Monday, 13 June 2016

Scottish Football Fans and LinkedIn(2012)

So Scotland is pretty used to not being represented at international football tournaments, so much so that the legend Paul Gascoigne once said, “What do you call a Scot at the World Cup? Referee!”. It's harsh, incredibly harsh. Yet as a fan of the Scottish game, and with no team I can really support in good faith during the Euro 2016 tournament, I'm left with some time on my hands.

So as some of you know, LinkedIn suffered a compromise back in 2012, and it was discovered later on that their password security was a little lacking. Namely, they didn't salt their hashes. I won't go on about this point as it would be akin to flogging a dead horse. However, with a little bit of fu I was able to search the LinkedIn dump for particular hashes.

Now, missing out on football whilst everyone else is getting to play inspired me to look at how popular Scottish football teams are as passwords within the LinkedIn dump. So I decided to produce a league table of SCOTTISH TEAMS ONLY!!! BECAUSE WE CAN EXCLUDE YOU GUYS TOO ;)

This isn't definitive and only a little fun, but here goes:

1) Rangers Fans – 5669 passwords
2) Celtic Fans – 4509 passwords
3) Hamilton Fans – 4042 passwords
4) Hearts Fans – 2544 passwords
5) Aberdeen Fans – 2008 passwords
6) Dundee Fans – 1226 passwords
7) Albion Fans – 1062 passwords
8) Morton Fans – 956 passwords
9) Montrose Fans – 709 passwords
10) Hibs Fans – 484 passwords
11) Livingston Fans – 418 passwords
12) Motherwell Fans – 188 passwords
13) Falkirk Fans – 184 passwords
14) Kilmarnock Fans – 99 passwords
15) St Mirren Fans – 95 passwords
16) Partick Thistle Fans – 84 passwords
17) Dunfermline Fans – 77 passwords
18) Arbroath Fans – 73 passwords
19) Dumbarton Fans – 67 passwords
20) Forfar Fans – 50 passwords
21) Dundee United Fans – 47 passwords
22) Brechin Fans – 46 passwords
23) Stranraer Fans – 36 passwords
24) Peterhead Fans – 31 passwords
25) Raith Rovers Fans – 29 passwords

Now, granted, there may be a few false positives, and I didn't have time to search for EVERY Scottish football team and every permutation of their name. However, whilst we can't fly the St Andrew's during the Euros, I'd suggest this is a bloody good time for fellow Scottish football fans to go change their passwords.
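The reason a search like this works at all is the lack of salting: every user who picked the same password got the same stored hash, so one SHA-1 of a candidate word finds every account using it, and grouping by hash reveals how popular each word is. This added example (not the post's own script; the password sample and the salted scheme are constructed for illustration) shows the count on an unsalted set beside the same lookup against per-user salted hashes, where identical passwords no longer share a hash:

```python
import hashlib
import os
from collections import Counter

# Constructed sample standing in for a set of leaked plaintext choices
# (not the LinkedIn data; picked so the counts below are easy to follow).
SAMPLE_PASSWORDS = ["rangers", "celtic", "rangers", "hearts", "Summer2012",
                    "rangers", "celtic", "aberdeen", "correcthorse"]

# Candidate words to look up, lower-cased team names as in the league table.
TEAM_NAMES = ["rangers", "celtic", "hearts", "aberdeen", "hibs"]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()


def unsalted_dump(passwords):
    """Unsalted SHA-1, the scheme the 2012 LinkedIn dump exposed."""
    return [sha1_hex(p) for p in passwords]


def salted_dump(passwords):
    """Per-user random salt stored beside the hash (constructed contrast)."""
    out = []
    for p in passwords:
        salt = os.urandom(16)
        out.append((salt, hashlib.sha1(salt + p.encode()).hexdigest()))
    return out


def count_team_passwords_unsalted(dump, team_names):
    """One hash per candidate word, then a frequency lookup over the dump:
    identical passwords share an identical hash, so popularity is visible."""
    hash_counts = Counter(dump)
    return {t: hash_counts[sha1_hex(t)] for t in team_names}


def distinct_hashes_for_same_password(dump_salted, password):
    """With salts, the same password maps to a different stored hash per user,
    so confirming it costs one hash per record and grouping by hash reveals
    nothing. Returns (distinct stored hashes, records using the password)."""
    matching = [h for salt, h in dump_salted
                if hashlib.sha1(salt + password.encode()).hexdigest() == h]
    return len(set(matching)), len(matching)
```

On the sample, the unsalted count reports 3 Rangers, 2 Celtic, 1 Hearts, 1 Aberdeen and 0 Hibs from a single hash per word, while the three salted Rangers records come back as three distinct hashes.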
finux Xx

Wednesday, 24 February 2016

It's double-sided™
Save your time, this is going to be long with high chances of rantiness drizzled throughout it. It seems once a year or so I end up blogging about something that's more of a reaction piece than anything of any real value. My guess is, this is no different. As many of you may have noticed, my engagement with the InfoSec-Community™ has been winding down for a while. I can't quite put my finger on what the issue is, but I know whatever it is makes me uneasy. Either I have changed (which I have, I hope for the better) or the InfoSec-Community™ has. When I started getting involved in community events, it was Security-BSides London, and I'd dare to say that if I hadn't gone my life may have been very different. I made life-long friends at the conference, I learned a lot, and I realised from that moment that we're a better community when we can meet and exchange. Since then I've always held BSides close to my heart, and as I've grown and changed, my involvement in BSides events has too. I went from attendee/speaker to organiser (one of them) of the Rookie-Track to organiser of 3 BSides conferences. I tell you what though, for large parts, it's a thankless task. For me though, there is a moment when I look out at the event we created and see all the participants, and I know in my heart of hearts we did something worth doing. That in some small way we did make a difference.

I guess this is why today's news to Security-BSides organisers, that we have a Board of Directors (BoD) that has decided it will be trademarking Security-BSides, was a blunt knock to the feels. The TL;DR is that a BSides event in Germany (anywhere) will need to be rubber-stamped by one of a few people in America, and an American contract will need to be signed. This contract's jurisdiction (and recourse) will be in California. Apparently there was a discussion on a Google Group, and now as an organiser of a German BSides I need to ask and agree to terms with a Board of Directors that I had no idea owned BSides. I kinda assumed it was all of us that owned it, which yes, makes me one of the dumbest freetards on the planet. “But finux, someone needs to protect the global brand,” I imagine some of you are saying, and you know what, I think you're wrong. Not just a little wrong, but a whole slice of pie wrong. BSides events are great because they're a representation of the communities that host them, because no two of them are the same. As a BSides organiser in Europe I can assure you that the sponsors we're getting are from our organisers' own networks of contacts and not from some global franchise owners. Our sponsors are interested in what we offer them, not what a Californian judge agrees.

Those that follow the talks I've been giving at BSides events (irony is not just a friend of the wrinkly, it seems) will know that building weapons to protect yourself from future perceived attacks is a slippery slope. I really wonder how having a trademark infringement case, by a community against its own community, will bear anything other than a lose/lose situation. Can we imagine our new global BoD shutting down a community BSides event? Let that sink in. Filing an injunction in a Californian court, against any BSides event, anywhere, because one of a handful of people decided that “no, you can't be a BSides event”. Of course, they can opt not to do that, and not to file an injunction, but it sort of precludes you from doing it at all. “Oh, you didn't do that against BSidesFFM but you're doing it against us”. The problem with developing a structure to shut BSides events down is you might have to shut a BSides event down. The reality of it is, all BSides now seem to have a centralised government. I can assure you all, I had no idea about any discussion about having this until I was told we had it. I spoke to two of the global BoD less than two months ago, and it didn't come up then.

Let's not forget that sponsors, organisers and the BoD are only a small part of the BSides ecosystem, but did anyone discuss this with the attendees/participants? I mean, if there is a global brand that needs to be protected, then surely they're the stakeholders that give that brand value. I've not asked any participants, but I wonder how our attendees feel about our event happening because a BoD in the United States of Security-BSides™ says we're permitted. Then again, I'm pretty sure most don't care. Apathy is a wonderful thing sometimes.

I'm at a loss for what this really means. Has BSides just become a brand that is to be shaped and governed by a few, and if so, why did we agree to that? What do we get for losing control over our own destiny as events? Will those that are protecting our events from those events' organisers actually be adding any benefit to those events? I worry if the next thing we need to do is start paying a stipend to be allowed to use the word BSides, you know, because there are costs. Will part of an event's sponsorship money be siphoned off to fund shutting down other BSides events in other parts of the world? Who is going to protect us from our BoDs, today, tomorrow, next week, next year, next decade? Everyone on that BoD is a good person, and all of my ranting isn't a reflection on those wonderful human beings; I hope I can say that for the next Directors and their successors.

I know I'm not helping on first glance, but we need to ask ourselves: are we just a brand? Are we losing our way? Do bigger BSides events have influence now over how events are managed, and who manages them? But the biggest question is, which one of you made things so that our global BoD feels they need to have control over events they don't organise?

Many BSides events in many different non-US colonies will need to discuss amongst themselves if running with just the ideals of BSides, but without the Security-BSides™ endorsement, is an option. I know at BSidesHH we're going to be discussing if we're going to become HamburgSides, or stay the same. The real question is, do we fork off?

Arron 'finux' Finnon