March 31, 2012

I Am a Sensitive Hacker...

Well hello there, boys and girls!  I've been meaning to ask you:  Do you know someone in infosec who's so super cool that s/he thinks they're better than, well, everybody else?  Do they remind you of the Sensitive Artist type from King Missile's classic hipster-bashing song from the 90s?

If you don't know this gem, please familiarize yourself with it, then follow along and cringe with me, as you knowingly snicker under your breath at the ones you find annoyingly in love with themselves.

We all know someone like this. Maybe they're going through a phase, or maybe they were just born this way. ...And maybe if they get a link to this post sent from a bunch of people, they'll get the hint.

Think of it as a public service...


Gossip Gal


Sensitive Hacker

I am a sensitive hacker

I am a sensitive hacker
I am a sensitive hacker
I am a sensitive hacker

I am a sensitive hacker,
Nobody understands me because I am so l33t
In my work, I make allusions to sploits nobody else has developed, classes of vulnerabilities nobody else has ever heard of and 0days nobody else has seen
I can’t help it, because I am so much more intelligent and hyper-specialized than everyone who surrounds me.

I stopped using Windows when I was six months old, because registry surgery was so boring and stupid, and I started using openBSD, and going to DefCon and CCC.

I don’t go to mainstream cons anymore, because my fanbois are too legion.

And I don’t submit papers to CFPs anymore, because all the reviewers are haters, cuz they’re jealous of my skillz, and I can’t deal with jealous haters, because they don’t understand me.

I stay at home, writing tools that are beneath me, and working on my new framework, which no one understands.

I am sensitive
I am sensitive
I am a sensitive hacker
I am a sensitive hacker...


March 20, 2012

We Didn't Start the (NextGen) Fire(wall)

Oops,  I did it again...


Another sing-song, sing-along through infosec history, this time with more cowbell!

Same spoof on Billy Joel's We Didn't Start the Fire, different infosec terms and references.


Gal Shpantzer

PS A guide to pronunciation for the sake of the song's rhyming and timing:

Roesch like mesh.

RIAA like diarrhea (I'm not sorry, they deserve it... )

M-P-A-A like Em Pee Ey Ey

SCADA like Skay-duh

NIPC like NipSee

Here we goooooooo.....  mi mi mi mi mi..... la la la LA la la laaaaaa....

Diffie-Hellman, Token Ring, Private Cloud, Google and Bing
Forrester, hypervisor, Christmas Tree attacks

Marcus Ranum, DEC SEAL; Scarfo loses, no appeal
Multics, lethal ping, Trustworthy Computing

Stephen Northcutt, IDS, wirespeed analysis
Magic Quadrant, APT, Flash and Reader (Adobe)

We didn’t start the firewall...
It was always burning
Since the URL’s been turning
We didn't start the fire
No we didn't light it
But we tried to fight it

Straw-hat glasses, geotags, BIOS firmware blackbags
Hardware hacking, side channel, Communist Bloc

Wireless to Zigbee mesh, Alan Turing, Marty Roesch
Evening Iguana, Rock Around the Clock

EINSTEIN, A-Team, Sharks with friggin LASER beams
Bruce Schneier, MBR, Twitter Facebook, SQUIRREL!!!

Android, VDI, @Hrbrmstr, SQLi

We didn’t start the firewall...

Joshua Corman, PCI, No Child will be Left Behind
SCADA, Office Space, Common Criteria

Enigma, Firewall, Comodo CA Falls
Night Dragon, NetFlix, SB 1386
NIPC, Farmville, Arpanet, ‘bola Monkey, MafiaBoy
MapReduce, Hadoop, TwoFish is a no-go

Duqu, BSD, AOL sends out CDs
Zombie botnets, Psycho, Nudie Scans at SFO

We didn’t start the firewall...

Gartner’s “IDS Is Dead,” joyride on the NO-OP Sled
Remote screen emulation, Van Eck emanations

Wall Street speculators lie, Nortel’s decade compromised
TrueCrypt, Next-Gen, Firewalls are back again

UseNet, XSS, browser pwn on the WordPress
RSA: Blown away! What else do I have to say?

We didn’t start the firewall…

Trojan horse, Chuvakin, Zero-Client endpoint Zen
TCP, NFC, Peer to Peer, RFC
Sneakers, Matrix, BGP, thank you Sir Tim Berners-Lee
Ayatollahs in Iran, US in Afghanistan

SecurID, seeds exposed, DIB is getting hosed
Foreign debts, homeless Vets, WEP cracked in minutes

Angelina in Hackers, I Can Haz D Cheezburgers
Linux flavor holy war, I can’t take it anymore!

March 15, 2012

We Didn't Start the Fire(wall)

Well, hello there, boys and girls, it's time for another sing-song, sing-along!

Previously, we destroyed paid homage to a Bob Dylan song in the guise of a BSides security conference tribute and that seemed to go over like a lead balloon, so let's try this again...  Once more, with FEEEEEEELing.

Today, we point our favorite secure (ahem) browser to (open in another tab), support the original artist by watching the official video with a 30 second commercial, then follow along with our very own mangled, er, um, I mean ShpanTazered (TM) version of this Billy Joel classic!  

The original song was difficult to follow, with so many vague references to historical events and figures.  I left some of the original references in there, just to be confusing, but switched up the rest for an infosec audience (who else reads this ridiculous blog...)  

Security types will certainly be more familiar with Operation Bot Roast than Santayana (who's THAT?) and with the infamous and historically significant Paris Hilton Sidekick hack than with any 'trouble in the Suez' nonsense (where's that again...?)

We usually look at the world through the hazy filters of geek rock star practitioners and analysts, malware outbreaks, advances in hacking tools, networking breakthroughs and disruptive technologies.  Not actual rock stars and you know, shooting wars, and whatever else people pay attention to... We're special little infosec snowflakes!  Cuz I said so.

It's been a long, wild ride, intertubes, so have a drink of water, warm up your vocal cords, strap in and try to sing this techie tongue-twister to the Billy beat!

Good luck, 

gAli G AKA Gal Shpantzer

We Didn't Start the Fire(wall)

Hacktivism, PGP, Red China, Entropy
BlackBerry, Neuromancer, PageRank SEO

Dan Kaminsky, Richard Nixon, Studebaker, Max Vision
Red Pill, Blue Pill, CISSP

RADIUS, Logic Bomb, Pain Ray, Johnny Long
Gene Schultz, The King And I, when do we stop SQLi ?

Robert Morris, Vaccine, England's got the same queen
DVD Jon, Liberace, Operation Bot Roast

We didn't start the firewall
It was always burning
Since the URL’s been turning
We didn't start the fire
No we didn't light it
But we tried to fight it

Pirate Party, Rybolov, Nimda and CSRF
Blaster LoveBug, John The Ripper, Communist Bloc

SRI, BBN, PDF bugs round the bend,
D-N-S Fails, Synchronize the Clocks

Stuxnet, LASER Beam, BSides’ got a winning team
Hoffacino, Xerox PARC, Kristin Paget, Bletchley Park

Lycos, LulzSec, Altavista, Cuckoo’s Egg
Freedom Frisk, Howard Schmidt, Paris Hilton’s Sidekick

We didn't start the firewall
It was always burning
Since the URL’s been turning
We didn't start the fire
No we didn't light it
But we tried to fight it

Cyber Storm, AirCrack, Mickey Mantle, ENIAC
Mitnick, System High, It’s the year of PKI

Keyloggers, Stacheldraht, Operation ShadyRAT
BitLocker, SecuTwits, Sony-BMG Rootkit

SE Linux, @Beaker, EFF, Mafia
SIPRNET, Lamo, Ripco is a no-go

U2, WikiLeaks, IANA and IRC
Securosis, RAND Corp, Hacker’s Manifesto

We didn't start the firewall
It was always burning
Since the URL's been turning
We didn't start the fire
No we didn't light it
But we tried to fight it

Zimmermann, LANMan, Stranger in a Strange LAN
Webcam, KLM, APT invasion

(David) Bell-LaPadula, Foursquare check-in mania
Vint Cerf, Trojans, GPUs make BitCoins

JavaScript, Active X, British Politician sex
RSA: Blown away! What else do I have to say?!?

We didn't start the firewall
It was always burning
Since the URLs been turning
We didn't start the firewall
No we didn't light it
But we tried to fight it

451, brute forcing, Kerberos is back again
Pick locks, teraflops, Captain Crunch, DevOps
Begin, Reagan, Cross Domain, hackers bringing Titan Rain
Ayatollahs in Iran, US in Afghanistan

9/11, Sally Ride, Biba Model, suicide
Foreign debts, homeless vets, AIDE, Crack, iOS
Got collisions in the SHA, China's under martial law
BYOD, browser wars, I can't take it anymore!

We didn't start the firewall
It was always burning
Since the URL’s been turning
We didn't start the fire
No we didn't light it
But we tried to fight it

March 13, 2012

FUDSec post. Oldie but goodie...

Back in the Spring of 2010 I was given the rare opportunity to contribute to the FUDSec Blog.  I thought long and hard about what I could add to the site, then sat down for a whole 30 minutes of uninterrupted, squirrel-less focus and created the Shpantzer Coma Scale of Vendor Lameness and FUD, AKA SCSoVLF.  Kinda has a ring to it, doesn't it...  It was in response to the overhyped marketing and ridiculous bandwagon-jumping by vendors who, due to the economy, were struggling to get a piece of the security spending pie.  When the economy shrinks, the vendors can get desperate to make their numbers and sometimes the sales and marketing machines get ahead of delivery and, you know, real software/hardware/services that actually do anything.

I've spent years as a specialty security VAR/Integrator and still consult to a couple of niche vendors so I understand that it's rough all over...  Still, I'm somewhat old school when it comes to the integrity of the sales process.  Everybody's selling something, whether their consulting services (Ohai 0-day ninjas!) or basic antivirus products trying to stay relevant in an increasingly difficult market.  Regardless, it's never a bad idea to present your wares in a way that will bring you a fanatically loyal following of qualified buyers and the referrals to friends of said qualified buyers.

Be the professional who can legitimately say "You know, I can't do that myself but I know someone who can."

This is a very small industry.  People talk and ask around.  Don't be that one clown who tries to make a quick buck by overdoing it.

I'll be updating the post right here on this site since it's been almost two years and I want to drive some more nails into the FUD coffin as best I can...

For now, here's the original, uncensored, unadulterated and unfiltered version 1.0 of the Shpantzer Coma Scale of Vendor Lameness and FUD...

In the previous post, leading up to RSA 2012, I mentioned the CyberWolves and the fear they instill in the hearts of infosec professionals.  Now it's time for a quick post RSA 2012 update:  High-speed photography of my CyberOwls unleashing their CyberWolf-shredding, Anti-Threat Talons during an intense table-top training exercise!

Exclusive footage here: