It is awesome to see that Ian Latter’s work on bypassing all security measures to exfiltrate data via the screen is starting to be received by the InfoSec community. Today an article written by Richard Stiennon on Ian’s presentation at COSAC has been syndicated through to Forbes. Well done Ian!! This follows up on a post I did in July when I was allowed to start talking about TGXf.
As part of Ian’s presentation preparation (and in response to a number of CFP reviewers NOT READING HIS SUBMISSIONS) he also prepared a number of videos demonstrating the capability of ThruGlassXfer along with his ThruKeyboardXfer.
- ThruGlassXfer Open Letter (PDF) – TGXf VER8 FPS5 GD: Android smart-phone in flight mode, downloading a PDF from YouTube via a laptop screen
- TGXf Demo – Open Letter PDF, ANSI (Terminal) Version 1 at 8 FPS (i.e. you don’t need graphical access to steal data)
- TKXf Demo – Keyboard upload of virus to hardened Windows platform (i.e. I can type a virus into Windows .. stop me)
- TKXf Demo – Keyboard upload of payload via Windows to Linux (i.e. I can type any payload into anything via anything .. stop me)
- TCXf Demo – Attacker exfiltration from Linux via socket over PuTTY/XPe/HP Thin Client (i.e. I can route anything via anything over screen and keyboard)

And my personal favourite!!!!!

- TCXf Demo – IP networking over Screen and Keyboard!
Yes that last one is a functional network over TGXf and TKXf…
As a Security Enthusiast I love seeing this, though I have to say as a Security Technology Vendor and IT Outsourcing and Management Supplier it gives me pause. Now I finally have that enthusiasm back to write that paper on the risks of BYOD.
Yesterday I decided that I’d no longer be an armchair commentator on the state of IT services and the direction it, as a discipline, is going. So to that end I ponied up my own money and bought myself a membership to the itSMF (IT Service Management Forum) and roped myself in to participate in the next Special Interest Group meeting at the end of the month.
The itSMF isn’t as sexy as the technology groups and bodies that I’ve been a part of before, but I think that it is a lot more real and accessible to the non-technical in the industry (yes, there are a lot of non-technical people in IT) and a way of bridging the gap between IT and “the business”.
I hope to gain some insight into the wider Australian market’s changes and perceptions as well as supply my first-hand experience and understanding when it comes to solutioning, negotiating and delivering Technology and IT Services in the APJ market.
photo credit: Chimpr via photopin cc
I found this paper earlier in the week. I honestly wish I had found this three or four years ago, as it is a great precursor for understanding how to break up a business and set the appropriate technology strategy to support the overarching business strategy.
It pulls together a number of ideas I’ve been playing with over the last few years with regards to business-mapping and lets me see what appears to be the embryo of a lot of the thinking in support of Simon Wardley’s model. The origin is an article by Nicholas Carr, 2003, Why IT doesn’t matter. I never realised it was from a larger thesis; I read the HBR article 2 years ago.
His main recommendations for IT are:
- Spend less
- Follow, don’t lead
- Invest only when risks are low
- Focus on vulnerabilities rather than opportunities
This is all based on the view that IT is not of strategic importance because:
- Technology is expensive so not everyone can afford it.
- Not everyone will be sufficiently imaginative to see the potential
- Those who exploit it early may be able to lock-in customers, markets or business in a way that is difficult to break or match.
These all read like excuses, putting IT into the “too hard” basket. If we treated HR with the same contempt we’d never employ anyone: people are really expensive, I might not be able to use them to their potential, and I’m locking my business into relying on those people because they know a lot about me.
This attitude also explains why so many people can’t see the chess board when it comes to business strategy in general; if you ignore it because it’s hard and copy the competition, you’ll be fine.
This is a very raw emerging thought – catching up on the reading I need to do for University, a few things started to come together. I realised that businesses (the people in them) still think of themselves as relatively static entities in a market that doesn’t change. This was highlighted when I was reviewing two different frameworks for business strategy: Michael Porter’s Generic Strategy model (something I’ve used in the past) and D’Aveni’s Hyper-competition model. Click on the image to see the two models.
I’m still working through my thoughts on this and how to use it, but I think that, as a whole, as markets thrash through the product -> commodity phases they represent hyper-competitive ones, and the strategies listed by D’Aveni seem to be more appropriate.
That said, you could also use the D’Aveni model as a targeted selling technique on a case by case basis, as the relevant IT adoption maturity of the potential customer will vary, as will their perception of the Technology and its capability.
Regardless of the use, the models are definitely only useful for the short-term game. I don’t want to get to the point of lazy generation of strategy statements; it’s more about looking at ways to direct thinking appropriately for the given situation.
I started writing this post a few weeks back and stumbled onto it today – it was off the back of me reading this article on Dezeen by Alexandra Lange. It is an individual perspective on 3D printing, its failings and how it could learn from the sewing revival. This article was in direct response to Seth Stephen’s article on Slate.com. Below are my rambling thoughts on their perspectives.
Experience limitations can and do skew perspectives, more often than not towards the negative. Look at the wider picture and see the possibility.
Look to the future, and like the sewing pattern sellers you will see more like Thingiverse, offering a marketplace (marketspace) for the sale of 3D patterns. The sewing revival, enabled by the internet, teaches how to make your own patterns, or download pre-created patterns for you to sew. 3D, too, offers this (Thingiverse, other?). The difference is in the maturity of the technology. Give it time.
Now for the longer version:
Whilst the parallels are useful, keep in mind that they are different technologies with different applications.
The article points to the fact that current home 3D printing is not at a level sufficient for mass use. I argue that, in its current form, it will never be. What it is today is the very beginning of what is to come: the precursor to something amazing. We are already seeing what is coming (food printing, medical printing, manufacturing). I’m sure that the early automatic sewing machines were horrible and produced sub-par results too (just look to the shitty hand-held or initial cheap machines available, and even what is now available in discount stores). Not all things are created equal.