Friday, July 31, 2009

Hacking Telepresence for Fun and Profit...

Just sat through the VIPER Lab talk on Advanced Video Attacks. If you're not familiar with the Sipera guys, check out their blog for more on the cool (and free!) tools they offer, including the forthcoming UCSniff 3.0, simplifying attacks on VOIP, video, and unified communications.

Most enterprises believe that putting their IP phones on a separate VLAN is secure. Suuuuure it is. I remember seeing Jason Ostrom give a demo at Shmoocon 2008 where he intercepted (and played back) VOIP calls by crashing through a VLAN using VOIP Hopper, one of the early tools that he worked on. Today, he and his colleague Arjun demoed how to instantaneously jack not just an audio stream, but both sides of an actual videoconference. Freakin' COOL.

Not only are the Sipera guys rolling out UCSniff 3.0, but they're also rolling out version 1.1 of VideoJak, enabling pwnage of Cisco's HD surveillance cameras; Wired has a much more in-depth article on Sipera's efforts and demo here. The most important point in the entire article is in the final paragraph, in that Sipera has found that only five percent of enterprises have fully enabled the built-in security features in their unified communications systems. Brutal. Jason and I talked about this over beers last night...the stories he has on organizations not turning on security are mind-boggling.

The Sipera guys are also soon rolling out VideoSnarf, a third tool in the video hacking toolbox. They showed a couple of SWEET demos of manipulating video phones and IP video for fun and profit...for that, you should've been here.

In addition to showing an attack that was extremely LPD/LPI by using UCSniff in target mode, they also figured out a way to defeat GARP disablement on Cisco phones--meaning, if you can get physical access to the network, you can enable GARP and pick off phones one-by-one, jacking an entire enterprise--or just the key execs whose information you care about. Sipera has made the Cisco PSIRT aware of the problem; while Cisco may (or may not) patch this issue, there's a pretty easy fix to prevent being pwned--turn on the friggin' built-in security. Encrypted configuration files = no modification of phone settings. Sure, it's a ~25% performance hit...but that sure beats having your CFO's earnings release preparation calls attacked.

But, sadly, no...I certainly don't expect that the 95% of the orgs that haven't deployed the security already built into their UC systems to do so anytime soon. Meaning, still lots of opportunity for fun and profit by hacking voice and video.


Early DEFCON Thoughts...

  • Every Apple TV user with any semblance of hacking skills should try out atvusb-creator, which is a patchstick to enable a ton of new capabilities on the Apple TV. Simple, easy, useful.
  • Great quote this morning from Bob Lentz, DoD CISO, talking about all the advice he's getting on shutting down Web 2.0 apps like Facebook: "As a security officer, that's the last thing I want to do. I don't want to be Dr. No." Lentz' point is that putting his head in the sand on the topic of social networking would be stupid, particularly in light of the story that he related where he'd recently been on an aircraft carrier where the average age of the 5000 shipboard personnel was 19 1/2--meaning they'd grown up in the Internet age, that they were beyond comfortable in terms of the use of online capabilities, and that to try to shut them down totally would be folly. We play too much whack-a-mole already, so putting some legitimate regulation in place to allow Web 2.0 apps in the military ends up being a helluva lot easier than trying to police every single instance of use.
  • A couple of us bumped into Johnny Long last night while on the way to dinner. The work that Johnny is doing in Jinja, Uganda (the mouth of The Nile), is hugely inspiring--down there of his own accord, helping wire up one of the needier places in East Africa. Johnny mentioned that with all the oil money flowing into the country, it's getting to the point where people have the equivalent of Verizon FiOS--in a city with a population of 100,000+, but where the per capita income is about $100. Wow. Every time I wear my "i hack charities" t-shirt, I get a ton of inquiries (and nasty looks) about what the hell that means. Hearing the stories of the small but vital successes Johnny and the hacker community are achieving there make me want to wear that t-shirt every single day.
  • Yes, I'm on the network. No, it's not as toxic as the network was in years past, thanks to the new network they deployed a few years ago. But, I'll also say that this is the one place in the world where I'll only deal with https traffic, and where I actually click on the lock in the browser to verify validity of the certificate. And yes, I fully expect to get pwned--that's the risk of using the network here.
  • The line to get replacement badges this morning was epic--no kidding, at least a thousand people deep, probably way more. They ran out of real badges multiple times yesterday; I was fortunate enough that when I walked in, I managed to register in about 10 minutes, as well as get a real badge. I thank the karma gods for that one.

Saturday, July 11, 2009

What a Week of Baseball...

Wow. I'm spent, and I have a ballgame left tomorrow night. I was planning on getting up to The Phone Booth tonight for the Giants-Padres game, but chose to pass in an attempt to get caught up on some work, having already seen two Rockies-Nationals games this week at Coors. After Monday night's game, where we saw history made, who'd've thunk that Jonathan Sanchez would go out and throw a no-hitter tonight? Of course, had I been there, I'm sure I would've jinxed it, so I'm glad I stayed home to catch Kruk and Kuip's call. I'm psyched to have seen the end of the 258th no-hitter in major league history, and even more psyched to have seen something Monday night which is nearly 37 times as rare.

As part of the research I did on Tuesday to determine the rarity of half-innings which consisted of three 3-1 putouts, I ended up running across an interview with Milt Pappas and Bruce Froemming. All I've ever heard from my dad, his friends, and pretty much all of the Chicago media is that Froemming robbed Pappas of his perfect game in '72, by calling a full-count fastball on Larry Stahl ball four. Thinking about how a borderline pitch that goes the wrong way can ruin a perfect game (and maybe a W, if it's a close ballgame), I was getting edgy tonight as Sanchez led off the top of the 8th with three four-seamers to Adrian Gonzalez, all off the plate inside, before coming back to get him on a 3-1 flyout to CF. And, I was thankful that Major League Baseball Advanced Media and Sportvision have installed PITCHf/x in every major league stadium, to provide an impartial (and non-human) arbiter which wasn't available at Wrigley on that fateful second day of September in 1972. As you can see in the attached screen shot, PITCHf/x confirmed Brian Runge's called third strike on Everth Cabrera--no doubt about it.

I'm psyched that Sportvision's technology is not only installed in every major league stadium, but that they're expanding their analytical capabilities to include hitting, fielding, baserunning, and much more. I grew up listening to coaches talk about "The Book", which was comparatively simple when I was a kid--lefty reliever against righty pinch-hitter (and vice versa), when to issue an intentional pass, when to drop down a sac bunt, etc. Today, with the overwhelming volume of statistical data available, and sufficient computing horsepower in packages accessible to even the casual observer, sports analytics can be performed in real-time by Joe Fan--which is pretty freakin' cool.

Now, further advances by MLBAM and Sportvision have led to dramatic new capabilities, many of which are being revealed tomorrow at the 2nd Annual PITCHf/x Summit. I'm humbled to be part of what the New York Times has described as follows...

"Teams have begun scrambling to develop uses for the new data, which will be unveiled Saturday to a group of baseball executives, statisticians and academics, knowing it will probably become the largest single advance in baseball science since the development of the box score."

I'm not sure I can be easily dropped into one of those three categories (I'm closest to a statistician, knowing how much Strat-O-Matic I played as a kid, and the years of toil I spent as a Rotisserie Baseball player before the advent of the Internet), but I'm certain that I'll find the summit as valuable as the other esteemed members of the audience. More to follow over the weekend...and hopefully, maybe another historical event...

Thursday, July 9, 2009

Stimulating...and The Stimulus...

I was fortunate to be asked to sit on a panel at today's Stimulus Opportunities for Small Business program, hosted by the Silicon Valley Small Business Development Center. Until recently, I wasn't familiar with the Small Business Development Center network, but wow...what a great resource for small businesses. SBA partially funds the 1,000 or so SBDCs, working closely with local colleges and state economic agencies, all to help entrepreneurs achieve success--and all for free or at very low cost.

My panel was composed of representatives from private sector entities...
  • Denise Rodriguez-Lopez, formerly of the U.S. Department of Transportation, who now runs her own consultancy focused on federal and state procurement
  • Don Gonneville, who runs his own service-disabled veteran-owned business
  • Dorothy Davis, who runs her own business, providing software QA and CD/DVD duplication
  • Carol Bowyer from The Federal Technology Center, which works throughout California to help small businesses sell to federal, state, and local governments
  • Yours truly, providing the perspective of a guy who sold to federal and state governments for years, and worked closely with federal agencies on wireless information assurance policies such as DoDD 8100.2
Brian Burch from HP set the stage, and Brian Tippens from HP moderated.

The reason that I mention all seven of us and what we currently do is that we come from wildly different backgrounds, but to a person, each of us commented on the tremendous value of the professional network, the value of teaming, and the need to cooperate (sometimes even with your competitors) to advance your own agenda. As a guy who has cultivated a professional and personal network across a very broad spectrum of interests and expertise, I can absolutely vouch for the value of developing and maintaining a network of folks to whom you can turn when you need advice, support, or cooperation.

Each speaker contributed salient points in his or her own way. Hopefully, the key points that I got across are:
  • the need to establish credibility with customers, prospects, and partners--the work I did in the federal space had much less to do with a hard sell than it did with educating stakeholders on wireless information assurance threat vectors, but the end result was significant customer revenue
  • the need to educate yourself on your market, your competitors, and your potential teaming partners (even, or perhaps especially, if they're in markets outside your core competence), as well as the fact that many free or low-cost options exist to do so, ranging from local IEEE chapter meetings, to SBDC classes, to SD Forum meetings, and much more
  • the need to find a champion in an organization who can be your flag bearer, who will go to bat for you in internal battles, and who will provide off-the-record commentary to assist in your success
  • the need to attack via the flank on every deal, regardless of deal size; large or small, too many vendors deal with a single point of customer contact, which provides a horrendously incomplete picture of the opportunity
Regarding flanking, I related the story of how long the cycle was to earn a particular piece of multi-million dollar business with one of the uniform services, and how we as a team had to evangelize policy makers at the customer, at the prime contractor, and at related agencies, as well as educating end users, network managers, security architects, and many, many more folks on both coasts. But, we established credibility over the course of more than a year, because we were passionate about earning the customer's business, which we ultimately did, to the dismay of some very large companies who were left on the outside looking in.

I think that the ~400 attendees received tremendous value from the day's discussions, which also included presentations from Mark Quinn of the San Francisco SBA, Marty Keller of the State of California's Small Business Advocate office, and a public sector panel composed of city, state, and federal procurement officials--all told, an awesome lineup of folks at a half-day session which cost exactly $0.00 to attend.

Kudos (and thanks) to Patrick Cook and the team at SVSBDC for putting on a great event. Thanks also to Joanne Vliet, the director of the Department of Commerce's Silicon Valley Export Assistance Center, who recommended me for the panel. I enjoyed the event immensely, and came away with a number of valuable new contacts.

I'm not sure what the Latin would be for "I learned, I shared, I networked", but that'd be a good recap of the day.

Until then, Veni, Vidi, Vici.

Tuesday, July 7, 2009

A Record-Tying Evening in Denver...

I was fortunate enough to make it to last night's Nationals-Rockies game at Coors Field (which I think is now the 19th major league stadium I've visited). Prior to first pitch, numerous questions ran through my head...
  • Coors Field...with the history of this place, and despite the fact that they keep their baseballs in a humidor, would this be a high-scoring three-plus hour game?
  • Would the rain that had just passed through have left enough moisture in the air to prevent much carry, keeping the score reasonable?
  • Or would the fact that the Nationals entered play nearly a dozen games worse than the next-poorest team in the NL translate into a Rockies slaughter?
  • Would the Rockies be able to continue their hot streak, coming off a torrential stretch where they'd won 22 of 29, with much of the turnaround attributed to Jim Tracy replacing Clint Hurdle in the dugout?
  • Could the Nationals achieve a similar kind of turnaround by showing Manny Acta the door?
  • Are the Diamondbacks so devoid of talent that a Rockies-like turnaround (or even .500 baseball) is impossible under A.J. Hinch? And, are certain veterans still (to be kind) lamenting Hinch's hiring? Sure, he's young, came in with zero coaching experience, and came into play last night with a 21-32 lifetime managerial record, but he's a Stanford grad, caught nine years of professional ball, and has always been known as a bright guy. So, I continue to wonder what's going on with that organization, and why the club hasn't responded to the managerial change even remotely like the Rockies did to theirs (unbelievably so, in fact).
  • Could the Cubs bullpen hold their 4-0 lead over the Braves?
  • What the heck was going on with the Reds in Philadelphia, down 10-0 after 1?
After two innings where a number of hard-hit balls didn't carry, I thought we might be in for a low-scoring ballgame. Little did I know that we'd witness only the eighth 1-0 game in Coors Field history--not coincidentally, all after the introduction of the humidor. The game wasn't exactly a masterpiece--I can't tell you the last time I saw two runners from the same team doubled off second base on line drives.

But, we saw two major league records tied, which was certainly memorable.

In the bottom of the fourth, Todd Helton hit a hard two-hopper to first; the amount of topspin off the bat made me utter "tough hop" after the first hop, but 1B Nick Johnson masterfully played the in-between second hop, tossing a strike to P Craig Stammen for the out. On the very next pitch, Brad Hawpe hit a hard three-hopper over (and narrowly missing) the bag on which Johnson made an excellent backhanded diving stop, scrambling to his feet to deliver an underhand toss to the covering Stammen for the out. I made a note to self how rare it is to see back-to-back 3-1 putouts--tough ones at that.

Lo and behold, Troy Tulowitzki grounded a full count fastball to Johnson, who picked it and tossed to Stammen for the third out. I immediately turned to my friend Toby Nixon and said "We just saw a major league record at least tied, and maybe set--three putouts in an inning by a pitcher may've never happened before." The thought crossed my mind that three assists in an inning by a first baseman might also be a record, but I mentioned to Toby that since an assist can be awarded without a putout being recorded (e.g., ground ball to third, clean throw across to beat the runner in plenty of time, first baseman drops the ball, scoring goes 5-E3), it's possible that a first baseman could've had four assists in an inning.

With a little research this morning (thanks, Baseball Almanac), I've learned that:
  • we witnessed two major league records tied--P putouts in an inning and 1B assists in an inning
  • this was the 13th time in MLB history that a pitcher had three putouts in an inning
  • this was the 12th time in MLB history that a first baseman had three assists in an inning
  • this was the seventh time in NL history that three 3-1 putouts in an inning had occurred
  • that three 3-1 putouts in an inning has occurred only once in AL history--ironically with Dick "Dr. Strangeglove" Stuart on the fielding end, in the summer of '63
The statistically interesting part of the entire equation is that while this was the seventh time in NL history that three 3-1 putouts have occurred in a single inning, it was the fourth time it's happened in the fourth inning. When you do the math on how infinitesimally small the chances are of this happening, it gets even cooler. I'm not even going to try to calculate this, but at 162 games per team per season, times number of defensive innings, times number of teams, then do the same going back through pre-expansion, 154-game seasons, you end up with a whole lot of defensive innings, but only now seven instances where this has happened--four of which happened in the fourth inning.

You know what? That's pretty freakin' cool.

A few more statistical niceties on the topic of three 3-1 putouts in an inning...

Well, wait a second. Baseball Almanac lists most putouts by a pitcher in an inning, and most assists by a first baseman in an inning. Comparing those lists is how I came up with the number of seven NL cases. But, maybe it's only six. Read on...

According to Baseball Almanac's records, the first recorded instance in NL history was in 1975, when Andre Thornton of the Cubs fielded three grounders, delivering the ball to Rick Reuschel. For all I know, I might've been watching Jack Brickhouse describe the action on WGN that day after school. The interesting piece here is that Big Daddy, while a decent fielder for a guy of his considerable (and I mean considerable) girth, managed to get to the bag all three times.

(As an aside, I think about how well Big Daddy moved for a big dude, then I think about Dennis Lamp, his Cubs teammate from '77-'80. I swear, at least once a game, Lamp would give up a ground ball to the right side which would turn into a base hit while Larry Biittner stood helplessly, ball-in-hand, hoping, praying even, that Lamp might consider covering the bag. I mean, he was right-handed...he fell towards first base when he delivered, for Pete's sake. And by Pete, I mean Pete LaCock, whom Biittner replaced at first after the '76 season. Circle gets the square.)

But, maybe Reuschel didn't. I wanted to see who the batters were who'd committed the outs, so I popped over to Retrosheet's play-by-play of the 4/24/75 Cardinals-Cubs game. While the second (Keith Hernandez) and third (future Cub Kenny Reitz) outs were recorded on 3-1 putouts, Retrosheet claims that Ted Simmons grounded out pitcher unassisted. I can envision a scenario where Big Daddy jams the switch-hitting catcher with a fastball, which Simmons tops weakly down the first base line. From the left-handed batter's box, the lead-footed Simmons stumbles away before righting himself. Big Daddy pounces (-ish) off the mound to pick up the squibber, chugging like a freight train directly into Simmons' path, applying the tag and a momentum-stopping hug. 1U, one out.

Maybe it happened that way, maybe it didn't. Either way, if Retrosheet is right (and I have to believe they are, knowing their penchant for accuracy), Baseball Almanac is wrong--meaning last night was the seventh case of this happening ever, the fourth time in the fourth inning. Wow. I'll have to circle back with the Baseball Almanac guys.

Okay, more interesting (to me, at least) nuggets...

Of the now seven games where three 3-1 putouts occurred in the same inning:
  • six of them were one-run ballgames; the sole game decided by more than one run was a 6-4 Cubs victory (shocking)
  • the only run scored in such an inning occurred in the very first instance, a Red Sox-Yankees affair at the Stadium; sandwiched in-between 3-1 groundouts by Tony Kubek, Roger Maris, and Joe Pepitone were a Bobby Richardson single to center, a wild pitch, and a Tom Tresh RBI double
  • all seven cases happened in the fourth inning or earlier
  • the Cubs participated in three, winning two (again, shocking)
  • John Kruk committed outs in two of the instances, in '86 at Wrigley and in '92 at the 'Stick
  • no game lasted longer than 2:52, with last night's 2:12 contest being the most efficient
So, yeah, you might think I've gone a little bit overboard here; but, it's a good warmup for this Saturday. I'm fortunate to have been invited to the 2nd annual PITCHf/x Summit, hosted by Major League Baseball and Sportvision. Picture an entire day of baseball analytics with a bunch of other baseball numbers folks, then a ballgame--a pretty great way to spend a weekend for this SABR member.

And, lest you think this is all irrelevant, think about how rare a perfect game is--only 17 instances of 27 up, 27 down, ever. Last night was only the seventh time three 3-1 putouts have occurred in the same inning.


Heck, not just memorable. Historic, even.