Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Category Archives: Technology

Microsoft Bug Bounties – Podcast interview with Katie Moussouris


As most people have already read (unless you’re still under that rock), Microsoft made a landmark announcement yesterday regarding its new bug bounty programs. If you’ve not already read about the news I won’t try to rehash what’s already been said (detailed information is available in the links below). However, in a case of “right place, right time”, Martin McKeay and I managed to chat with Katie Moussouris (the driver behind these programs) as part of the FIRST conference podcast series.

Hopefully this open and frank discussion helps to clear up any questions people may have about the programs and their effect on the InfoSec community at large. Microsoft always does things in its own way, and these bug bounty programs are unique in many ways. With more emphasis on defense, and on really fixing the problems, the programs certainly look interesting and are another step along the path to making things more secure… hopefully.

Microsoft’s announced bug bounties:

  • Mitigation Bypass Bounty
  • BlueHat Bonus for Defense
  • Internet Explorer 11 Preview Bug Bounty

The podcast can be found here –> http://media.first.org/podcasts/FIRST2013-Katie-Moussoris-Microsoft.mp3

Links:

{QuickPost} Windows 8 Digital Product Key recovery

Recently I’ve started moving my lab systems over from my old faithful MacBook Pro to a new Lenovo system. After receiving the new Lenovo and booting into Windows 8 Pro for the first time, I did what any sane person would… formatted the thing and installed a usable operating system.

After the usual tinkering period and getting everything set up just right, I turned my mind to setting up the various lab VMs I wanted, and quickly realized that my new Lenovo with Windows 8 Pro had no license key. No sticker, nothing in the documentation, nothing on the box. Where the F was that little code I needed to get Windows 8 Pro running in my VirtualBox lab?

Well, the answer came quickly… it’s in the BIOS. When Windows 8 is installed it checks the firmware for a Digital Product Key (DPK) and uses it. Simple, except I’m pretty sure my VirtualBox VM isn’t going to read the key from my BIOS through a thin layer of virtualized hardware (although I could be wrong on that). So, after digging about on the net and finding a whole load of “if you run Windows just do this” type solutions, I started digging around in my BIOS using a few Linux tools (dmidecode and acpidump).

Although dmidecode gives a nice decoded view of most of the SMBIOS data, it didn’t pick out the information I was looking for (still, interesting stuff); the key is not in the SMBIOS tables at all, but in an ACPI table. In the end I used acpidump to dump the ACPI tables and comb through them for the MSDM table, which is where the Windows 8 Pro DPK lives.

Walkthrough

sudo acpidump -t MSDM

This dumps just the MSDM table, in hex with an ASCII column alongside. The table is a standard 36-byte ACPI header followed by a few 32-bit fields and then the key itself, so the 29-character product key (five groups of five characters, separated by hyphens) is readable in the ASCII column. sudo is needed because acpidump reads the tables from firmware memory; on a Linux kernel that exposes the ACPI tables, the same raw table is also available as the file /sys/firmware/acpi/tables/MSDM.

[screenshot: acpidump output for the MSDM table, with the product key blanked out]
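Instead of reading the key off the hex dump by eye, the table can be parsed directly. The following is an added example written for this page, not something from the original post or from acpidump: it reads the raw MSDM table (from /sys/firmware/acpi/tables/MSDM, or any binary copy of the table), verifies the ACPI header signature, length and checksum, and returns the key. The byte layout assumed (36-byte ACPI header, then five 32-bit fields: version, reserved, data type, data reserved, data length, then the key bytes) is the MSDM layout; the sample table in the block is constructed here with a placeholder key and made-up OEM strings so it runs offline.

```python
"""Parse the ACPI MSDM table that OEMs use to embed the Windows 8 Digital Product Key.

Added example, not code from the original post. Assumed layout: a standard
36-byte ACPI table header, then five 32-bit little-endian fields (version,
reserved, data type, data reserved, data length) followed by `data length`
bytes of ASCII key. The sample table below is constructed with a placeholder
key and made-up OEM strings so the script runs without firmware access.
"""
import re
import struct
from pathlib import Path

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")   # 36-byte ACPI table header
MSDM_BODY = struct.Struct("<IIIII")             # version, reserved, type, reserved, data length
KEY_RE = re.compile(r"^[A-Z0-9]{5}(?:-[A-Z0-9]{5}){4}$")   # XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
SYSFS_MSDM = Path("/sys/firmware/acpi/tables/MSDM")       # live table on Linux (root needed)


def acpi_checksum(table: bytes) -> int:
    """All bytes of a valid ACPI table sum to zero modulo 256."""
    return sum(table) & 0xFF


def parse_msdm(table: bytes) -> dict:
    """Validate an MSDM table and return its fields plus the product key."""
    if len(table) < ACPI_HEADER.size + MSDM_BODY.size:
        raise ValueError("buffer too short for an MSDM table")
    sig, length, _rev, _chk, oem_id, oem_table_id, *_ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"MSDM":
        raise ValueError(f"not an MSDM table (signature {sig!r})")
    if length != len(table):
        raise ValueError(f"header length {length} != buffer length {len(table)}")
    if acpi_checksum(table) != 0:
        raise ValueError("ACPI checksum failed; table is corrupt or truncated")
    version, _r1, data_type, _r2, data_len = MSDM_BODY.unpack_from(table, ACPI_HEADER.size)
    start = ACPI_HEADER.size + MSDM_BODY.size
    data = table[start:start + data_len]
    if len(data) != data_len:
        raise ValueError("data length runs past the end of the table")
    key = data.decode("ascii").rstrip("\x00")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_table_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "version": version,
        "data_type": data_type,          # 1 in the tables carrying a product key
        "key": key,
        "key_looks_valid": bool(KEY_RE.match(key)),
    }


def is_valid_msdm(table: bytes) -> bool:
    """True if the buffer parses as a well-formed MSDM table."""
    try:
        parse_msdm(table)
        return True
    except ValueError:                   # UnicodeDecodeError is a ValueError too
        return False


def build_msdm(key: str, oem_id: bytes = b"DEMO", oem_table_id: bytes = b"EXAMPLE") -> bytes:
    """Construct a well-formed MSDM table (for the offline demo; OEM strings are made up)."""
    data = key.encode("ascii")
    body = MSDM_BODY.pack(1, 0, 1, 0, len(data)) + data
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"MSDM", length, 3, 0, oem_id.ljust(6, b"\x00"),
                              oem_table_id.ljust(8, b"\x00"), 1, b"ACPI", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF      # checksum byte sits at header offset 9
    return bytes(table)


def read_host_key() -> dict:
    """Parse the live table from sysfs (needs root; raises if the table is absent)."""
    return parse_msdm(SYSFS_MSDM.read_bytes())


# Constructed placeholder key, not a real product key.
SAMPLE_TABLE = build_msdm("ABCDE-FGHIJ-KLMNO-PQRST-UVWXY")

if __name__ == "__main__":
    print(parse_msdm(SAMPLE_TABLE))
```

The checksum and length checks matter more than they look: a truncated or mis-copied dump fails loudly instead of yielding a plausible-looking but wrong key, and the signature check stops you from feeding it some other table by mistake.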

Enjoy!

Links:

{Quick Post} Adding rand() to Yahoo Pipes

This is just a quick post (and not particularly security orientated) about some modifications I made to the patched together Tumblr –> Yahoo Pipes –> FeedBurner solution I use for the Suggested Reading links I post on twitter (and make available through feed.c22.cc).

The problem:

I’ve begun to notice that any blog posts or articles I share recently are turning up on Twitter (the ones with the dreaded [SuggestedReading] tag) about 6 hours after I actually share them. This doesn’t make for a very reliable sharing system, as people in InfoSec tend to want up-to-date information, not day-old data clogging their timelines.

The thought process:

Originally I thought this was a problem with FeedBurner, as it was the last item in the chain and I know it doesn’t update in real time. The FeedBurner stage of the process adds items to the Twitter stream with the prefix [SuggestedReading]. As it turned out this wasn’t the cause, as even a forced refresh wasn’t doing the trick. Following the chain back to Yahoo Pipes I saw that the feed.c22.cc/rss feed was loading, but always responding with what seemed to be a cached version.

The fix:

The fix I implemented was to append an ever-changing string to the URL that the Yahoo Pipes “Fetch Feed” module requests, so that every fetch is for a distinct URL and the cached copy is never served.

Instead of requesting feed.c22.cc/rss it would request feed.c22.cc/rss?timestamp=1338531580

As Yahoo Pipes doesn’t offer a rand() function, I implemented a series of pipes that take the current date/time, transform it into a string (e.g. 1338541580) and then add it to the end of the static URL using the Yahoo Pipes URL builder function.

You can view the Yahoo pipe here
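As an added illustration (not part of the original post, and nothing to do with Yahoo Pipes’ own modules), here is the same cache-busting trick as a small Python helper that works on any feed URL: it appends a Unix-timestamp parameter, replaces a stale one if the URL already carries it, and keeps any existing query string and fragment intact rather than blindly concatenating ?timestamp=…, which would produce a broken URL when the feed address already has a query string. The URL and timestamp values are the ones from the post; the parameter name is the one used above.

```python
"""Cache-busting query parameter for feed URLs (added example, not from the post)."""
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def cache_bust(url: str, now=None, param: str = "timestamp") -> str:
    """Return `url` with a `param=<unix time>` query parameter.

    A value that changes every second defeats a fetcher that caches by exact
    URL. An existing `param` is replaced rather than duplicated, and any other
    query parameters and the #fragment are preserved.
    """
    stamp = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != param]
    query.append((param, str(stamp)))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    print(cache_bust("http://feed.c22.cc/rss", 1338531580))
    print(cache_bust("http://feed.c22.cc/rss?format=atom&timestamp=1", 1338531580))
```

Note that this only helps when the intermediate cache keys on the full URL, which was the behaviour observed with the Yahoo Pipes fetcher here; a cache that normalises away unknown query parameters would ignore it.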

EU legislation – Digging below the FUD line (cont.)

Earlier on I posted up my thoughts on the EU Legislation – “Attacks against information systems”.

At the time I held back from commenting on some quotes in the news story as I wanted to mull over my response a little longer.

In the news article posted on europarl.europa.eu, one of the MEPs responsible for the amendments and the final legislation was asked to comment on the proposal. A couple of her responses warrant a rebuttal, although at this stage things are far too far gone to make much change at the EU level.

 “We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations. The financial damage caused for companies, private users and the public side amounts to several billions each year” said rapporteur Monika Hohlmeier (EPP, DE). “No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world” she added.

The last sentence in particular makes the lack of understanding of the InfoSec industry clear. Monika Hohlmeier talks about liability incurred through lack of testing and confuses a number of issues.

This comment would fit nicely and make sense if we were talking about lack of security testing by software vendors. I agree they should be held liable for shortcuts and sloppy work. Especially if it puts others at risk!

However, in the context of this legislation it seems to point more to companies releasing tools that *could* be used by attackers. Putting aside the fact that almost any program could be used offensively, it’s obvious that if security tools are outlawed by poorly drafted legislation like this, then companies won’t have the tools required to perform the testing that is required of them.

To put it in the same context as Monika Hohlmeier used…

A car manufacturer would not be able to test the reliability and security of their cars if the tools, methods and knowledge required for that testing was against the law. A company can only secure a product from potential problems (whether security or not) by using methods and techniques to test them. Car companies have and will continue to go through rigorous checks by crashing cars, dropping them on their roofs and spinning them on a wet surface to see how they react.

In the security field we do the same thing, by creating tests to see if systems are secure. We take an app and send unexpected input, attempt to force the application out of control, and take advantage of insecurities to see how far the issue goes.

You wouldn’t tell a car manufacturer that their crash tests are illegal because they cause a car to crash… So don’t try to tell us that possession of the tools we need for our jobs puts our jobs and livelihoods at risk! The lack of context in this legislation leaves everybody to interpret its meaning for themselves. I doubt that your goal, or the goal of this legislation, is to hinder, disrupt or block valid security research and testing; however, the effects remain to be seen… 202(c) had the wrong effect due to its lax wording… don’t let this EU legislation drive all security research out of Europe.

My 0.02¢ on the issue…

Links:

  • EU legislation – Digging below the FUD line (blog.c22.cc)
  • Hacking IT Systems to become a criminal offence (Europarl article)
  • Draft Report / Amendments – Monika Hohlmeier (PDF)
  • Draft Report / Amendments – 34 – 128 (PDF)
  • Final (Attacks against information systems) (PDF)
  • Draft Agenda of the LIBE Meeting of 26-27 March 2012 (PDF)
  • Meeting notes and links LIBE Meeting (Europarl site)
  • Monika Hohlmeier (MEP Information Page)
  • Jan Philipp Albrecht (MEP Information Page)