Wednesday, October 14, 2015

GHC15: Wednesday Keynote: Hilary Mason

We are welcomed here by Telle Whitney herself - a good friend of Anita Borg, the woman who founded this conference.

The first GHC had only 500 women technologists - this year?  Twelve thousand people from over 60 countries. We have an increasing number of men. They are now experiencing here at this event what most of us experience every day - welcome to our world!

Alex Wolf, president of ACM, talked about ACM. It's a member society and the largest and oldest of such in the world. It has 110,000 members.  Why would you join a professional society?  We have so many means of interacting today on social media, in ways replacing parts of the role of professional society.  ACM is the pinnacle of technical stewardship. They published 22,000 articles last year alone!

ACM also wants to work to make a difference. They do curriculum development around the world. Continuing their focus on education, they spun out a subgroup, CSTA - the Computer Science Teachers Association, focusing on K-12 teachers.

ACM also focuses on improving diversity. A group you'll see a lot of here is the ACM-W group.  They have a booth here, so please go meet them.

Now our keynote: Hilary Mason, Founder and CEO at Fast Forward Labs - a computer scientist, a data scientist and a CEO! Wow!

Reddit - the best and worst of the Internet. Great quote on showing someone from the past the neatest thing about the future: I have a device in my pocket that has the sum of all human knowledge, and I use it to look at cats and argue with strangers. Note: technology has changed, but people are the same.

Machines are now starting to do things we previously believed were only in the domain of humans: art, writing poetry, using data to build better apps. For example, with Foursquare - it started just as a basic check-in, but now it knows what you like and don't, and can make food recommendations specifically for you based on your location.

Why is this happening now? First and foremost, we can afford the compute power now! We all have computers more powerful than an ENIAC in our pockets.

Everybody thinks their data is unique - but it turns out, human behaviour is predictable. This makes it easier to learn.

And finally - we have the data! Even if you didn't collect it, you can get access to it (ref: data.gov).

Technology is now so accessible and cheap: did research around... what's the cutest animal in the world?  The answer: the dog.

Years ago, Sony made an electronic dog - Aibo. In 2013, Sony stopped repairing them. But people fell in love with their "dogs" - so now they are having funerals for their pets. Check out: A Robotic Dog's Mortality.

Our past impacts us: think about what happened to the A: and B: drives on Windows. Where did we get 80-column screen width from? Punch cards. Where did we get code comments from? Yep, punch cards again.

Fifteen years ago, data science didn't exist.  So, when you think about what you're going to be doing in 5 years - think about where the industry will go.

A lot of startups have to rely on commodities - because inventing hardware, etc, along with a new business model and idea - can be too much.

But look out for things that are about to commoditize. For example, the price of hard drives is starting to drop - what interesting thing could you do now with lots of disk space you couldn't afford to do 5 years ago?

Look at Hadoop - you can be doing computations and not care where in the world they are happening.

The last thing: new data is constantly becoming available.

A dirty research secret? Many data analysis tools are trained on the English version of Wikipedia, so many of these tools are better with English than with other languages.

Her team has been doing research on real-estate ads - they've found that if a home is described as "cozy" it's 400 sq feet smaller than the average house. Oddly, if it's described by agents as "large, open" etc., it's usually average or just below average. What they learned? If the agent is talking about size... the place is not large.

She talked about analyzing photos from Instagram. It's not perfect: it identified all photos taken on the NYC subway as prison photos - oops! They had used pictures of prisons in the training set, but no subway photos. It's funny, but as we're integrating this into our lives, we need to think about the impact of these errors.

Think thoughtfully of what we're going to build - together.

Careers in technology are hard to plan, as everything is changing so fast. Think about what direction you want to head into to create the world you want to live in!

What an inspiring and informative talk!

ABIE Award Winners!

Technical Leadership Award winner: Dr. Lydia Kavraki! She's the Noah Harding Professor of Computer Science and Neuroengineering in Houston. She's a fellow of ACM and IEEE! Congratulations!

To learn more about ABI.local groups - how you can join or start, please see the Anita Borg website.

Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!

Tuesday, September 29, 2015

Raising Money For Valley Fire!

You may or may not have heard about the devastating Valley Fire in California, where over 76,067 acres have already burned. The fire is now 95% contained, but there are still nearly 3 thousand homes threatened by the fire. 1,307 homes have already been destroyed, with another 41 damaged.

These people have lost everything - many barely escaping with the skin on their backs. They had to evacuate so quickly, they had to leave behind pets and livestock, family pictures and heirlooms. YouTube has some pretty terrifying videos of the escapes.

The long drought we've had in California has hastened the spread.

Next weekend, on October 3rd, Mark is riding 100 miles in Levi Leipheimer's Levi's GranFondo. It's an excruciating ride, with major climbs. I am not in good enough shape to ride with him, so I will be working at the water rest stop at the top of the gnarliest climb - then serving beer in the afternoon as the riders finish their rides.  It's an all day event for us both - starting quite early in the morning.

The GranFondo always raises money for local charities - some of you may recall Levi's involvement with the American Lung Association (I got to ride my bike with him once!).  This year, 80% of the money raised will go to Valley Fire victims.  The rest to other local charities.

Please sponsor me!
https://fundraise.levisgranfondo.com/bubbva

Thanks!

Valerie

Friday, September 18, 2015

Silicon Valley: We Are Crushing Ourselves - or - Goodbye Fiesta del Mar

We're creating a mess that will haunt us for years. I don't know the solution, but I do know what I'm seeing and hearing are not okay.

Fiesta del Mar has been running in their Shoreline location for 24 years.  I first went there back in 1995 myself, when visiting the south bay.  I moved to Sunnyvale in 1996, and by 1999 I was in Mountain View - walking distance to Fiesta del Mar. I've moved several times since then - but every time I rented and even when I bought my house, I had the requirement of "I still have to be able to walk to Fiesta del Mar".

They are a successful family run business that serves amazing shrimp dishes and outstanding Mexican fare with the best margaritas in the Bay Area - all with a smile.  Everyone there knows my name, my favorite margaritas (La Yarona), and that they cannot possibly give me enough of their amazing salsas.  They are always packed, yet always quick with your food.

And they are closing on September 26, 2015.

Huh?

They've lost their lease. Last I heard the new land owner was going to build an office building with a Panda Express and another Starbucks.

We are losing a successful family business for a Panda Express (or some yet to be determined chain restaurant).

The manager of Fiesta del Mar is going to try to move as much of his staff as he can to the family's other restaurants in Mountain View - Fiesta del Mar II and Agave.  That's great of the family to do that, but it won't be the same.  Each of those establishments makes their salsa and sauces just a bit differently, the interiors are very different, and they are in the difficult to find parking downtown area. Yes, I walk - but my friends drive to Fiesta del Mar from all over the Bay Area.

La Costena, a burrito themed taqueria, lost their Mountain View Rengstorff location a couple of years back. I used to go there for an amazing burrito.  They were lucky and found another place on Middlefield - but in a completely different neighborhood.

DeeDee's Indian Buffet and Grocery lost their location a few years back, so an apartment building could be built - and never could find a suitable alternative location in Mountain View. So, guess how many Indian grocery stores Mountain View has now? Zero.

I've seen neighbors posting on NextDoor complaining about the sudden rise in RVs, buses, vans and cars on the street with people obviously living in them.  After Mountain View closed their last RV park...is this so shocking?  I used to live in the Forest Glenn town homes, and read in the paper that the landlord is evicting everyone to remodel, and raise the rents. I knew families that had lived there for 10 years or more. Where will they go?

Walking to the transit center the other day before 8AM, to take my company's corporate shuttle to work - I saw a man washing his hair and face in a water fountain in the park. He had a tube of toothpaste and a toothbrush in his back pocket. He was dressed nicely, clearly getting ready for work - and clearly living somewhere without running water.

Houses in my neighborhood are being purchased by "investors" and left empty, or in one case turned into a Youth Hostel with bunk beds!  Families are losing their home for "investments".  One "gentleman" bragged on our neighborhood alias about how he will outbid any offer you get on your house, as he's collecting houses in our neighborhood so he can remake them in his "vision" - he already owns 5.

And just over the last two weeks, I've read with horror about the police arresting transients for stealing clothing! CLOTHING!  One man stole a shirt from Walgreen's, and was booked in the San Jose jail. Another stole a pair of shoes from Walmart (he did become violent when confronted) and again taken to jail.

Is there not a better place to take poor people who are homeless and desperate for clothing and shoes?

We are clearly not meeting our community's needs and we're in crisis.

I've loved Mountain View for its diverse cultures, non-chain restaurants and focus on community.

Can we get this back? How can we better serve those who do not have Silicon Valley paying jobs? Is there a place for us all?

Tuesday, September 8, 2015

GHC15: Call for Volunteer Bloggers and Note Takers!

It's that time of year again - we are looking for volunteer bloggers and note takers for the Grace Hopper Celebration of Women in Computing!  The conference will be held in Houston, TX and our theme is Our Time To Lead!

Not everyone can make the trip - or make every session they are interested in - to that end, we need your help! Are you an excellent note taker? A passionate blogger? Then you can help us to share the conference with thousands of others around the globe by becoming an Online Community Blogger or Note-Taker.

The deadline to apply is September 18, 2015 - so please don't delay!

Please note: you must be already registered in order to participate. Volunteering as a note taker or blogger does not get you a registration, travel, hotel, etc. It's just a way to give back to this great organization!

Hope to see you there!  Valerie

This post is syndicated from Security, Beer, Theater and Biking!

Friday, August 7, 2015

BHUSA15: Black Hat Roundup

I just got back from my first Black Hat conference! This may seem strange, that I've never been, but it always seemed too expensive and many of the talks were repeated at DefCon. My first DefCon was DC2 - I was still basically a kid. I could not drink nor gamble, but I had a blast year after year meeting super bright folks and learning neat hacks. Learning what I did at DefCon has definitely shaped my career - there's no way I would've ended up in a more than two decades long career in computer security without it.

Did DC have its downsides? Yes, definitely. As noted by a woman on the "Beyond the Gender Gap" panel, it gets tiring "proving it again" (and again) every time I would walk into the room at DefCon. "Who's your boyfriend?" "I'm single" "Oh, so you're a scene whore?" "No" "Oh, then you're a fed!"

Then I would have to proceed to prove my technical prowess over and over again. (best advice for men came from that panel: never start with "who are you here with?", but rather "What do you do?") [Note: I did have a boyfriend my first couple of DefCons, and later a husband - who did not come, as he wasn't interested in the con, but I was at other times single.]

DefCon also had amazing moments - here we are at DC9 in 2001. Babies!  (I don't seem to have older pictures on my site - but I was there, usually with Artimage and Angus).

But, that didn't happen at Black Hat. Folks (men and women) spoke to me like a human. It was really nice. Other than when I went to the bar to meet one of my friends Tuesday night, nobody stared at my chest. I was able to attend two women-focused luncheons and meet lots of interesting and smart security-focused women. Black Hat USA has a Code of Conduct, lots of staff, and plenty of time between sessions to network, charge batteries or go pee.

I want to thank Runa Sandvik who first of all gave an awesome talk on a wifi rifle (you know, we all need one) and gave me the free pass to attend!

Still surprising to see people drinking at 7:30 in the morning, and drinking EVERYWHERE (in the elevator a lot).  Coming from California, all the smoking was strange, too. A guy sat next to me in a session "vaping" pot - really? Can't wait until break?  Fortunately, the conference halls were non-smoking, so I escaped an asthma attack.

Overall, a very informative conference! I would highly recommend, for the very high caliber, true research talks.

Did you have a good time? Any stories to share?

Thursday, August 6, 2015

BHUSA15: Hi This Is Urgent Plz Fix ASAP: Critical Vulnerabilities and Bug Bounty Programs

Kymberlee Price, Bugcrowd (aka @kym_possible)

We won't be talking about low-level bug bounty programs today, just the critical bugs. Kymberlee has an extensive background as a developer and has been working lately on a "red team".

Google runs a vulnerability reward program (VRP) for which they publish some data. It doesn't include the Chrome award, Android award, or patch award program - but it includes lots of other things: Google.com, Google Play, etc.

The more time that passes, the fewer vulnerability reports come in - but they seem to be of higher quality. Google has had to increase their bounty to keep the bugs coming in.

Facebook has a similar program and had 17,000 submissions in 2014 alone. Out of that, only 61 high severity bugs. Their minimum award is $500. Their total payout for valid submissions was $1.3 million to 321 researchers. Their top 5 researchers made a total of $256,750 - those had to be massive vulnerabilities.

India is the top country for Facebook's valid bug submissions, with Egypt coming in second - and the USA in third place. In India, the average payout was $1343, in Egypt $1220 and in the US $2470.

GitHub's bug bounty program is 1 year old today!

Microsoft will pay up to $100,000 for novel exploitation techniques against protections built into the OS, and an additional reward of up to $100,000 if you also develop a defense.

MS runs a "hall of fame" - which indicates you received a bounty. If your vuln results in a CVE, you'll be noted in the security alert.

Whether the target is software or online services changes who submits your bugs (e.g. India is very high for MS's online services, but not as high for software).

Across 166 customer bug bounty programs, there were 37,227 submissions. There were about eight thousand non-duplicate, valid vulnerabilities. Of those, 3,621 were awarded - paying out $700,000+ (average payout around $200, largest $10,000).

Every one of these programs is getting really critical vulnerabilities.

Who is finding these?  Professional Pen Testers and consultants (in their spare time), former developers, QA engineers and IT admins.

India, US and Pakistan are top three for volume of submissions.

Reginaldo Silva reported an XML external entity vulnerability within a PHP page that would have allowed a hacker to change Facebook's use of Gmail as an OpenID provider to a hacker-controlled URL, which would then serve requests with malicious XML. Fixed quickly, and the researcher was rewarded and recognized.

Kymberlee then did a deep dive into a few of these fun (and very serious) vulnerabilities found, even including videos and audio from the researchers who found these themselves. These vulnerabilities were things like banks and cars!

You need to make sure you tell researchers in advance what you need to help you triage it faster (this can be email or webform). Set expectations, but you need to have a rapid triage and prioritization process in place (to get to the P1s faster).

Now, don't expect an eloquent write up - English may not be their first language. Allow them to provide a video of the reproduction steps.

You need to have your "in scope" and "out of scope" clearly defined, and a process for how to handle things that don't fit into either category (because they weren't defined well enough - it will happen).

To reduce noise, provide pointers to guidance and training, like Bugcrowd's forum.

Have a plan to deal with duplicates. You don't see this often for P1 or P2, because those are fixed quickly. Don't let the lower priority bugs languish, either. If they are getting reported over and over again, you're wasting resources telling the researchers they have hit a duplicate - and if researchers are finding this every week, so are the bad guys.

Some of the bugs can be so severe that they are worth the entire program. You don't want those vulnerabilities out there.

How to reduce noise? Publish and stick to your program SLA. Stop rewarding bad behavior (i.e. don't give someone "hall of fame" acknowledgement just because they are pestering you). Avoid creating bad behaviour by being consistent, rewarding quickly, and having good documentation.
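The triage advice above (dedup, a published SLA, and not letting repeatedly-reported low-priority bugs languish) is the kind of thing a program runs as a queue process. The following is an added illustration, not Bugcrowd's or the speaker's code: a small Go triage pass over a constructed inbox that groups reports by a normalised fingerprint, measures the SLA from the earliest report, and escalates P3+ issues that keep coming back. The SLA values, the repeat threshold and every submission are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Submission is one researcher report; all fields here are constructed.
type Submission struct {
	ID        string
	Received  time.Time
	Component string // e.g. "login", "api/export"
	Class     string // e.g. "XSS", "XXE", "IDOR"
	Priority  int    // 1 = most severe (P1)
}

// Issue aggregates every submission that points at the same underlying bug.
type Issue struct {
	Fingerprint string
	Priority    int
	FirstSeen   time.Time
	Reports     []string // submission IDs in arrival order; first is the original
	SLABreached bool     // open longer than the published triage SLA
	Escalate    bool     // low-priority bug that keeps being re-reported
}

// slaFor is the published time-to-triage per priority (constructed values).
func slaFor(priority int) time.Duration {
	switch priority {
	case 1:
		return 24 * time.Hour
	case 2:
		return 7 * 24 * time.Hour
	default:
		return 30 * 24 * time.Hour
	}
}

// fingerprint normalises component and class so "XSS in Login" and
// "xss in login" collapse into one issue instead of two.
func fingerprint(s Submission) string {
	return strings.ToLower(strings.TrimSpace(s.Component)) + "|" +
		strings.ToLower(strings.TrimSpace(s.Class))
}

// Triage groups submissions into issues, measures the SLA from the earliest
// report, and escalates P3+ issues reported at least repeatThreshold times:
// if researchers keep finding it, so will attackers.
func Triage(subs []Submission, now time.Time, repeatThreshold int) map[string]Issue {
	ordered := append([]Submission(nil), subs...)
	sort.Slice(ordered, func(i, j int) bool { return ordered[i].Received.Before(ordered[j].Received) })
	byFP := map[string]*Issue{}
	for _, s := range ordered {
		fp := fingerprint(s)
		iss, ok := byFP[fp]
		if !ok {
			iss = &Issue{Fingerprint: fp, Priority: s.Priority, FirstSeen: s.Received}
			byFP[fp] = iss
		}
		iss.Reports = append(iss.Reports, s.ID)
		if s.Priority < iss.Priority { // keep the most severe rating seen
			iss.Priority = s.Priority
		}
	}
	out := map[string]Issue{}
	for fp, iss := range byFP {
		iss.SLABreached = now.Sub(iss.FirstSeen) > slaFor(iss.Priority)
		iss.Escalate = iss.Priority > 2 && len(iss.Reports) >= repeatThreshold
		out[fp] = *iss
	}
	return out
}

// SampleNow and SampleQueue are a constructed snapshot of an inbox.
var SampleNow = time.Date(2015, 8, 6, 12, 0, 0, 0, time.UTC)

func SampleQueue() []Submission {
	d := 24 * time.Hour
	return []Submission{
		{"R-101", SampleNow.Add(-2 * d), "api/export", "XXE", 1},
		{"R-102", SampleNow.Add(-20 * d), "Login", "xss", 3},
		{"R-103", SampleNow.Add(-13 * d), "login", "XSS", 3},
		{"R-104", SampleNow.Add(-6 * d), " login ", "XSS ", 3},
		{"R-105", SampleNow.Add(-3 * time.Hour), "profile", "IDOR", 2},
	}
}

func main() {
	for fp, iss := range Triage(SampleQueue(), SampleNow, 3) {
		fmt.Printf("%-16s P%d reports=%d slaBreached=%v escalate=%v\n",
			fp, iss.Priority, len(iss.Reports), iss.SLABreached, iss.Escalate)
	}
}
```

On the sample inbox the P1 XXE report is flagged as past its 24-hour SLA, the three XSS reports against the login component collapse into one P3 issue that gets escalated because it keeps being re-found, and the fresh P2 IDOR is neither breached nor escalated. A real program would key the fingerprint on more than two free-text fields, but the shape of the decision is the same.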

By crowdsourcing this, you can bring people from around the world into your security team - people who cannot or do not attend conferences like Black Hat, etc.

This was a really fascinating and informative presentation!

BHUSA15: When IoT Attacks: Hacking a Linux-Powered Rifle

Runa A. Sandvik is a privacy and security researcher, working at the intersection of technology, law and policy.

Michael Auger is an experienced IT security specialist with extensive experience in integrating and leveraging IT security tools.

Runa and Mike spent the last year researching the TrackingPoint 338TP. When CNN asked Runa why attack a rifle, she replied, because "cars are boring".

The base rifle is a Remington 700 .308 bolt-action rifle. The hardware platform is called "Cascade" and runs a modified Angstrom Linux.

It uses Tag Track Xact (TTX).

The wifi is off by default, and you cannot fire the rifle remotely.  The gun still works even if the scope/targeting system is broken - it is a gun, after all.

The first thing that they did was run a port scan on the rifle. It runs a web server and an RTSP server.

The more interesting side is the TrackingPoint app - you can adjust settings for wind and media, and do software updates.

The mobile app was using encryption, etc.

When they got stuck ... they just tried ALL THE THINGS! :-)

After round 1, they found that the SSID contains the serial number, and it can't be changed. Guessable WPA2 key, and it also cannot be changed. Any RTSP client can stream the scope view.

The API is unauthenticated, but it does validate input.

There is a 4-digit PIN that locks advanced mode - it can be brute-forced. "/set_factory_defaults" resets the lock. Updates to the rifle are GPG encrypted and signed.

Round Two...

Fortunately TrackingPoint's website has an excellent diagram of what the rifle would look like, before tearing it apart. They actually used their CAD drawings in their marketing material. Though the website has a lot of 2D things, in reality the circuit board is round :-)

To get the circuit board out, you have to desolder at least 60 pins.

So excited to see it booting Linux!

But, alas, it did not auto-login as root.

Console access is at least password protected, and the kernel and filesystem are on separate chips.

The filesystem chip was hidden under a big capacitor - they missed it the first few times.

Some of the folks they were working with recognized the silk screening on the board and recommended an EMC to USB converter. Then got to see what was on the filesystem.

The web server had a lot of interesting APIs, like ssh_accept - that could be fun!

The system backend requires an unpublished API call to open a port. The API validates input, but the backend does not. You can make temporary changes to the system: change wind, temperature and ballistics values, control the solenoid, etc. They could even lock the trigger, crash the gun, make the scope think it is attached to a different firearm, or make one command segfault (which triggers a reboot).

The changes are temporary, if the user reboots, the changes will be lost.

Now time for demos!

Watched a change in the ballistics screw up the calculation so that the shot hit the target next to the one you were aiming at.

TrackingPoint operates with two GPG keys for updates, one of which is on the scope. Update script accepts packages signed by either of the two keys. This will allow you to make persistent changes to the system AND get root access.

Successfully able to login with no password as root!

Round 3 findings: the Admin API is also unauthenticated, the system backend is unauthenticated and does not validate input. The GPG key on the scope can encrypt and sign updates.
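The update finding is the one with lasting consequences: the update script accepted packages signed by either of two keys, and one of those keys lived on the scope, so anyone with the device could mint "vendor" updates that persist across reboots. The defensive shape of the fix is that the device carries only the vendor's public key and the trust set never includes a key the device can sign with. Below is an added Go illustration of that policy, written for this post and not TrackingPoint's update code; it uses Ed25519 from the Go standard library in place of GPG, fixed constructed seeds for both keys, and an assumed version field for rollback checks.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a firmware update.
type UpdatePackage struct {
	Version int
	Payload []byte
}

// signingInput is what gets signed: a version prefix plus a SHA-256 of the
// payload, so the signature also binds the version used for rollback checks.
func signingInput(p UpdatePackage) []byte {
	h := sha256.Sum256(p.Payload)
	var b bytes.Buffer
	fmt.Fprintf(&b, "update-v%d:", p.Version)
	b.Write(h[:])
	return b.Bytes()
}

// Verifier holds only the vendor's public keys. Nothing that can sign
// (no private key) is ever part of the device-side trust set.
type Verifier struct {
	Trusted      []ed25519.PublicKey
	InstalledVer int
}

// Accept returns whether the package may be installed and a reason string.
func (v *Verifier) Accept(p UpdatePackage, sig []byte) (bool, string) {
	if p.Version <= v.InstalledVer {
		return false, "rollback to same or older version rejected"
	}
	msg := signingInput(p)
	for _, pk := range v.Trusted {
		if ed25519.Verify(pk, msg, sig) {
			return true, "signature verified with a trusted vendor key"
		}
	}
	return false, "no trusted key verifies this signature"
}

// Scenario builds one vendor key (modelled as held offline) and one key that,
// as in the talk, lives on the scope itself. It returns the verdicts for a
// vendor-signed update, the same update signed with the device-resident key,
// and a vendor-signed rollback. Seeds are fixed constructed values.
func Scenario() (vendorOK, deviceOK, rollbackOK bool) {
	vendorPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	devicePriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))

	// The trust set deliberately excludes the device-resident key.
	v := &Verifier{
		Trusted:      []ed25519.PublicKey{vendorPriv.Public().(ed25519.PublicKey)},
		InstalledVer: 3,
	}

	update := UpdatePackage{Version: 4, Payload: []byte("constructed firmware image")}
	old := UpdatePackage{Version: 2, Payload: []byte("constructed older image")}

	vendorOK, _ = v.Accept(update, ed25519.Sign(vendorPriv, signingInput(update)))
	deviceOK, _ = v.Accept(update, ed25519.Sign(devicePriv, signingInput(update)))
	rollbackOK, _ = v.Accept(old, ed25519.Sign(vendorPriv, signingInput(old)))
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("vendor-signed: %v, device-key-signed: %v, rollback: %v\n", a, b, c)
}
```

Only the vendor-signed, newer package is accepted; the package signed with the key that lives on the device is rejected even though it is a perfectly valid signature, and a vendor-signed older version is rejected as a rollback. Encrypting updates, which the rifle also did, hides the contents but does nothing for this property; it is the trust set, not the cipher, that decides who can push persistent changes.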

They did need prior access to the rifle for all of the attacks.

But, there are ways to do remote code execution - if you can get on the wifi.

It's not all that bad... USB ports are disabled during boot, media is deleted from the scope once downloaded, WPA2 is in use even if the key cannot be changed, the API does validate user input, console access is password protected and software updates are GPG encrypted and signed.

Will this get better?  Have been calling them since April, zero replies, until Wired called... since have received two calls. TrackingPoint is working on a patch. They have been easy to work with, once the connection was made.

"You can continue to use WiFi (to download photos or connect to ShotView) if you are confident no hackers are within 100 feet" - note on TrackingPoint's website. :-)

They had done security work (better than most people doing embedded work).