HN Books @HNBooksMonth

The best books of Hacker News.

Hacker News Comments on
Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks

Michal Zalewski · 1 HN points · 5 HN comments
HN Books has aggregated all Hacker News stories and comments that mention "Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks" by Michal Zalewski.
HN Books may receive an affiliate commission when you make purchases on sites after clicking through links on this page.
Amazon Summary
There are many ways that a potential attacker can intercept information, or learn more about the sender, as the information travels over a network. Silence on the Wire uncovers these silent attacks so that system administrators can defend against them, as well as better understand and monitor their systems. Silence on the Wire dissects several unique and fascinating security and privacy problems associated with the technologies and protocols used in everyday computing, and shows how to use this knowledge to learn more about others or to better defend systems. By taking an in-depth look at modern computing, from hardware on up, the book helps the system administrator to better understand security issues, and to approach networking from a new, more creative perspective. The sys admin can apply this knowledge to network monitoring, policy enforcement, evidence analysis, IDS, honeypots, firewalls, and forensics.
Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this book.
If you don't know who this is, he wrote one of my favourite books on web (browser) security: "The Tangled Web" [1].

Another lesser-known book by him is also worth a read: "Silence on the Wire", which takes a look at the full information security stack from the keyboard you type on, to the wires the data transits, to the internet protocols, etc. [2] and looks at how each stage exposes/protects data.

And he has quite an interesting history in infosec beyond that [3].

[1] https://www.amazon.com/Tangled-Web-Securing-Modern-Applicati...

[2] https://www.amazon.com/Silence-Wire-Passive-Reconnaissance-I...

[3] https://en.wikipedia.org/wiki/Micha%C5%82_Zalewski

iooi
He also had a pretty popular post here a while back about prepping for doomsday [1], interesting read.

[1] https://news.ycombinator.com/item?id=15110850

alethiophile
I just got one of those periodic "wow, those are the same person?" Internet moments; I've both used AFL a fair bit, and read Tangled Web, but never connected the two.

Impressive fellow.

seanhandley
"Silence on the Wire" is still my favourite security book!
harryf
I loved Silence on the Wire (your [2]) - it really changed my perspective on how much we "give away" passively.
elorant
That's funny because there is another book [1] with exactly the same title and also about computer security, although it predates the one you mention by a decade.

[1] https://www.amazon.com/Tangled-Web-Securing-Modern-Applicati...

dmix
That's the same book and link.
elorant
Oops, my bad. I meant this one:

https://www.amazon.com/TANGLED-WEB-Digital-Shadows-Cyberspac...

pjf
If you don't know who this is, read his CV: http://lcamtuf.coredump.cx/cv-web-en.pdf
raverbashing
yeah I think it's feeling the HN effect already

(a bit ironic that it doesn't have https enabled)

sigjuice
Not as ironic as the OpenBSD Foundation asking for donations via an http site
krylon
Their site is available via https, it just is not default. Which admittedly is a little strange.
asveikau
>> http://lcamtuf.coredump.cx/cv-web-en.pdf

> (a bit ironic that it doesn't have https enabled)

That sounds like an interesting trick... MITM the CV of a famous security person in order to land a security job?

AceJohnny2
Wait, this is lcamtuf? Wow.

I've always been in awe of his AFL fuzzer:

http://lcamtuf.coredump.cx/afl/

https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-th...

alphadevx
He also wrote Ratproxy: https://code.google.com/archive/p/ratproxy/
Guessing the OS is pretty simple, though; I recommend the book "Silence on the Wire" [0] for a thorough explanation of passive network fingerprinting.

TL;DR is that each TCP stack has unique characteristics that are hard to spoof (you'd have to bypass the OS TCP stack and build your own that mimics another) and definitely out of reach for tools that run in sandboxed environments (like browser extensions).

edit: Also, the author of that book, Michal Zalewski, made the open source tool p0f [1], which implements some of those techniques to identify spoofed user agents.

  [0]: https://www.amazon.com/gp/product/1593270461
  [1]: http://lcamtuf.coredump.cx/p0f3/
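
The comment above describes what p0f keys on: initial TTL, the DF bit, the window size, and the order of TCP options in the SYN. The following is an added example, not code from the page, the book, or p0f itself, that pulls those fields out of an IPv4 SYN and matches them against a signature table. The two packets and the signature table are constructed for this illustration (the table is an assumption loosely modelled on commonly documented defaults, not p0f's database), and only IPv4 with a bare SYN is handled.

```javascript
// Added example (not from the page, the book, or p0f): extract passive
// fingerprinting fields from an IPv4 TCP SYN and match them against a table.
// Both packets below are constructed for this example.

const LINUX_LIKE_SYN = Buffer.from(
  '4500003c123440004006' + '0000' + '0a000001' + '0a000002' +        // IPv4: len 60, DF, TTL 64, proto TCP
  'c0000050' + '00000001' + '00000000' + 'a002' + 'faf0' + '00000000' + // TCP: SYN, data offset 40, win 64240
  '020405b4' + '0402' + '080a0000000100000000' + '01' + '030307',        // MSS 1460, SACKok, TS, NOP, WS 7
  'hex');

const WINDOWS_LIKE_SYN = Buffer.from(
  '45000034567840008006' + '0000' + '0a000003' + '0a000002' +        // IPv4: len 52, DF, TTL 128
  'c0010050' + '00000002' + '00000000' + '8002' + 'ffff' + '00000000' + // TCP: SYN, data offset 32, win 65535
  '020405b4' + '01' + '030308' + '01' + '01' + '0402',                   // MSS 1460, NOP, WS 8, NOP, NOP, SACKok
  'hex');

// Parses the IPv4 and TCP headers of a SYN and walks the TCP option list,
// recording the option order (the part that is hardest to spoof in userland).
function parseSyn(buf) {
  if ((buf[0] >> 4) !== 4) throw new Error('IPv4 only in this example');
  const ihl = (buf[0] & 0x0f) * 4;
  const totalLen = buf.readUInt16BE(2);
  const df = (buf.readUInt16BE(6) & 0x4000) !== 0;
  const ttl = buf[8];
  if (buf[9] !== 6) throw new Error('not TCP');
  const tcp = buf.subarray(ihl, totalLen);
  const dataOff = (tcp[12] >> 4) * 4;
  if ((tcp[13] & 0x12) !== 0x02) throw new Error('not a bare SYN'); // SYN set, ACK clear
  const win = tcp.readUInt16BE(14);
  const opts = tcp.subarray(20, dataOff);
  const order = [];
  let mss = null, wscale = null;
  for (let i = 0; i < opts.length; ) {
    const kind = opts[i];
    if (kind === 0) { order.push('eol'); break; }
    if (kind === 1) { order.push('nop'); i += 1; continue; }
    const len = opts[i + 1];
    if (len === undefined || len < 2 || i + len > opts.length) throw new Error('malformed TCP option');
    if (kind === 2) { mss = opts.readUInt16BE(i + 2); order.push('mss'); }
    else if (kind === 3) { wscale = opts[i + 2]; order.push('ws'); }
    else if (kind === 4) order.push('sok');
    else if (kind === 8) order.push('ts');
    else order.push('?' + kind);
    i += len;
  }
  return { ttl, df, win, mss, wscale, order };
}

// Observed TTL has been decremented once per hop; round up to the nearest
// common initial value so the signature is stable regardless of path length.
function initialTtl(ttl) {
  return [32, 64, 128, 255].find(v => v >= ttl);
}

// Signature string: initial TTL, DF, window (as a multiple of MSS when it
// divides exactly, a habit of some stacks), and the option order.
function fingerprint(buf) {
  const p = parseSyn(buf);
  const win = p.mss && p.win % p.mss === 0 ? `mss*${p.win / p.mss}` : String(p.win);
  return { ...p, sig: `${initialTtl(p.ttl)}:${p.df ? 'df' : '-'}:${win}:${p.order.join(',')}` };
}

// Assumed, illustrative signature table for this example (not p0f's database).
const SIGNATURES = new Map([
  ['64:df:mss*44:mss,sok,ts,nop,ws', 'linux-like'],
  ['128:df:65535:mss,nop,ws,nop,nop,sok', 'windows-like'],
]);

function classify(buf) {
  const fp = fingerprint(buf);
  return { sig: fp.sig, label: SIGNATURES.get(fp.sig) ?? 'unknown' };
}

// Returns a copy of the packet as it would look after `hops` routers.
function ageTtl(buf, hops) {
  const copy = Buffer.from(buf);
  copy[8] = Math.max(0, copy[8] - hops);
  return copy;
}

for (const [name, pkt] of [['linux-like sample', LINUX_LIKE_SYN],
                           ['windows-like sample', WINDOWS_LIKE_SYN],
                           ['linux-like sample, 12 hops away', ageTtl(LINUX_LIKE_SYN, 12)]]) {
  console.log(name, classify(pkt));
}
```

The fields used here are exactly the ones that change when something other than the original host speaks TCP: a NAT box that rewrites TTL or a proxy that terminates the connection presents its own stack's signature, and `sysctl`-style tweaks to window size or option handling are what "defeat TCP fingerprinting" guides alter. A real tool also checks consistency between fields (for example an unusual window-to-MSS ratio for the claimed stack), which this example does not attempt.
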
userbinator
> TL;DR is that each TCP stack has unique characteristics that are hard to spoof (you'd have to bypass the OS TCP stack and build your own that mimics another) and definitely out of reach for tools that run in sandboxed environments (like browser extensions)

If you are behind a NAT, the TCP/IP stack of the NAT machine will probably present some of its characteristics too.

It is also possible to modify your TCP/IP stack settings so it behaves like something else, a simple search for "defeat TCP fingerprinting" or similar will be a good place to start.

I remember reading about a few universities whose networks would, via fingerprinting, identify your OS and only Windows machines would be required to install some --- intrusive, invasive, and flaky --- additional monitoring software, while Linuxes were allowed completely open access. The solution was obviously to make your machine look like Linux, and this was not hard to do with a few registry tweaks, if I remember correctly.

derefr
> you'd have to bypass the OS TCP stack and build your own that mimics another

So, the Snabb Switch sort of thing?

I'm guessing that active layer-4-or-above proxies would also ruin your fingerprinting ability (so people behind corporate firewalls would be un-fingerprint-able.)

And, possibly, API clients running on VM instances in clouds that use software-defined networking, might "look like" the SDN infrastructure, rather than like their VM.

j_s
Nice! https://amzn.com/dp/B008FRNHVY/ $18
LeoPanthera
$17.25! Amazon thinks I'm cheap. It's not wrong.
pbhjpbhj
$24 for me, perhaps i have a richer looking browser ...
orbitingpluto
$13.60 Kindle. That's a lot of variation.
woliveirajr
$24 paperback, $31.95 kindle :)
acqq
$19.55 kindle for me
titojankowski
$21.22 from Lisbon
sleepychu
$18 on kindle
j_s
Thanks for the heads-up, I fixed the link to point to the Kindle edition!

Amazon has indeed gotten called out for these types of shenanigans in the past but that was a long time ago! https://en.wikipedia.org/wiki/Amazon.com_controversies#Diffe...

I missed this related discussion last month: The High-Speed Trading Behind an Amazon Purchase | https://news.ycombinator.com/item?id=13963743

nosuchthing
Sniff (Firefox http website) traffic with Wireshark on Ubuntu vs OSX and you'll notice there are extra null flags unique to OSX.

Can't imagine why..?

celim307
Thanks for the book recommendation!
gsnedders
Or just looking at what set of fonts the system has: that's pretty OS dependent. There are so many fairly trivial proxies for OS that detecting OS seems… uninteresting.
mpeg
Font enumeration is done by basically trying to use a certain font and then measuring the div it's writing to. It can also be done a bit fancier by drawing to a canvas element and then taking a fingerprint of it (but presumably slower?).

It can be spoofed from a browser extension by messing with the results from the measurement or hooking into core APIs.

Plus you need a font list to begin with, you can't just look at the fonts the system has installed just from javascript.

gsnedders
Yes, indeed. But you know what fonts each OS ships out of the box, so all you need is the set that's the union of those and then you have your fingerprinting. (Canvas will probably be slower, but I expect not by as much as you might suspect.)

I don't see how you can mess with the results of measuring successfully, though, at least not without breaking things. You'd have to make CSSOM lie all over the place to avoid it.

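The two comments above (measure the element, and compare against the fonts each OS ships with) combine into the following added example; it is not code from the page or from any of the commenters. The width comparison is the standard trick: render a test string with the candidate font first and a generic family as fallback, and if the width equals the width of the bare generic family, the candidate was not available. The measurer is passed in as a parameter so the comparison logic can also be exercised outside a browser; `domMeasurer` is the in-browser implementation. The per-OS font hint table is an assumption for illustration, not an authoritative list.

```javascript
// Added example (not from the page): font enumeration by width measurement,
// plus a crude OS guess from which default fonts turn up.

const TEST_STRING = 'mmmmmmmmmmlli';                        // wide and narrow glyphs exaggerate metric differences
const BASE_FONTS = ['monospace', 'sans-serif', 'serif'];   // generic families the browser always resolves

// In-browser measurer: renders TEST_STRING in an off-screen span with the
// given font-family and returns its width in CSS pixels.
function domMeasurer(fontFamily) {
  const span = document.createElement('span');
  span.style.cssText = 'position:absolute;left:-9999px;top:0;font-size:72px;white-space:nowrap;';
  span.style.fontFamily = fontFamily;
  span.textContent = TEST_STRING;
  document.body.appendChild(span);
  const width = span.getBoundingClientRect().width;
  span.remove();
  return width;
}

// If `font` is not installed, "'font', base" falls through to `base`, so the
// width equals the bare-base width. Checking against three generic families
// avoids missing a font that happens to share metrics with one of them.
function detectFonts(candidates, measure = domMeasurer) {
  const baseWidth = new Map(BASE_FONTS.map(base => [base, measure(base)]));
  return candidates.filter(font =>
    BASE_FONTS.some(base => measure(`'${font}', ${base}`) !== baseWidth.get(base)));
}

// Assumed, illustrative default-font hints per OS (not a complete list).
const OS_HINTS = {
  windows: ['Segoe UI', 'Calibri', 'Consolas'],
  macos: ['Helvetica Neue', 'Menlo', 'Lucida Grande'],
  linux: ['DejaVu Sans', 'Liberation Sans', 'Ubuntu'],
};

function allHintFonts() {
  return Object.values(OS_HINTS).flat();
}

// Scores each OS by how many of its hint fonts were detected; a tie or no
// hits at all yields 'unknown' rather than a confident wrong answer.
function guessOs(detected) {
  const found = new Set(detected);
  const scores = Object.entries(OS_HINTS)
    .map(([os, fonts]) => [os, fonts.filter(f => found.has(f)).length])
    .sort((a, b) => b[1] - a[1]);
  if (scores[0][1] === 0 || scores[0][1] === scores[1][1]) return 'unknown';
  return scores[0][0];
}

// In a browser: console.log(guessOs(detectFonts(allHintFonts())));
```

Because every decision here rests on a number read back from layout, an extension that wraps `getBoundingClientRect` (or `measureText` for the canvas variant) and returns the fallback width for unknown families defeats it, which is the spoofing the comment mentions; the cost is that any page logic that legitimately depends on real text metrics now sees lies too.

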
derefr
The simple thing would be for the browser to taint Javascript values derived (at whatever remove) from the CSSOM, and then block all network APIs from accepting such values.
pcwalton
I can think of fun ways around that. For example, using setTimeout() and then Date.now deltas to communicate numeric values. Or communicating data via UI events (you have to be able to send network requests in response to UI events, for obvious reasons).

It wouldn't be possible to do that anyway without breaking important things like infinite scroll. Infinite scroll fundamentally requires network requests to be issued when an element is scrolled into view, but whether an element is in view depends on the results of layout, which depends on the user's installed fonts…

dTal
>important things like infinite scroll

No.

derefr
> but whether an element is in view depends on the results of layout, which depends on the user's installed fonts…

It'd be kind of interesting if you could only ask about the CSSOM in terms of what the page would look like if rendered with a known set of {fonts, visited links, whatever else is a security leak} rather than asking what it does actually look like—with the browser keeping two render-trees in memory for metrics (the real one, and your hypothetical one) but only actually rendering the real one.

Then, you could synchronize page-manipulation events between the two render-trees, by trying to re-synthesize things like viewport/scroll-offsets and mouse positions, such that everything "will have been" in the right position in one model to end up clicking on whatever element ended up being clicked on in the other model.

Very inefficient, but kind of interesting.

gsnedders
If you have multiple columns of text, which column are you matching the scroll position up to? I'm pretty sure even something that inefficient isn't going to work. :)
Jun 17, 2015 · 1 point, 0 comments · submitted by xDola
This is also talked about in the book, "Silence on the Wire".

http://www.amazon.com/Silence-Wire-Passive-Reconnaissance-In...

parktheredcar
Thanks for sharing, that looks like an interesting read.

There was also this paper (linking to summary) about figuring out how to decode the audio of someone typing on a keyboard.

https://freedom-to-tinker.com/blog/felten/acoustic-snooping-...

127001brewer
...it's actually a good complement while (slowly) trying to complete the challenges on http://cryptopals.com/
Oct 23, 2014 · yan on My adventures in CNC robotics
Zalewski was the reason I felt unaccomplished in 2005, when I read his "Silence on the wire" and noted he wasn't much older than I am.

His separate guide on CNC is great[1]. He also has a great intro to electronics[2]. His first book is an amazing survey of totally passive attacks[3]. His second book is a comprehensive survey of web application security[4].

[1] http://lcamtuf.coredump.cx/gcnc/

[2] http://lcamtuf.coredump.cx/electronics/

[3] http://www.amazon.com/dp/1593270461

[4] http://www.amazon.com/dp/1593273886/

CamperBob2
Wow, that CNC guide is awesome. Is there anything like this for metalworking-oriented machining?
zaroth
Sample chapter of 'Silence on the wire': ftp://ftp.helion.pl/online/bekomp/bekomp-11.pdf

Edit: Almost funny to see FTP actually being used to, you know, transfer files. As Scotty would say, "How quaint!"

agumonkey
Warning: the sample is in Polish (as is the host domain name).
Sep 06, 2009 · yan on PHP's silly PRNG
Zalewski's "Silence On The Wire" (which is totally fantastic in its own right) graphs a few PRNGs and discusses their issues.

http://www.amazon.com/exec/obidos/tg/detail/-/1593270461

HN Books is an independent project and is not operated by Y Combinator or Amazon.com.