device will bring the full benefit of the Verizon Wireless voice network to the small but important segment of customers who may experience a weaker signal in their homes because of geographic or structural conditions,” said Jack Plating, executive vice president and chief operating officer of Verizon Wireless, in a statement. “Current and prospective customers have told us they want this, and we are responding to that demand. For those who have wanted to sign up for Verizon Wireless service but hesitated because of reception problems unique to their home location, this is the answer.”

The service is open to Verizon customers as well as Family SharePlan members, the company said. But Verizon customers can also use a built-in management program on the Wireless Network Extender to prevent neighboring Verizon subscribers from placing unauthorized calls.

The Wireless Network Extender will be available from Verizon Wireless stores and through its Web site, the company said.

I don’t have a Verizon cell phone, but I do have a Verizon data card. I’m very excited about this. Besides being fixed price and likely a huge help in some places, it’s likely a means to observe cell traffic via IP. I’m sure there’s some sort of protection, but the data is physically accessible, so that’s very exciting to me. I ordered it already and will post initial thoughts once I get it up and running.

Shmoocon 09

Tuesday, January 27th, 2009

Shmoocon is just around the corner (Feb 6-8). G2 is sending a large crowd this year. We’re going to do the typical vendor thing with a booth. We also have Rock Band and are going to host a contest Saturday night (with cash prizes). The fun, though, should be speaking with the technical staff. There are a couple of projects that are particularly interesting, such as BlueGlue, Fightclub, and our phishing service. Not to be too much of a sleazy business guy, but I hope you stop by. The stuff is cool to me.

Segfaults in Linux

Tuesday, January 27th, 2009

Being a paranoid security guy, I do manually look at logs from time to time. Recently, I was looking at /var/log/messages and noticed a lot of segfaults. I’m running nmap against several class Bs for a big engagement. But two interesting things: nmap segfaulted (more on that in a later post), and it was randomly in my log.

Jan 25 14:16:12 eru kernel: nmap[14831]: segfault at 00000000 eip 0808b1e3 esp bfdc9e00 error 4

I thought that maybe nmap’s exception handling called syslog and was graceful enough to crash with a message. An hour of grepping and I couldn’t find it. Next, I thought, well, maybe they’re using the libpcap drivers to write out the message inside an LKM. Well, there is some of that, but my message wasn’t there. Frustrated, I wrote a simple program that would receive a buffer overflow.

[root@eru tmp]# less segfault.c
/* Deliberately vulnerable: copies argv[1] into a 10-byte stack buffer
 * with no bounds check, so a long argument overflows the stack frame
 * and the process dies with SIGSEGV. Run with at least one argument. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buf[10];

    strcpy(buf, argv[1]);   /* unbounded copy: the overflow under test */

    return 0;
}

So the test:

[root@eru tmp]# ./segfault AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault
[root@eru tmp]# Jan 27 10:24:50 eru kernel: segfault[26006]: segfault at 4141413d eip 08048459 esp 4141413d error 4

So yes, the kernel is catching exceptions and logging them. It’s awesome. Googling, it seems like this feature was added around ’07. I guess I’m slow, but most of my friends weren’t readily aware of it. Also, the instruction 4141413d requires a little investigation. It should be 41414141 (AAAA). I’m guessing the 3d is some sort of stack protection, but it’s been so long since I’ve done exploit dev in Linux that I don’t recall exactly what’s going on. I’m very excited about this feature though. :)
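As an added example (my own code, not from the post), here is a small Python triage script for kernel segfault lines like the ones above: it parses the i386 "segfault at … eip … esp … error …" format, decodes the hardware page-fault error code the kernel prints (in hex), and flags crashes whose addresses look like printable ASCII fill, the signature of a string overflow clobbering pointers. The first two sample lines are the post’s own; the httpd and sshd lines are constructed.

```python
"""Parse and triage kernel 'segfault at' log lines (i386 format) from syslog."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample log: first two lines are from the post, the httpd and sshd lines are constructed.
SAMPLE_LOG = """\
Jan 25 14:16:12 eru kernel: nmap[14831]: segfault at 00000000 eip 0808b1e3 esp bfdc9e00 error 4
Jan 27 10:24:50 eru kernel: segfault[26006]: segfault at 4141413d eip 08048459 esp 4141413d error 4
Jan 27 10:31:02 eru kernel: httpd[2231]: segfault at 41414141 eip 41414141 esp bffff6d0 error 14
Jan 27 10:32:15 eru sshd[2300]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
"""

# i386 format only ("eip"/"esp"); x86_64 kernels print "ip"/"sp" instead.
SEGFAULT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<comm>\S+?)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-fA-F]+) "
    r"eip (?P<eip>[0-9a-fA-F]+) esp (?P<esp>[0-9a-fA-F]+) error (?P<err>[0-9a-fA-F]+)$"
)

# x86 page-fault error code bits (hardware-defined); the kernel prints the code in hex.
ERR_PRESENT = 0x01  # set: protection violation; clear: page not present
ERR_WRITE = 0x02    # set: write access; clear: read access
ERR_USER = 0x04     # set: fault in user mode; clear: kernel mode
ERR_IFETCH = 0x10   # set: instruction fetch (NX-enabled systems)


@dataclass
class Segfault:
    ts: str
    host: str
    comm: str
    pid: int
    addr: int  # faulting address
    eip: int   # instruction pointer at the fault
    esp: int   # stack pointer at the fault
    err: int   # page-fault error code


def parse_segfault(line: str) -> Optional[Segfault]:
    """Return a Segfault for a kernel segfault line, or None for anything else."""
    m = SEGFAULT_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return Segfault(
        ts=g["ts"], host=g["host"], comm=g["comm"], pid=int(g["pid"]),
        addr=int(g["addr"], 16), eip=int(g["eip"], 16),
        esp=int(g["esp"], 16), err=int(g["err"], 16),
    )


def scan(text: str) -> List[Segfault]:
    """Extract every segfault record from a block of syslog text."""
    return [sf for sf in (parse_segfault(l) for l in text.splitlines()) if sf is not None]


def describe_error(err: int) -> str:
    """Human-readable decoding of the page-fault error code."""
    parts = [
        "protection violation" if err & ERR_PRESENT else "page not present",
        "write" if err & ERR_WRITE else "read",
        "user mode" if err & ERR_USER else "kernel mode",
    ]
    if err & ERR_IFETCH:
        parts.append("instruction fetch")
    return ", ".join(parts)


def looks_like_ascii_fill(value: int) -> bool:
    """True if all four bytes of a 32-bit value are printable ASCII (e.g. 0x41414141)."""
    return all(0x20 <= ((value >> s) & 0xFF) < 0x7F for s in (0, 8, 16, 24))


def triage(sf: Segfault) -> List[str]:
    """Flags a defender would want on a crash record."""
    flags = []
    if sf.addr == 0:
        flags.append("null-deref")
    # eip equal to the faulting address, or an instruction fetch fault, means
    # control flow was redirected to an unmapped address: a hijacked pointer.
    if sf.eip == sf.addr or sf.err & ERR_IFETCH:
        flags.append("control-flow-hijack")
    if any(looks_like_ascii_fill(v) for v in (sf.addr, sf.eip, sf.esp)):
        flags.append("ascii-fill")
    return flags


if __name__ == "__main__":
    for sf in scan(SAMPLE_LOG):
        print(f"{sf.ts} {sf.comm}[{sf.pid}] addr={sf.addr:08x} eip={sf.eip:08x} "
              f"esp={sf.esp:08x} [{describe_error(sf.err)}] flags={triage(sf)}")
```

The second record (the post’s own test program) is flagged ascii-fill because both the faulting address and esp are 0x4141413d, all printable bytes; the constructed httpd line shows what a redirected eip looks like in the same format.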

Hacking the Hill

Wednesday, January 21st, 2009

Saturday, Dec. 20, 2008
by Shane Harris

On October 26, 2006, computer security personnel from across the legislative branch were informed that the Congressional Budget Office had been hit with a computer virus. The news might not have seemed extraordinary. Hackers had been trying for years to break into government computers in Congress and the executive branch, and some had succeeded, making off with loads of sensitive information ranging from codes for military aircraft schedules to design specifications for the space shuttle.

Employees in the House of Representatives’ Information Systems Security Office, which monitors the computers of all members, staffers, and committee offices, had learned to keep their guard up. Every year of late, they have fended off more than a million hacking attempts against the House and removed any computer viruses that made it through their safeguards. House computers relay sensitive information about members and constituents, and committee office machines are especially loaded with files pertaining to foreign policy, national security, and intelligence. The security office took the information from the CBO attack and scanned the House network to determine whether any machines had been compromised in a similar fashion.

They found one. A computer in one member’s office matched the profile of the CBO incident. The virus seemed to be contacting Internet addresses outside the House, probably other infected computers or servers, to download malicious files into the House system. According to a confidential briefing on the investigation prepared by the security office and obtained by National Journal, security employees contacted the member’s office and directed staffers to disconnect the computer from the network. The briefing does not identify the member of Congress.

Apparently worried that the virus could have already infected other machines, security personnel met with aides from the member’s office and examined the computer. They confirmed that a virus had been placed on the machine. The member’s office then called the FBI, which employs a team of cyber-forensic specialists to investigate hackings. The House security office made a copy of the hard drive and gave it to the bureau.

“Somebody with a wireless device in China should expect it to be compromised while he’s there.” — Joel Brenner

Upon further analysis, the security office found more details about the nature and possible intent of the hack. The machine was infected with a file that sought out computers outside the House system to retrieve “malware,” malicious or destructive programs designed to spy on the infected computer’s user or to clandestinely remove files from the machine. This virus was designed to download programs that tracked what the computer user typed in e-mail and instant messages, and to remove documents from both the hard drive and a network drive shared by other House computers. As an example of the virus’s damage, the security office briefing cited one House machine on which “multiple compressed files on multiple days were created and exported.” An unknown source was stealing information from the computer, and the user never knew it.

Armed with this information about how the virus worked, the security officers scanned the House network again. This time, they found more machines that seemed to match the profile — they, too, were infected. Investigators found at least one infected computer in a member’s district office, indicating that the virus had traveled through the House network and may have breached machines far away from Washington.

Eventually, the security office determined that eight members’ offices were affected; in most of the offices, the virus had invaded only one machine, but in some offices, it hit multiple computers. It also struck seven committee offices, including Commerce; Transportation and Infrastructure; Homeland Security; and Ways and Means; plus the Commission on China, which monitors human rights and laws in China. Most of the committee offices had one or two infected computers. In the International Relations Committee (now the Foreign Affairs Committee) office, however, the virus had compromised 25 computers and one server.

The House security office contacted the committees’ employees and all of the members’ offices, and removed the infected computers and servers. The House’s technical-support center sent an advisory to all systems administrators, reminding them of safe computing practices, such as not opening links in e-mails from unknown sources. The House security office determined that whoever infected the machines had probably tricked users into visiting a website or clicking on a link in an e-mail or instant message that downloaded an infectious file; the virus then exploited as many of the computer’s vulnerabilities that it could detect. A diagram in the security briefing shows how the virus, once it penetrated the computer, made multiple attempts to download different kinds of malicious software.

The hacker or hackers — it’s unclear whether more than one was involved — attempted to evade detection by using an array of attack methods and downloading malicious files from various Internet addresses. The hacker was likely using many other infected machines as launching pads, making it essentially impossible to stop the attacks completely and exceptionally difficult to know where the hacker was located. It’s relatively easy for an attacker to mask his or her location by communicating through layers of infected computers and servers around the world.

The confidential briefing does not say where the hacker was, nor does it attribute the attack to a particular group or country. Such information is notoriously difficult for investigators to ascertain. But according to some members of Congress whose machines were infected, the attack described in the briefing emanated from China and was probably designed to steal sensitive information from lawmakers’ and committee offices.

Chinese Traces

That allegation and others about Chinese cyber-espionage lie at the heart of a simmering controversy over Chinese or China-supported hacking of U.S. government computer systems. As National Journal reported earlier this year, computer hackers, who several investigators and senior government officials believe are based in China and sometimes work on the Chinese government’s behalf, have penetrated deeply into the information systems of U.S. corporations and government agencies.

The hackers have reportedly stolen proprietary information from executives and even one Cabinet secretary in advance of business meetings in China. Some sources contend, moreover, that Chinese hackers may have played a role in two major power outages in the United States. Power companies and outside investigators call such allegations demonstrably untrue, but many cyber-security professionals express considerable anxiety about the vulnerability of U.S. networks.

Concern about China is so great that, only hours before the opening ceremonies of the Olympic Games in Beijing last summer, the United States’ top counterintelligence official, Joel Brenner, warned American visitors to leave their cellular phones and wireless handheld computers at home. “Somebody with a wireless device in China should expect it to be compromised while he’s there,” Brenner said on CBS News. “The public security services in China can turn your telephone on and activate its microphone when you think it’s off.” For those who were required or determined to take their electronic equipment, Brenner advised that they remove the batteries when they were not using the device.

Chinese sources were at the root of the hack on members of Congress in 2006, according to some lawmakers. In an interview with National Journal last summer, Rep. Mark Kirk, R-Ill., said that the virus described in the House’s confidential briefing had infected a machine in his office. House security personnel informed him of the infection, Kirk said, and he called the FBI.

Kirk then co-chaired the House U.S.-China Working Group, whose members had met with 11 Chinese business leaders less than a year earlier to discuss bilateral trade issues. The group has held monthly meetings to foster a diplomatic dialogue between Chinese and U.S. officials. Kirk said that his office’s infected computer was trying to contact Internet addresses that “eventually resolved themselves in China.” He hastened to add, “Obviously, you don’t know who is the real owner or operator of the [Internet] address.”

“On these computers was information about all of the casework I have done on behalf of political dissidents and human-rights activists around the world.” — Frank Wolf

The breach could be viewed through one of two lenses, Kirk said. “The bad view” is that Chinese intelligence sources were trying to spy on a member of Congress. The “good view” holds that Chinese citizens, who read about the commission’s work in the media, hacked Kirk’s computer out of frustration or retribution. But this attack profile, Kirk said, “looked toward the criminal side.”

“Hacking into a congressional computer is a serious offense,” he said. Although Kirk said he didn’t know what files, if any, the hacker had pilfered, he assumed that the intruder wasn’t looking for information about Kirk’s constituents in Illinois. He concluded that the hacker was more interested in his China policy. “At that point,” Kirk said, “it seemed what we had was a case of overseas espionage.”

This past June, Rep. Frank Wolf, a Republican from Northern Virginia, took to the House floor and announced that four of his office’s computers “were compromised by an outside source.”

“On these computers,” he said, “was information about all of the casework I have done on behalf of political dissidents and human-rights activists around the world.” Wolf is an outspoken critic of China’s human-rights policies.

“That kind of information, as well as everything else on my office computers — e-mails, memos, correspondence, and district casework — was open for outside eyes to see,” Wolf said. And then, without naming names, he added, “Several other members were similarly compromised.”

Wolf said he had met with staff from the House Information Resources office and with FBI officials. “It was revealed,” he said, “that the outside sources responsible for this attack came from within the People’s Republic of China.” A spokesperson for Wolf told NJ that the intrusion he spoke of on the House floor is the same attack described in the confidential briefing obtained by National Journal and prepared by the House information security office. That briefing states that Wolf was one of the eight members affected, and that four of his machines were hit — the same number that Wolf cited publicly. In his floor remarks, Wolf said that his computers were found to have been compromised in August 2006, two months before the House Information Systems Security Office scanned the network for possible infections.

Keeping It Secret

The pervasive nature of the 2006 attack begs a question: Why didn’t members of Congress publicly disclose these breaches sooner? Wolf offered one answer.

“Despite everything we read in the press, our intelligence, law enforcement, national security, and diplomatic corps remain hesitant to speak out about this problem,” Wolf said on the House floor. “Perhaps they are afraid that talking about this problem will reveal our vulnerability.” He then added, “I have been urged not to speak out about this threat.”

Wolf didn’t say who urged him to remain silent. Kirk, whose office was also hit, said he spoke with Wolf before his remarks. Wolf wanted to publicly raise the issue of cyber-security to bring more attention to the problem, Kirk said. Kirk was more interested in finding the culprits.

“My objective was to get even with these guys and nail them. My objective was to tell the FBI as much detail as I can so we can go after them.” — Mark Kirk

“My objective was to get even with these guys and nail them,” he said. “My objective was to tell the FBI as much detail as I can so we can go after them.”

In his speech, Wolf urged his colleagues to raise their level of awareness, and he exhorted the executive branch to open up. “I strongly believe that the appropriate officials, including those from the Department of Homeland Security and the FBI, should brief all members of Congress in a closed session regarding threats from China and other countries against the security of House technology, including our computers, BlackBerry devices, and phones,” Wolf said.

Wolf’s outspokenness met resistance, Kirk said. “I think a number of people came to Frank and said, ‘Back off. Don’t do this,’ ” Kirk said. He declined to say who had approached Wolf. But he said that “some parts of the government” favor keeping systems open to track attackers, but they aren’t inclined to talk about it openly.

Both the intelligence community and the military use cyber-monitoring tools that are essentially the same as those directed against U.S. government systems. The Air Force, in particular, considers cyberspace to be a new battleground; the service has reportedly developed a formidable capacity to inflict damage on other nations’ computers and electronic infrastructure.

Learning Curve

Many members of Congress, it seems, may also be uninterested in talking about their cyber-vulnerabilities — not because they aren’t concerned about them but because they don’t understand them.

Wolf has said that in discussing the threat with colleagues, he has found that members don’t realize their computers are tantalizing targets. One cyber-security expert says that Wolf is probably right but that members’ ignorance doesn’t mean they’re indifferent.

“As a member of Congress, you have so many issues competing for your attention and, historically, cyber-security hasn’t been one that’s won out,” said Amit Yoran, who was the first director of the National Cyber Security Division in the Homeland Security Department. “It’s not an issue that is particularly well tracked by their constituents.”

Moreover, Yoran said, lawmakers can also fall victim to their own demands. “In Congress, you’ve got an organization full of a lot of senior executives.” Just as in the executive branch or in the private sector, members want to be treated like CEOs. They have “very high support requirements,” Yoran said. Put another way, if members of Congress want their computers to access a certain website or run a particular program, they don’t ask for technical support — they demand it.

That mind-set makes it exceptionally difficult to protect congressional computers in a uniform fashion. The House and Senate could enact the strictest security policies imaginable, but if members and their aides ignore the policies or ask for exceptions, security degrades.

No one understands that better than the office in charge of protecting members’ computers — the House Information Systems Security Office. “I can say, comfortably, that the level and quality of expertise within the security department, the IT department, of the House, is very strong,” Yoran said. “The Senate as well.” The confidential briefing on the 2006 breach bolsters Yoran’s assessment. It is clearly written and demonstrates that the security office understands the dynamic nature of cyber-intrusions.

Yoran emphasized, however, that between expertise and adequate security, “there’s a lot of ground.” Members and their staffers must decide whether to follow security procedures — and perhaps too often, they don’t want to be bothered.

Who Should Lead?

Congress is more than a tempting and sometimes easy target. Lawmakers also have oversight responsibility for the security of executive branch networks, and they make decisions that affect all U.S. telecommunications systems.

Members make the laws that set security policies and standards for government systems. They issue an annual report card and other assessments on how well the government is meeting those standards. Slowly but increasingly, lawmakers are writing statutes aimed at stiffening the penalties for computer intrusion and at defining hacking more clearly as a crime.

Yet Congress’s repeated run-ins with cyber-thieves and hackers don’t appear to have focused lawmakers’ oversight efforts. Last week, the Center for Strategic and International Studies, the Washington think tank noted for its defense policy research, released a highly anticipated cyber-security assessment for President-elect Obama. The study group included experts from a range of disciplines and industries, and was co-chaired by two members of Congress: Reps. Jim Langevin, D-R.I., and Michael McCaul, R-Texas.

The report, a year in the making, is almost entirely devoted to cyber-security recommendations for the next president. It devotes only one page to Congress’s role, perhaps with good reason. The panel essentially concludes that Congress cannot manage cyber-security.

The root of the problem, the report said, lies in Congress’s inconsistent, almost feudal, approach to oversight. “The fragmentation of oversight complicates efforts to improve homeland security, and cyber-security shares in this problem,” the authors wrote. The Homeland Security Department, which is responsible for securing civilian government networks, “has far too many oversight committees — more than 80 — exercising jurisdiction.”

The CSIS study group discussed whether that jurisdiction should be streamlined, a simple enough task on the surface. House and Senate rules don’t explicitly give jurisdiction over cyber-issues to any committees, and congressional leaders could limit responsibility to a more manageable number of lawmakers. The study group certainly thought that was a good idea. “Without rules changes that provide clear jurisdiction, responsibility for investigation, oversight, and policy development in cyber-security will depend largely on member interest and the ability of committees to coordinate with each other,” the report stated.

The study group stopped short of formally recommending that Congress take that step, however. In large measure, that’s because the CSIS recommendations were meant for the president-elect, not the speaker of the House and the majority leader of the Senate. But the panel also concluded that cyber-security — protecting critical networks not only from espionage but also from tampering and potential control by outsiders — was of such importance and magnitude that only the president could take charge of it. Indeed, the authors titled their report “Securing Cyberspace for the 44th Presidency.”

“The president could engage [congressional] leaders in a discussion to streamline jurisdiction,” the report said, “but jurisdictional consolidation would not produce the immediate improvement in cyber-security that our other recommendations offer.” The panel wants Obama to take charge of cyber-security and make the White House its political nerve center. It recommended that he create a new office for cyberspace in the Executive Office of the President that would work closely with the National Security Council, “managing the many aspects of securing our national networks while protecting privacy and civil liberties.” Any attempt to broadly secure cyberspace will, by necessity, involve close scrutiny of the information traveling through it, including e-mails, instant messages, and, increasingly, telephone calls.

The study group also recommended that Obama appoint an assistant for cyberspace and establish a Cyber-Security Directorate in the NSC. To support that directorate, the experts recommended a National Office for Cyberspace, which would be directed by the president’s cyber-assistant.

“The new administration has to take rapid action to improve cyber-security, and streamlining congressional jurisdiction isn’t one of those actions,” said James Lewis, a CSIS senior fellow and the director of its public policy program. He led the study group.

“The legislative process is deliberative,” Lewis said. “It has to move at its own pace on questions like jurisdiction, but there are things the executive branch can and should do without waiting.”

Top cops urge greater focus on cybersecurity

Monday, January 19th, 2009

Shawn Henry, assistant director of the FBI’s cyber division, told attendees at the International Conference on Cyber Security in New York on Tuesday that cyber attacks on critical infrastructure come second in importance only to the threat of weapons of mass destruction, Agence France-Presse reported. Deputy Attorney General Mark R. Filip echoed the sentiment on Wednesday, stating that organized criminals are becoming more adept at using the Internet for large, complex schemes.

“We must secure our cyber infrastructure in a manner that addresses threats from foreign armies, adversary intelligence services, criminals and terrorists,” Filip stated in prepared remarks. “It’s hard to exaggerate how important this is or how hard it is to accomplish fully.”

The U.S. government looks ready to treat cybersecurity much more seriously in 2009. The Bush Administration made some significant investments in cyber security, through its Federal Desktop Core Configuration program and the Comprehensive National Cybersecurity Initiative. While the Obama Administration has not yet announced its intended policy, a group of policy, industry and technology experts recommended last month that the new administration create a top cyber post in the White House. Already, two major government contractors — Boeing and Lockheed Martin — are pushing their own cyber services divisions to compete for government dollars.

While increased spending is necessary to create more secure cyber infrastructure, the DOJ’s Filip stressed that cooperation between governments is also a necessary part of the equation. The DOJ official pointed to the concerted action against a Romania-based organized cybercrime gang, which resulted in nine U.S. arrests, as an example of the cooperation needed between governments to tackle cybercrime.

“We’re now living in a world where technology moves much faster than the government typically moves, and where our adversaries are anxious to exploit every vulnerability that technological change can offer,” Filip stated.

Wow… it wasn’t phishing

Friday, January 16th, 2009

So I got this email the other day:

-----Original Message-----
From: Schwabplanmessenger@schwab.com [mailto:Schwabplanmessenger@schwab.com]
Sent: Friday, January 09, 2009 1:15 PM
To: Matthew Wollenweber
Subject: Schwab Retirement Plan Quarterly Statement

Dear MATTHEW WOLLENWEBER:

Your quarterly retirement plan benefits statement is attached.  This secure, electronic statement replaces your paper statement at your request.

Before opening the file we recommend you save the attachment as an html file using .html as the file extension.  You may also double-click on the attachment to open it directly.  You are required to enter your User ID and PIN to access your information.

Your company retirement plan is one of the best opportunities you will ever have to save for your future.  Visit schwabplan.com anytime to access or make changes to your account, check performance or use the planning tools. If you have any questions about your retirement account or want to know more about saving and how Schwab can help, please call us at 1-800-724-7526. We’re here Monday-Friday from 7 a.m. to 11 p.m. Eastern Time.  You can also email us at schwabplan@schwab.com if you have any questions about accessing your statement.  Please do not reply to this email.

Thank you.

Sincerely,

Catherine Miller
Vice President, Client Services

Your statement was sent through our encryption process which uses highly secure, industry standard algorithms.  The encryption process between you and Schwab assures the highest levels of confidentiality for critical and sensitive data on public networks. Your password is hashed with 160 bit encryption with a large random number. This hash is then used along with the chosen encryption algorithm to encrypt your statement.

All e-mail sent to or from the Charles Schwab corporate email system is subject to archival, monitoring and/or review by Schwab personnel.

I thought for sure it was spam. I mean “download this html file, run it, enter your SSN and password”. How could it not be phishing? Well, I checked the headers, it came from Charles Schwab. I emailed them, just to make sure it really came from them… I got a response, it did. WTF? Who does this?

Now, I suppose you’re thinking “well dumbass just look at the source and see what it’s doing”. I did, it is this nasty crypto stuff delivered by obfuscated javascript and I really wasn’t motivated enough to spend time on it. Despite that, I can’t get over the whole idea of the message. All I can say is “who does that?”

Congressman seeks discussion on House cybersecurity

Wednesday, January 14th, 2009

Dan Kaplan
January 07, 2009

One of two federal lawmakers who disclosed last summer that their office PCs were infiltrated by foreign hackers is calling on House leaders to schedule a special Congressional meeting on cybersecurity.

The bipartisan session would be held to raise awareness of the growing threats posed by cybercriminals, according to a Monday letter from Rep. Frank Wolf, R-Va.

Wolf wrote letters on Monday to House Speaker Nancy Pelosi, House Majority Leader Steny Hoyer, House Rules Committee Chairwoman Louise Slaughter, Minority Leader John Boehner and ranking Republican on the House Rules Committee David Dreier.

The letters, first published by the National Journal, requested the “secret session” be held within the first 50 days of the new Congressional session, which opened Tuesday. The meeting seeks to address threats to House information security, risks to lawmakers traveling abroad and efforts being made to secure House networks and portable devices.

Last June, Wolf said that four of his Capitol Hill machines were compromised in August 2006 by hackers attempting to steal confidential information. Rep. Chris Wolf, R-N.J., who appeared with Wolf at a press conference, also disclosed that hackers, believed to be from China, took over some of his office computers.

Other lawmakers also were affected, according to reports.

Chinese officials have denied responsibility.

“It is logical to assume that critical and sensitive information about U.S. foreign policy and the work of Congress was open to view from these official computers,” Wolf said in the letter.

He said Congress held discussions on the incidents in September, but the meetings had poor attendance.

“I fear that members are no better informed today than they were before,” he said.

Interview with an Adware Author

Tuesday, January 13th, 2009

Jan 12th, 2009 by sherri

Matt Knox, a talented Ruby instructor and coder, talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for allegedly surreptitiously installing adware on millions of computers.)

S: You wrote adware. You bastard.

M: [sheepishly] Yes, I did.  I got to write half of it in Scheme, which probably means that I deployed more Scheme runtime than anybody else on the planet.

S: Let’s back up a second. Why did you write adware?

M: I was utterly and grindingly broke for a little while.  I started working on SPAM filtering software. That work got noticed by [Direct Revenue], who hired me to analyze their distribution chain.  For a little while, the site through which all their ads ran was something like top 20 in Alexa. Monstrous, really huge traffic. Maybe 4 or 5 months into my tenure there, a virus came out that was disabling some of the machines that we had adware on. I said, “I know enough C that I could kick the virus off the machines,” and I did. They said “Wow, that was really cool. Why don’t you do that again?” Then I started kicking off other viruses, and they said, “That’s pretty cool that you kicked all the viruses off. Why don’t you kick the competitors off, too?”

It was funny. It really showed me the power of gradualism. It’s hard to get people to do something bad all in one big jump, but if you can cut it up into small enough pieces, you can get people to do almost anything.

S: Did you feel this was the gently sloping path to Hell?

M: Oh yeah! Absolutely. [ laughs ] I actually believe that if you sum up everything I did it comes out positive, if only because I kicked off an awful lot more adware than I installed.

S: What was Direct Revenue’s business model?

M: Their business model was that they would buy a screensaver from somebody, or develop it themselves. It would be some stupid thing like a guy who’s washing their screen. Looks like a window washer guy? They’d say “Hey, if you want this, install our adware and you can have it for free.” An astonishing number of people will do that.

S: What did they call it? I presume they didn’t call it “adware.”

M: The good distributors would say, “This is ad-supported software.” Not-so-good distributors actually did distribute through Windows exploits. Also, some adware distributors would sell access. In their licensing terms, the EULA people agree to, they would say “in addition, we get to install any other software we feel like putting on.” Of course, nobody reads EULAs, so a lot of people agreed to that. If they had, say, 4 million machines, which was a pretty good sized adware network, they would just go up to every other adware distributor and say “Hey! I’ve got 4 million machines. Do you want to pay 20 cents a machine? I’ll put you on all of them.” At the time there was basically no law around this. EULAs were recognized as contracts and all, so that’s pretty much how distribution happened.

S: Your company’s not one of those that would leverage exploits in order to get software on people’s computers?

M: We didn’t, no. Some of the distributors certainly did. If we found out a distributor was doing that, we’d say “Now we’re not going to distribute with you any more,” and we’d try to get off those machines.

The thing that I had a real problem with was the persistence work that I was doing.  This made it difficult for competitors to kick us off the machine. It was effectively impossible for a civilian to get us off the machine– unless they went through our uninstall process. You had to go to some web site, download an uninstaller, take a short survey about why they were getting rid of us, and then it would actually remove us and we would also leave a Registry key to make sure we didn’t reinstall.  Sadly, some misguided antivirus and anti-adware software would go in and remove that, which therefore meant that we would reinstall again.

S: Can you tell me more about your strategies for persistence?

M: Yes. I should probably first speak about how adware works. Most adware targets Internet Explorer (IE) users because obviously they’re the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you’re using IE, then either you don’t care or you don’t know about all the vulnerabilities that IE has.

IE has a mechanism called a Browser Helper Object (BHO) which is basically a gob of executable code that gets informed of web requests as they’re going. It runs in the actual browser process, which means it can do anything the browser can do– which means basically anything. We would have a Browser Helper Object that actually served the ads, and then we made it so that you had to kill all the instances of the browser to be able to delete the thing. That’s a little bit of persistence right there.

If you also have an installer, a little executable, you can make a Registry entry and every time this thing reboots, the installer will check to make sure the BHO is there. If it is, great. If it isn’t, then it will install it. That’s fine until somebody goes and deletes the executable.

The next thing that Direct Revenue did– actually I should say what I did, because I was pretty heavily involved in this– was make a poller which continuously polls about every 10 seconds or so to see if the BHO was there and alive. If it was, great. If it wasn’t, [ the poller would ] install it. To make sure the poller was less likely to be detected, we developed this algorithm (a really trivial one) for making a random-looking filename that was consistent per machine but was not easy to guess. I think it was the first 6 or 8 characters of the DES-encoded MAC address. You take the MAC address, encode it with DES, take the first six characters and that was it. That was pretty good, except the file itself would be the same binary.  If you md5-summed the file it would always be the same everywhere, and it was always in the same location.

Next we made a function shuffler, which would go into an executable, take the functions and randomly shuffle them. Once you do that, then of course the signature’s all messed up. [ We also shuffled ] a lot of the pointers within each actual function. It completely changed the shape of the executable.

We then made a bootstrapper, which was a tiny tiny piece of code written in Assembler which would decrypt the executable in memory, and then just run it. At the same time, we also made a virtual process executable. I’ve never heard of anybody else doing this before. Windows has this thing called Create Remote Thread. Basically, the semantics of Create Remote Thread are: You’re a process, I’m a different process. I call you and say “Hey! I have this bit of code. I’d really like it if you’d run this.” You’d say, “Sure,” because you’re a Windows process– you’re all hippie-like and free love. Windows processes, by the way, are insanely promiscuous. So! We would call a bunch of processes, hand them all a gob of code, and they would all run it. Each process would all know about two of the other ones. This allowed them to set up a ring … mutual support, right?

So we’ve progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that’s encrypted– really more just obfuscated– to an executable that doesn’t even run as an executable. It runs merely as a series of threads. Now, those threads can communicate with one another, they would check to make sure that the BHO was there and up, and that the whatever other software we had was also up.

There was one further step that we were going to take but didn’t end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. In fact, you can register with the OS a chunk of code to handle a given interrupt. Then all you have to do is arrange for an interrupt to happen, and every time that interrupt happens, you wake up, do your stuff and go away. We never got to actually do that, but it was something we were thinking we’d do.

We did create unwritable registry keys and file names, by exploiting an “impedance mismatch” between the Win32 API and the NT API. Windows, ever since XP, is fundamentally built on top of the NT kernel.  NT is fundamentally a Unicode system, so all the strings internally are 16-bit counted Unicode. The Win32 API is fundamentally ASCII. There are strings that you can express in 16-bit counted Unicode that you can’t express in ASCII. Most notably, you can have things with a Null in the middle of it.

That meant that we could, for instance, write a Registry key that had a Null in the middle of it. Since the user interface is based on the Win32 API, people would be able to see the key, but they wouldn’t be able to interact with it because when they asked for the key by name, they would be asking for the Null-terminated one. Because of that, we were able to make registry keys that were invisible or immutable to anyone using the Win32 API. Interestingly enough, this was not only all civilians and pretty much all of our competitors, but even most of the antivirus people.

We also wrote a device driver and then a printer driver.  When you write a device driver you get to do all sorts of crazy things, even crazier than the things you typically get to do in Windows. This was right around the time that the company [ got sued by Eliot Spitzer and started shrinking ]. They made a somewhat poor business decision at the same time to get visible, and they branded their ads and everything at the same time that they were having me kick all of our competitors off and we were doing all that persistence stuff.

There was also of course Scheme. Eventually, we got sick of writing a new C program every time we wanted to go kick somebody off of a machine. Everybody said, “What we need is something configurable.” I said, “Let’s install a Turing-complete language,” and for that I used tinyScheme, which is a BSD licensed, very small, very fast implementation of Scheme that can be compiled down into about a 20K executable if you know what you’re doing.

Eventually, instead of writing individual executables every time a worm came out, I would just write some Scheme code, put that up on the server, and then immediately all sorts of things would go dark. It amounted to a distributed code war on a 4-10 million-node network.

S: In your professional opinion, how can people avoid adware?

M: Um, run UNIX.

S: [ laughs]

M: We did actually get the ad client working under Wine on Linux.

S: That seems like a bit of a stretch!

M: That was a pretty limited market, I’d say.

S: What is the future for adware?

M: To the extent that advertising is beautifully targeted, it ceases to be advertising and is now more informational. The most encouraging example of this is Gmail. I see nothing but Ruby on Rails developer jobs and Scheme developer jobs on Gmail.

S: Does it weird you out that there’s some automated script filtering all your mail?

M: When I think about that, it sometimes troubles me. The good news is that I’ve been on the other side of those automated script things. Their capability is incredibly dangerous, but the actuality tends not to be.

It would have been fairly trivial for me to go spelunking for people’s credit card information or whatever. I had four million nodes. I could have done it without anybody at the company even noticing.  I was the guy writing Scheme, so I could have just put a text file somewhere and then made it go away, and there wouldn’t even have been an executable lying around.

But I didn’t. To do that, by definition you have to be willing to become a criminal, and that’s a little bit rare. So I’m not too worried about that. I think that advertising is going to turn into something that’s just a big mess of algorithms, where somebody says “this guy may be interested in this new programming language.”

S: How private is people’s information today?

M: Not at all.

S: Do you think that in our society we delude ourselves into thinking we have more privacy than we really do?

M: Oh, absolutely. If you think about it, when I use a credit card, the security model is the same as that of handing you my wallet and saying, “Take out whatever money you think you want, and then give it back.”

S: …and yet it seems to be working.

M: Most things don’t have to be perfect. In particular, things involving human interactions don’t have to be perfect, because groups of humans have all these self-regulations built in. If you and I have an agreement and you screwed me over badly, you’ve always got in the back of your mind the nagging worry that I’m going to show up on your doorstep with a club and kill you. Because of that, people don’t tend to screw each other too much, right? At least, they try not to. One danger, perhaps, of moving towards an algorithmically driven society is that the algorithms aren’t scared of us showing up and beating them up. The algorithms will do whatever it is that they are designed to do. But mostly I’m not too worried about that.

S: Is there anything else you wanted to comment on?

M: People can have things as good as they are willing to work for. If you want to have a system that’s clean of nasty software, you can do that. If you want to have personal privacy, it’s possible– very hard, but possible. And I think it’s worth it.
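Two of the persistence tricks Knox describes above point directly at defender-side checks, and the added example below (it is not part of the interview, and not Direct Revenue's code) sketches both in Python over constructed data. The first check models the Win32/NT "impedance mismatch": a name returned by a counted-string (native) enumeration that contains a NUL cannot be addressed by a NUL-terminated caller, so comparing the native listing against its NUL-truncated view exposes such keys; the Python here only simulates the two views rather than calling either Windows API. The second check follows from his remark that the per-machine "random" filename wrapped an unchanged binary: fleet-wide, one content hash appearing under many different names in the same directory is the observable. All key names, hostnames, paths and hashes are constructed placeholders.

```python
"""Defender-side checks suggested by the adware persistence tricks in the interview.

Check 1: names that a NUL-terminated (Win32-style) caller cannot address.
Check 2: one content hash seen under many filenames in the same directory.

Every input value below is constructed for this example; none is a real indicator.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed: Run-key value names as a native, counted-string enumeration would
# return them. Two of them carry a NUL (U+0000), one mid-name and one trailing.
NATIVE_RUN_KEYS: List[str] = [
    "SecurityHealth",
    "OneDrive",
    "Upd\x00ater",    # NUL in the middle: Win32 sees "Upd"
    "OneDrive\x00",   # trailing NUL: Win32 sees a second "OneDrive"
]


def win32_view(name: str) -> str:
    """What a NUL-terminated caller sees: everything before the first NUL."""
    return name.split("\x00", 1)[0]


def find_unaddressable_names(native_names: List[str]) -> List[Tuple[str, str]]:
    """Return (native_name, win32_name) for every name whose NUL-truncated form
    differs from the counted-string form; a Win32 caller asking for the truncated
    name is asking for a different key, so it can list this entry but not touch it."""
    return [(n, win32_view(n)) for n in native_names if win32_view(n) != n]


def win32_lookup(native_names: List[str], requested: str) -> List[str]:
    """Simulate an exact-name lookup made through a NUL-terminated API: only a
    native entry whose full counted name equals the request can be resolved."""
    return [n for n in native_names if n == requested]


# Constructed fleet inventory rows: (host, directory, filename, md5).
# Hashes are made-up hex strings, not digests of any real file.
HASH_A = "0f" * 16   # the unchanged adware binary under per-host random names
HASH_B = "c3" * 16   # a legitimate binary with a stable name
INVENTORY: List[Tuple[str, str, str, str]] = [
    ("ws01", r"C:\Windows\System32", "a91f3c.exe", HASH_A),
    ("ws02", r"C:\Windows\System32", "7be02d.exe", HASH_A),
    ("ws03", r"C:\Windows\System32", "c04e1a.exe", HASH_A),
    ("ws04", r"C:\Windows\System32", "a91f3c.exe", HASH_A),  # name reused on one host
    ("ws01", r"C:\Windows\System32", "notepad.exe", HASH_B),
    ("ws02", r"C:\Windows\System32", "notepad.exe", HASH_B),
    ("ws03", r"C:\Windows\System32", "NOTEPAD.EXE", HASH_B),  # case differs only
]


def hash_under_many_names(rows: List[Tuple[str, str, str, str]],
                          min_names: int = 3) -> List[Dict[str, object]]:
    """Group inventory rows by (directory, hash) and report any hash that appears
    under at least `min_names` distinct filenames in that directory."""
    names_by_key: Dict[Tuple[str, str], set] = defaultdict(set)
    hosts_by_key: Dict[Tuple[str, str], set] = defaultdict(set)
    for host, directory, filename, digest in rows:
        key = (directory.lower(), digest.lower())
        names_by_key[key].add(filename.lower())   # Windows paths are case-insensitive
        hosts_by_key[key].add(host)
    findings = []
    for (directory, digest), names in names_by_key.items():
        if len(names) >= min_names:
            findings.append({
                "directory": directory,
                "md5": digest,
                "names": sorted(names),
                "hosts": sorted(hosts_by_key[(directory, digest)]),
            })
    return sorted(findings, key=lambda f: f["md5"])


if __name__ == "__main__":
    for native, seen in find_unaddressable_names(NATIVE_RUN_KEYS):
        print(f"unaddressable via Win32: {native!r} (Win32 sees {seen!r}); "
              f"lookup by that name resolves {win32_lookup(NATIVE_RUN_KEYS, seen)!r}")
    for f in hash_under_many_names(INVENTORY):
        print(f"one hash, many names: {f['md5']} in {f['directory']} as {f['names']} "
              f"on {f['hosts']}")
```

Check 1 is deliberately a model: on a real host the counted-string listing comes from the native registry/file enumeration, and the point is that the listing a Win32-based tool can act on is the truncated one, so a mismatch between the two is the signal. Check 2 needs nothing beyond the file inventory most endpoint agents already collect; the threshold of three distinct names is a constructed starting point, and the name is lower-cased because Windows file names are case-insensitive.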