Tuesday, March 6, 2018

Abusing Blockchain Transparency for Good

In 2013, I had just completed a year working on my DARPA Cyber Fast Track grant, creating a holistic threat model of the entire IoT landscape. The result of this research wasn't simply a threat model to end all IoT threat models: it was a blueprint for designing resilient, secure, long-lasting IoT technology. The question I then asked myself was, what do I build with this blueprint?

In answering that question, I spent the majority of 2013 looking at the intersection of technology and community service. I decided to set my sights on designing systems that could assist with the collapse of communities, something that has always been on the forefront of my work, and one of the reasons I had always focused on IoT. IoT has the potential to revitalize struggling communities by providing access to resources that are otherwise cost-ineffective or impractical.

So I designed a proof of concept system called DogeFling. DogeFling was the first step in an IoT system to facilitate community change through transparent donations. The way the proof-of-concept worked, everyone with a cellular phone could participate in the system. Donations were based on where your phone "lived" (the physical area in which you tend to live). So if your phone tends to "live" in Flint, Michigan, DogeFling would consider you a citizen of Flint.

If a crisis occurred anywhere in the world, the system would allow users to send monetary donations straight to your phone number via a text message, based on your location. Hurricane in Louisiana? DogeFling coins to the city of New Orleans and your currency would be evenly distributed across all phones "living" in the general area. You didn't need an account. You didn't need a bank. The system used Dogecoin to quickly and cheaply transfer money between parties.

This proof was demonstrated at Hack in the Box 2014 (the Haxpo side-conference). At the time, I donated 2,000,000 DOGE to talk attendees via DogeFling. The Doge could then be used at HITB in exchange for physical goods like t-shirts and hoodies, proving the system worked.

In practice, however, there were serious regulatory and legal gaps that the system on its own could not resolve. After looking into these, it became clear that there would need to be an alternative solution in order to make this system work.

The Flint Water Crisis

In April of 2014, it became crystal clear that a change in the way we donate money was needed. I'm sure all you readers are aware of the Flint water crisis. In 2014, Flint's water system was switched over to a local river, heavily contaminated by industrial ruin and infrastructure decay. This spread lead and other toxins into the community, causing one of the most horrific and significant health crises of modern America. This crisis, as of writing this (March 2018), is ongoing.

I was born at McLaren hospital in Flint, and was raised in the greater Flint community. I went to high school at nearby Grand Blanc High School, but spent most of my time at the Flint Institute of Arts, Flint Institute of Music, Southwestern Academy, and Flint Central. In my teenage years, I wasted most of my time at the historic Flint Capitol Theater. The first non-classical-music concert I ever attended was The Dead Milkmen at the Capitol Theater. I still have the ticket stub. 

When my friends and family told me about the Flint Water Crisis, I looked to DogeFling for an answer. But, legal issues and funding precluded me from using it, and common sense stopped me from saying "screw it" and launching without a net. 

A system like DogeFling would have been exceptional during the Flint Water Crisis. Money donated into the city was somehow disappearing. Bottles of water were ending up at storage facilities, churches, and other locations with no one to distribute them. Despite acquiring massive amounts of funding from the public, somehow, citizens were still left thirsty and desperate simply to bathe. And while I'm thankful for the celebrities that showed up with semi-trucks full of bottled water, only a fraction of that water was efficiently distributed (or distributed at all). 

Every dollar donated into the crisis resulted in only a fraction actually used to assist Flint citizens. 

With such an obvious need, I did what any sensible, cautious entrepreneur would do and started looking for venture capital. 

The Intersection of IoT and Blockchain

During 2014 and 2015, I augmented the Lab Mouse Secure IoT Platform to support Blockchain technology using Secure Elements and a custom communications protocol. This allowed us to integrate with almost any Blockchain technology with ease. However, the problem of cost was still high on the list of outstanding issues. 

The average IoT platform costs 10 to 25% of what a "secure" IoT platform costs. This is not feasible for most startups. Even when information security professionals cry out for and demand security by default, and when executives buy into the concept of IoT security, the costs are sometimes so high as to make the implementation impractical. 

If you're selling an IoT sensor for 1 USD, how can you suddenly triple your costs by integrating secure technology, either forcing your market to bear the weight (if it will), or forcing your own company to vastly decrease its profit margins? None of this is sustainable in an ecosystem where the average ARM Cortex-M0+ costs under 0.60 USD per unit at volume with no trusted element.

My solution? RISC-V. With custom, open source, RISC-V processing technology, we can build secure processors with trust elements at a fraction of the cost of ARM processors. Integrating the RISC-V architecture into Lab Mouse, we can then offer a secure platform that is finally cost-effective.

So, in 2016, I researched the RISC-V architecture and joined the RISC-V consortium. I currently sit on the Debug, Security, and general ISA groups and hope to soon get back to participating more heavily. In 2017 at Hack in the Box Amsterdam, I demonstrated security flaws in the RISC-V processor architecture that are now resolved, proving that I put in the effort to research the architecture to ensure it is resilient enough for use in the Lab Mouse solution. 

With this architecture, we will finally be able to build and offer IoT security accessible to everyone. This further allows cost-effective integration of Blockchain technology without the need for excessively robust processing architectures, large amounts of RAM, or large storage devices! 

Proving Elements Secure

The final step to a holistic secure IoT platform is designing a trust element that is cost-effective and can scale effectively. The majority of 2017 was spent doing just this. Using the DARPA threat model, and threat models for Secure Elements augmented during the development of the GSMA IoT Security Guidelines (written by me, 2016), I proved that major Fortune 100 Secure Element designs contained major security flaws that can be exploited to gain access to almost any network environment, even ones presumed otherwise trustworthy. 

This research will be released at HITB 2018, proving that Lab Mouse has a stronger understanding of how to build, deploy, and manage elements of trust than most modern corporations. 

Community Vending Machines

With a significant amount of effort performed proving what works and doesn't work in designing and deploying global, secure IoT ecosystems, it was time to get back to business. 

In 2016 and 2017 I reached out to venture capitalists and angel investors, and began building relationships to help launch the Lab Mouse ecosystem. 

But what is the ecosystem? 

We aren't just building secure IoT technology. That is only a requirement for what we are really doing: solving community problems like the Flint Water Crisis. 

With our secure IoT platform we are building technology to distribute donations directly to citizens and communities in need.

Our first proof of concept is a Vending Machine that is integrated to the Stellar blockchain. Our token will be used to distribute funds donated into the Lab Mouse ecosystem directly to Vending Machines. Each machine will be directly on the blockchain, allowing users to monitor exactly where their money has been distributed. Because the Vending Machines are designed with Lab Mouse IoT technology, you know exactly when someone has received a donation, and what type of product they are retrieving from the machine. 

Because of the Flint Water Crisis, we started with the idea of vending bottles of water, so that citizens could pick up free bottles. This grew into other options. After speaking with Flint community leaders, and holding several meetings at Flint's Factory Two, we learned that the number one stolen consumer good in Flint's Genesee County is diapers. Not prescription drugs. Not alcohol. Diapers.

As a result, we are augmenting our proof-of-concept design to support the distribution of packs of diapers, infant formula, and bottled water. 

Community Distribution Systems

By working with the local community, and using our blockchain token as a tracking unit, we can create distribution networks to refill vending machines around the city. Smart contracts can be used to facilitate distribution, because our secure IoT platform can identify when a contracted community member has fulfilled their job of transferring goods to a particular vending machine within the requisite time-frame. 

Furthermore, we can create incentives for helping distribution occur. By using the tracking data, we can move vending machines to more efficient locations, suitable for citizen use. 

But, most importantly, donations into the Lab Mouse IoT ecosystem directly support not only the products served by the vending machines, but the distribution, maintenance, and ongoing costs (energy consumption) required to support the machine and its ecosystem. 
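The reconciliation a donor or auditor could run over such a ledger, as an added example that is not Lab Mouse code: it accepts only machine events whose authentication tag verifies, totals tokens spent per machine, and releases a restock contract only for an authentic delivery inside its time window. The ledger is a plain Python list rather than Stellar, HMAC stands in for whatever signature the secure element produces, and every key, name, price and record is constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-machine keys. HMAC is a stand-in for a signature made by each
# machine's secure element; the page does not specify the real scheme.
MACHINE_KEYS = {"vm-01": b"constructed-key-01", "vm-02": b"constructed-key-02"}
UNIT_COST = {"water": 1, "diapers": 10, "formula": 15}  # tokens, constructed


def _tag(key, event):
    # Canonical JSON so the machine and the auditor hash identical bytes.
    body = json.dumps(event, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def machine_report(event):
    """What a machine would publish: the event plus its authentication tag."""
    return {"event": event, "tag": _tag(MACHINE_KEYS[event["machine"]], event)}


def is_authentic(record):
    key = MACHINE_KEYS.get(record["event"].get("machine"))
    if key is None:
        return False  # unknown machine: never trust the claim
    return hmac.compare_digest(_tag(key, record["event"]), record["tag"])


def audit(funded, records):
    """Reconcile tokens funded per machine against authentic vend events."""
    result = {m: {"spent": 0, "unspent": t, "rejected": 0} for m, t in funded.items()}
    for rec in records:
        ev = rec["event"]
        entry = result.get(ev.get("machine"))
        if entry is None:
            continue  # event for a machine that received no funds
        if not is_authentic(rec):
            entry["rejected"] += 1  # forged or altered record: count, do not spend
            continue
        if ev["type"] == "vend":
            cost = UNIT_COST[ev["product"]]
            entry["spent"] += cost
            entry["unspent"] -= cost
    return result


def restock_payable(contract, records):
    """Pay only for an authentic restock of the contracted machine, in time."""
    for rec in records:
        ev = rec["event"]
        if (ev.get("type") == "restock"
                and ev.get("machine") == contract["machine"]
                and ev.get("courier") == contract["courier"]
                and contract["issued"] <= ev.get("time", -1) <= contract["deadline"]
                and is_authentic(rec)):
            return True
    return False


# Constructed ledger: three vends, one genuine restock, one forged restock.
RECORDS = [
    machine_report({"machine": "vm-01", "type": "vend", "product": "water", "time": 100}),
    machine_report({"machine": "vm-01", "type": "vend", "product": "diapers", "time": 200}),
    machine_report({"machine": "vm-02", "type": "vend", "product": "formula", "time": 150}),
    machine_report({"machine": "vm-01", "type": "restock", "courier": "courier-7", "time": 500}),
    # Names vm-02 but was not produced with vm-02's key.
    {"event": {"machine": "vm-02", "type": "restock", "courier": "courier-9", "time": 400},
     "tag": "0" * 64},
]
FUNDED = {"vm-01": 100, "vm-02": 50}

if __name__ == "__main__":
    print(audit(FUNDED, RECORDS))
```

The forged restock is counted against the machine it names and pays nothing, which is the property the design depends on: transparency is only useful if each ledger entry can be tied to a device that could not have been impersonated.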

The Result?

After 6 years of constant effort, this spring we will finally launch the proof-of-concept of a system long overdue: A way for citizens of the world to donate to a working environment where they can clearly see how their hard-earned money is being used by citizens in need. We will use secure IoT technology built by Lab Mouse to ensure the IoT ecosystem is not just secure, but cost-effective. We'll use blockchain's transparency, coupled with our secure IoT platform, to guarantee how every penny is being used in the system. We'll make the system sustainable by integrating ongoing costs into the donations model, to ensure every method of distributing goods can be supported by the donations that enter the network.

With this system, Lab Mouse hopes to change the way we think about IoT, Blockchain's usefulness, and the concept of philanthropy. We hope this is the first step in a long journey to prop up citizens in distress, to help revitalize communities long forgotten by the fallen titans of antiquated industry. 

The solution to modern economic distress isn't to pretend the revitalization of deprecated industries is profitable and sustainable. The solution is to use modern technology to distribute resources to provide opportunities for distressed citizens to educate themselves, their community, and to grow. We won't win this social war by offering another temporal band-aid on a long-term wound. We can only win by offering communities ways to ease their burdens, to give them opportunity, to reduce financial, emotional, and physical stress. Only then will we create environments where all people may thrive. 

Want to support us? Reach out: info at securitymouse dot com

Peace and Love,

Don A. Bailey
Lab Mouse Security

Tuesday, January 9, 2018

The Story of the Ghost

I Feel I've Never Told You

...the Story of the Ghost...

It was 1999... or 2000... I don't quite remember. We never slept. We would audit source code for days on end, mostly the OpenBSD or Linux kernel, looking for strange bugs despite not knowing what the hell we were doing. We'd write scripts to fuzz command-line applications, begging binaries to reveal 0days. Jaime had just written a script that hacked somewhere around 1800 computers in under 60 seconds. 

We called her Zero Cool. For obvious reasons. 

When the press caught wind of this, she did what she always did: she made it amusing. She'd joke with them about rage-rm'ing servers (even though she never actually did anything malicious) and mass website defacements in the name of Jerr Bear. To us, it was just another day at the script kiddie office. 

Then, the South Koreans called. 

Somehow, a South Korean television talk show interested in doing a piece on hackers got a hold of us because of Jaime's recent notoriety. An mIRC session or two later, the television show's runners joined our IRC channel and began chatting us up about nuclear security. Somehow they got the idea that we were mature professionals with slick hair and ties (people still wore ties back then; this was pre-Zuk-hoodie landscape). We'd chat through private messages and make sure our responses were coordinated, reasonable, and even cautious. 

The thing was, even though Jaime was a notorious troll, she was a lighthearted troll. She never wanted to - or meant to - hurt anyone. And she actually loved the art of hacking. She wanted people to understand the dangers as well as the beauty behind the keystrokes that cut us and make us bleed.

We sounded so conservative and restrained in our discussion with the TV crew that they ended up airing a segment after translating our interviews. Next thing we knew? We were on national South Korean television talking about the threat of hacking nuclear facilities. 

Of course, the translation ended up making us sound a bit more urgent than we intended... but what did we care? They used our "hacker names" and showed us as shadowy blackhat JPEGs. 

I used to have a video of the interview. Funny enough, I even tried to search for it a few months back. I never did find it. It's been lost in Internet time, but Jaime still thought it was hilarious. 

Character Zero

Over the 18+ years I knew Jaime, she and I remained close for the majority of it. There were times when she would disappear for a year or two, but she always resurfaced with new stories to tell. She lived down the street from me for a year or so in Denver. I was out of the country so often during that time that we barely got to hang out, but when we did it was always Old Times. 

She used to give me a lot of shit for not keeping up with my violin or guitar practice. 

One of the reasons we became fast friends in 1999 was that we both had a background in music. For those that don't know, Jaime wasn't just an avid Phish head, she was an exceptional guitarist. She played in a few bands and was extremely gifted. Even though I was raised to be a concert violinist, her guitar skills vastly out-shined mine. I was always jealous of her. 

A couple of years ago, I picked up the guitar again and actually started practicing. We played together in San Francisco a year or so ago and she complimented my soloing. That was the first and only time she actually gave me props. It might sound silly, but it was an interesting moment. She'd been giving me shit for 16 years at that point, and was finally proud that I was practicing again. 

But I hope she knew how proud of her I was.

She was the first person to see how hard I was trying to learn engineering and information security and keep at me to continue pursuing it. Even when I was frustrated and ready to give up, she always stood by me and supported my efforts. From the time we were teenagers up until a month ago, she was always a solid friend.

And I always stood by her. We grew in different directions as we got older. I tend to be a bit of a "bro" (and she gave me shit for it), but we always found common ground and maintained our closeness. Because of that, we never moved on from our friendship. We worked hard to maintain it and respect each other, despite living very different lifestyles.

That, to me, was Jaime. Someone that was always trying to live as honestly and emotionally full as she possibly could. Someone that would tell you you fucking suck to be honest one minute, but hug you and tell you she loved you despite you sucking the next, then finally would tell you what you could do to suck less. She was the dagger, but she was also the bandaid.

When the Circus Comes to Town

I have a lot of amazing memories of Jaime and my exploits, from learning to write exploits in the 2000's, to the Root Shell Hackers days of yore, to the jam sessions at my apartment in Denver, to the time she attempted to give her first speech at 44con (which went horribly awry, but she really tried hard to make it work despite her anxiety). There isn't a story I have about Jaime that doesn't make me smile, even if it wasn't a perfect situation.

In fact, one of my favorite memories with her was an entirely imperfect and disgusting scene at Black Hat a few years back. 

We were bouncing from party to party, as usual, when we ran into a friend from London in the IoT space. We were all sober, and were deciding where to go to gather our first drinks. We ended up at the NCC Group party, wherever it was that year, stopping in to say hello to some pals, then we were on our way to another suite where the actual partying would commence. Despite the brief stop-in, it was quite the eventful party.

In the short time we were there, a group of miscreants near the doorway began harassing Jaime, genuinely saying some pretty foul shit. They were all pretty drunk and I was trying to ignore them. But they were calling her some pretty awful things that I won't repeat here, related to her sexuality. One of these individuals even proceeded to text me, telling me "not to go home with her", among other pleasantries. 

I responded by reminding this person that they had been in the same old school hacker crews that they were familiar with. We were all there when ADMutate was released. We were there when sadmind.c was dropped in #feed-the-goats. We were there when sk8 was arrested. We were there when phrack.ru was owned by someone who left 0day in a RWX home directory. We were there when GOBBLES owned the w00w00 server. We were there when xdr was raided. We were there when p4ntera disappeared into the Canadian ether. We were there when *someone* got caught backdooring the Linux kernel source. Cough. 

She was there. For all of it. 

When we left the party I looked at her, expecting to see some kind of frustration or disgust, as Jaime typically felt emotions very strongly. She just looked at me, shrugged, and said "Sunlight just don't sweeten trash, do it?" 

We wandered off to the next party and ended up playing the piano under a laser light show while our British friend got so drunk they wandered off with a large novelty poster that we're quite certain they weren't supposed to take ;-) 

While My Guitar Gently Weeps

While Jaime was able to turn away from pain like this, it eroded her armor over time. It erodes all of us. The bigotry. The sexual abuse. The violence. 

No matter how we leave this Earth, we are leaving it a little less human than we were when we emerged from our mother's womb. 

Jaime, more than anything, taught me to bide my time and take it slow. She taught me to listen to other people. She taught me to respect other lifestyles because you care about the human behind that mirage. She taught me that friendship didn't mean having everything in common with someone, but that friendship was simply about being there. It was about being human. 

But she also taught me to rush and never waste the day. She lived hard. She lived brightly. She lived like a day couldn't be spared. 

She was my best friend. And I'll miss her dearly. 

Fare Thee Well,

Don A. Bailey

Monday, October 23, 2017

An Eulogy for Infosec

Sam's Funeral

Last night I watched one of the best episodes of television to ever grace the liquid crystal affixed to the center of my living room. The episode "Eulogy" from season two of Pamela Adlon and Louis C.K.'s "Better Things" absolutely floored me. If you aren't watching, I highly suggest the show. Season two is particularly exceptional, and not solely for "Eulogy". 

Warning: this blog post is basically a spoiler for the episode. 

In the episode, Pamela's character Sam Fox starts off by leading a class in acting. This scene is meant to highlight the fragility of acting as a profession due to the drudgery of wading through awful writing to simply taste the chance of performing a brilliantly written piece, while exemplifying the actor's duty to capture and reproduce human vulnerability almost seamlessly. The cool and breezy way Sam exposes her students' strengths as weaknesses is elegantly juxtaposed against her own assertiveness. 

In the following scene, the exceptional skills Sam has tuned over the years are almost tossed aside when the practical and logistical world of commercial acting imposes itself on her. Take after take, she's relegated as the side-lined wife to a man-child in a fast, red car. Her talent has little bearing on her value in this scene, and is a perfect parallel to many careers that require years of stringent training to perform what are essentially menial duties. 

The rest of the episode is a beautiful study of these first two scenes, through the eyes of Sam and her daughters. At home, Sam's daughters dismiss her career as uninteresting; something to submit a casual eye-roll toward. Interestingly, Sam breaks the rule she defined for her actor students in the first scene by being confident and assertive, challenging her daughters, demanding their respect for her hard work and success. The daughters dismiss her as childish and weak, driving her from the house. 

Skip to the final scene, Sam arrives back home to a surprise "funeral", where her daughters and friends are eulogizing Sam, in order to tell her - albeit pseudo-indirectly - how much they do love and respect her. Sam (Pamela?) completely breaks down in perhaps one of the most sincere, vulnerable scenes I've ever watched, as she fulfills the promise set forth in scene one. 

Phenomenally written by Louis and heartbreakingly acted by Pamela, the episode actually brought tears to my eyes, for so many personal reasons. However, it also struck me as fascinating because professionally we suffer the same fate in so many careers, but especially information security. Why? Because we've been killing our industry for years. 

The Death of an Industry

At 44con this past September, I described why Information Security as an industry is dying. Don't believe me? You're not paying attention. Hacking, as an art, is dying. Our industry has been screaming at engineers and developers for decades without any attentiveness whatsoever. Yet, over the past ~5 years, they're finally starting to listen. This is primarily thanks to major corporations like Google, Apple, and Microsoft backing information security as a necessity. Google Project Zero, Microsoft BlueHat and their many other initiatives, the exceptional team at Apple Product Security, they all have pushed the limits of what can be accomplished in offense. The result? A far stronger baseline for defense than we've ever seen in the history of computing.

Today, it's almost impossible for an average hacker to develop a zero-day exploit for any given target. In the late 90's and early aughts, zero-days for Bind, sendmail, and even SSH were floating from secret-hacker-cult to secret-hacker-cult without the commercial world being any wiser. The cost of developing and deploying such technology today is so high that only a handful of people can do it, when it can even be done. 

We're also finding flaws faster than ever before. I wouldn't presume this is because there are "more" experts in the industry than ever before. That's quite flawed logic. Rather, it's because the tools are more cost effective and more available than ever before. Skilled hackers are still in the 1% of our industry, but they have better equipment than ever thanks to open source software and improvements in high-level programming languages. 

Point being? They're finally listening. Companies are hiring hackers at record speed. They're building security teams. They're building Secure Software Development programs. They're absorbing us. 

The result? We are no longer unique. We are becoming integrated.

Better Things

But the real question that the episode "Eulogy" brought to mind was, are we respected? For all the effort we put in to coerce companies to integrate security into their process, are we heard? Are our efforts changing anything for the better?


While we perceive the baseline of security to be significantly elevated (and it has elevated), it has also shifted. We are essentially Sisyphus, except every boulder we focus on pushing uphill leaves another boulder to fall. While smartphone security has improved, laptop endpoint security has declined. IoT security is practically non-existent, while cloud security is fairly resilient.

The baseline elevates based on our voice. And our voice is psychotic. Our industry spends more energy confusing executives and end users than it successfully solves problems. We plead for engineers to listen to us, yet refuse to engage in reasonable discourse on what is cost-effective and practical, focusing instead on what mysterious and ethereal subtle flaws may or may not exist in hardware Trusted Platform Modules.

Let me clarify something for you. The world is like Sam Fox's daughters. They just don't give a fuck what you think. They love you when you care for them. They love you because you care for them. But they don't want to hear your whining fucking voices. They want you to fix things. And we're not fixing things. If anything, we're scattering the problem through our pettiness and flippant behavior. 

We need to spend less time spouting the infosec equivalent of Trump-isms over 140 character communication channels and more time making Better Things. Change happens when we stop posturing. When we stop trying to be cool. When we sit down, communicate our thoughts in a healthy manner, and listen to each other. Change happens in spite of ourselves. Change happens when we show the world what real problems are, instead of what our agenda dictates. 

So shut the fuck up. Put your phone down. And make something better.

And to quote Diedrich Bader's character in the episode, don't engage me if you don't want to know how I actually feel about your thoughts and behaviors. 

Your Friend,
Don A. Bailey
CEO / Founder
Lab Mouse Security