Thursday, May 12, 2011

A Conversation With Adam Laurie



Adam Laurie's profile includes working as a computer programmer on the PDP-8 and other minicomputers, and on the various Unix, DOS and CP/M based microcomputers as they emerged in the eighties. He gave the world its first CD ripper, 'CDGRAB'. As the internet evolved, Adam and his brother Ben became interested in open source projects, and they came up with 'Apache-SSL', which went on to become the de facto standard secure web server. Since then Adam has been actively involved in busting several myths about wireless technologies, infrared devices and Bluetooth protocols. Lately, Adam unveiled his latest research about RFID and different threats to privacy. Adam also released a Python library, "RFIDIOt", for accessing and reading RFID devices. Adam and Ben also pioneered the concept of re-using military data centers (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings.
Omer: Adam, please introduce yourself.
Adam: Well, I started off with computers in the early eighties, when my father was the editor of a computer magazine in the UK. So before the computers and the windows that we see today, he used to bring along microcomputers, which seemed to be pretty interesting for kids. My brother and I used to play with these machines and then my father brought them back to the magazine. So we almost witnessed the whole evolution of the computers.
Omer: How long have you been associated with events like Black Hat and DefCon?
Adam: The first DefCon that I attended was DefCon IV. Then I attended DefCon V and became a "goon" there, and there has been no stopping ever since. So, it is almost over 10 years now. When Black Hat first started off, a lot of goons working for DefCon also worked for Black Hat, but it was only for a couple of years. As soon as it became a public commercial event, they hired staff for the work that goons used to do.
Omer: You wrote the first CD ripper, how do you feel about it? The RIAA and other recording associations must be great fans of yours?
Adam: (Laughs) The problem is that when I wrote the first CD ripper "CDGRAB", the hard disk was so expensive and it used to fill all the hard disk space. So commercially it was really a stupid thing to do, because it would just fill up the entire hard disk and that would cost you 30 times more than a CD. So when I wrote the tool there was no commercial use of it, until years later when someone came up with compression standards and hard disk space got cheaper.
Omer: Are you still maintaining the tool 'CDGRAB'?
Adam: Not really. It was written even before Windows was a popular environment. It was a command line tool originally, but we did a Windows version too. It was programmed in C. Then we just stopped maintaining it, we got distracted by the internet phenomenon so much that we started looking into other ideas.
Omer: You have also been a part of the Apache-SSL project, which later became the de facto standard of the secure web. How did the whole idea come to life?
Adam: It is actually my brother's idea. I have been involved in the later stages to do the testing, release and documentation. It was Ben Laurie who actually coded Apache-SSL. The whole idea came even before the internet. We had email addresses even before the web was really famous. We started with bulletin boards (FidoNet) and then when the internet came along, there was a company in the UK, called "Demon", which was actually just a bunch of people chatting on the bulletin boards before they formed this company. So they were just chatting that if 100 of us could get together, maybe we could buy a dedicated leased line onto a service provider, and we'll just put up some modems there and then you can just dial in and get on to the internet. We were one of the first groups in the UK who pooled resources together to get on to the internet, and that company later became one of the biggest service providers in the UK. It has nothing to do with us; we were just the first customers. We then started doing internet projects and we realized that there was no secure open source web server on the internet. The U.S. had some border restrictions over the use of cryptography. Outside the U.S. you couldn't get a cryptographic web server. So we went to the UK government and asked what the rules for using crypto in the UK are. They responded that it's somewhat a grey area, we are still not sure, but just keep a record of whatever you send across and that shouldn't be a problem. We thought that it's not something really practical. But luckily then Cambridge University and Oxford University stepped forward and said that we will do the distribution for you, you write the code and then publish it to us. We'll put it on our public servers. So technically this makes them the publisher of the software and if they have any legal challenges to face, they have big legal departments who can deal with this.
Omer: Was this a formal association with Oxford University and Cambridge University?
Adam: Not really. It was an informal association. It was just an agreement. My brother wrote the code, we published it to them, and they put it onto their web servers. And then it became the de facto standard of the web, because it was the only one around.
Omer: Were you guys expecting it to be that big?
Adam: We never expected it to be that big.
Omer: You have also been held responsible for finding some critical Bluetooth bugs? What was that?
Adam: Well, I discovered Blue Snarfing. It is actually a problem found in Bluetooth phones that can be exploited to pull out phone books and other information without the knowledge of the owner. The problem was quite widespread and it involved some of the very popular business phones like the Nokia 6310i. There was a great problem communicating with the cell phone manufacturers, because they were just not used to the idea of someone coming to them and saying that you have a problem. So, you know, the whole idea of full disclosure and the philosophy of open source are quite alien to them. At first, they treated the problem with suspicion: why would you tell us, or am I trying to blackmail them? So, they really didn't understand that all we want is to get the problem fixed. We want to use the technology, here's the security hole, and this is how you reproduce it, just go ahead and fix it.
Omer: Has it been fixed now?
Adam: It has on most phones now. In fact, about a year later, they arranged Bluetooth security events. It's actually a nice thing to do. All manufacturers get together in a hotel, do the interoperability tests, and run them through security procedures. There's no compensation on that level, where everything is designed to function properly. We did this for around 18 months and it was quite a success. We found many problems and they fixed them before they hit the street. But then they discontinued the program and I don't think that they are doing any security-specific testing any more, so I do expect more problems.
Omer: Lately you have been inspired by RFIDs. Please tell us about that.
Adam: Okay. There are two areas that I am looking into. One is where RFID is used as an authentication token, like you have in door entry systems. So, the problem there is that all the tag is doing is giving out just an ID number, which they claim is unique, like your door key is unique, but it can of course be copied. The industry is trying to tell us that an electronic key is somehow magically different and it cannot be copied. So I demonstrated that these RFIDs can be pretty easily copied and a good copy will open the door and it's not perfectly safe to use the technology. Actually there was quite an interesting situation recently, when there was a company that threatened to sue on breach of patents if they revealed how their systems work or if they demonstrated a device that can clone the door keys. So what I have been doing is using the manufacturers' own technology against them. So what I do is that instead of building an emulation, I take an existing door tag and reprogram it to pretend to be another tag or even to pretend to be another manufacturer's authentication token. So what I found was the original methods that the manufacturer used to program the door tags in the first place and what protocols they use.
Omer: You have ruined infrared devices, explored Wi-Fi environments, busted Bluetooth and are now demystifying RFIDs. Why are you against technology? (In good humor)
Adam: (Laughs) I am not against technology. I am against inappropriately used technology. I think technology is great. The reason why I wanted them to fix Bluetooth is that I liked the technology and I wanted to be able to rely on it. I don't want it to make me insecure, and the same is true of RFIDs. I think that the idea is dangerous that the tags are magically unique and they cannot be cloned; of course they can be cloned.
Omer: Why do you think that there is a gap between product development and the security of the products? Lousy administrators and poorly configured devices are one thing, but intrinsically flawed protocols, buggy stacks and second-rate implementations are another. What do you think could be the reason?
Adam: Well, I think it's usually the cost. The manufacturers are just looking for ways to increase revenues and doing proper security is often an expected thing and they would say that well, we'll worry about it later, if it becomes a problem. So the security of the system is a second consideration and by the time it becomes a problem, it's already too late because it's already deployed. At this stage they should stop and do what they should have done in the first place. But the culture is changing. The internet has gone through a very long and painful process of learning that. The internet used to be the same software vendors and they never always released patches as Microsoft is doing it now. The old Microsoft would say that there are no problems, play it down and hope nobody hears about it, discredit the person who finds the problem in the first place. But they realized that actually engaging with the open source and even the hacker community is a good thing for everyone. It's about revealing problems and getting them fixed, and it's far better to admit to the public that you have an issue and deal with it quickly rather than trying to cover it up, and then the public finds out that you have an issue anyway and then you just look bad. You actually look quite good if you say "yup, we got that wrong but here's the fix". Everyone will forgive and forget, because they know that where there is a complex system, there will be problems.
Omer: In recent times, the ethics of full disclosure has been questioned. There are more corporate and political pressures on security researchers, especially if you remember Michael Lynn's controversy last year. What is your take on this?
Adam: Well, again I think it's very dangerous that the commercial world is getting such a strong foothold into the rules that govern what we can do in the world of security, the rules about reverse engineering and so on. When laws start to back up philosophies that if there is something bad, you shouldn't talk about it rather than you should fix it. No one is allowed to talk about it; no one is allowed to fix it because in theory nobody knows that it's there, and what we found is that full disclosure does actually work. Manufacturers will fix things if you publicly disclose the fact that they've got a problem. If you don't, they would tend not to because they don't need to and they can save the money. But the bad guys would know about the problem. If a bunch of amateurs, who have nothing to gain, can find problems, then so can a bunch of criminals, who have a lot to gain; financially motivated, they have the organizations, they have the skill, they are going to find the problem. So your best defense against that is to encourage people to look for problems and to deal with problems rather than punishing them for this. I think this is the most dangerous thing to do. They have been publishing about the so-called "hacker tools", but what's a hacker tool? If I write a tool that can catch the clones of the door entry tag, is that a hacker tool or is that a tool that the industry is using anyway to program the tags in the first place? And if I am afraid to publish it because I will be prosecuted, then the problem never gets fixed because nobody is even aware of it other than the bad guys.
Omer: What does your lab look like?
Adam: Imagine a big pile of random cables and wires, you know, the mad scientist lab basically. I collect a lot of hardware and whenever I see a device that I'd think might be usable, I buy it. I take lots of electronics out of junk piles as well, so if I see an old tape, I'll just rip the magnetic tape and use it somewhere. I keep on doing lots of random stuff. I have a very chaotic lab, 3 or 4 laptops tossing around, popped up computers everywhere.
Omer: Thank you for your time Adam. It has been fun talking to you.
Adam: Thanks to you too.
Interview concluded.



