While we’re discussing the fate of LibreSSL, it’s worth noting how confusing the names of these packages became. I’d like to take this opportunity to provide a short note on what’s what.

First of all, SSL and its successor TLS are protocols used to implement network connection security. For historical reasons, many libraries carry ‘SSL’ in their name (OpenSSL, LibreSSL, PolarSSL) but nowadays they all support TLS.

OpenSSL is the ‘original’ crypto/SSL/TLS library. It is maintained independently of a specific operating system. It provides two main libraries: libcrypto and libssl (that also implements TLS).

LibreSSL is a fork of OpenSSL. It is maintained by OpenBSD as part of its base system. However, the upstream also maintains LibreSSL-portable repository that provides build system and portability glue for using it on other systems. LibreSSL provides partially compatible versions of libcrypto and libssl, and a new libtls library. Both libssl and libtls can be used for TLS support in your applications.

LibreTLS is a lightweight fork of libtls from LibreSSL that builds it against OpenSSL. This makes it possible to build programs written for libtls against OpenSSL+LibreTLS instead of LibreSSL.

So, to summarize. OpenSSL is the original, while LibreSSL is the OpenBSD fork. libtls is the LibreSSL original library, while LibreTLS is its fork for OpenSSL. Makes sense, right? And finally, despite the name, they all implement TLS.

KYOTO, Japan — Nintendo has reportedly entered a full state of panic with executives blindsided after Microsoft announced that it had acquired Luigi.

“How is this even possible!?” shouted a panicked Shigeru Miyamoto. “Buying all of our trusted third party partners is one thing, but now they’re taking my own painstaking creations right out from under my nose? Who even authorized this!?”

The news came shortly after Microsoft announced it was finalizing plans to acquire publishing giant Bethesda. In a second press release later in the day, the Microsoft blog added it had come to terms with a deal to make Luigi the new face of Xbox, noting that the Mario brother has shown his true colors for decades by wearing Xbox green.

“We are thrilled to welcome Luigi to the Xbox family,” said Gaming at Microsoft Vice President Phil Spencer. “With premier services like Xbox Game Pass and xCloud, players will now be able to experience Luigi anytime, anywhere. We just don’t think fans got that kind of versatile accessibility with the Nintendo Switch.”

In retaliation to the deal, Nintendo says it has prohibited Microsoft from using Luigi’s last name, Mario, which Nintendo still owns. Instead, Microsoft says Luigi’s new legal name going forward will be Luigi Cortana.

“Maybe it’s our own fault,” said Nintendo president Shuntaro Furukawa. “Perhaps if we treated Luigi with the respect and care he deserved, he’d still want to work with us. We plan on changing how we treat our property going forward and will put more time and energy into all of our characters, like Mario, Link, and…. Uh…. shoot, what’s her name?”

To get around having to scrub the now inaccurate “Brothers” usage from the franchise’s history, Nintendo plans to retcon Waluigi into Mario’s canonical brother.

Like this article? Check out our podcast! The Hard Drive Podcast is available on all podcast apps.

The post Nintendo in Panic Mode After Microsoft Acquires Luigi appeared first on The Hard Times.

Direct from CEO Eric Yuan. Today. He said this today.

Corporate clients will get access to Zoom's end-to-end encryption service now being developed, but Yuan said free users won't enjoy that level of privacy, which makes it impossible for third parties to decipher communications.

"Free users for sure we don't want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose," Yuan said on the call.

Based on their track record, it's not like they could ensure the privacy of your calls even if they wanted to. But it's good to know up front that they absolutely do not want to.

Previously, previously, previously, previously, previously, previously, previously.

When law enforcement agencies tout their latest cybercriminal arrest, the defendant is often cast as a bravado outlaw engaged in sophisticated, lucrative, even exciting activity. But new research suggests that as cybercrime has become dominated by pay-for-service offerings, the vast majority of day-to-day activity needed to support these enterprises is in fact mind-numbingly boring and tedious, and that highlighting this reality may be a far more effective way to combat cybercrime and steer offenders toward a better path.

Yes, I realize hooded hacker stock photos have become a meme, but that’s the point.

The findings come in a new paper released by researchers at Cambridge University’s Cybercrime Centre, which examined the quality and types of work needed to build, maintain and defend illicit enterprises that make up a large portion of the cybercrime-as-a-service market. In particular, the academics focused on botnets and DDoS-for-hire or “booter” services, the maintenance of underground forums, and malware-as-a-service offerings.

In examining these businesses, the academics stress that the romantic notions of those involved in cybercrime ignore the often mundane, rote aspects of the work that needs to be done to support online illicit economies. The researchers concluded that for many people involved, cybercrime amounts to little more than a boring office job sustaining the infrastructure on which these global markets rely, work that is little different in character from the activity of legitimate system administrators.

Richard Clayton, a co-author of the report and director of Cambridge’s Cybercrime Centre, said the findings suggest policymakers and law enforcement agencies may be doing nobody a favor when they issue aggrandizing press releases that couch their cybercrime investigations as targeting sophisticated actors.

“The way in which everyone looks at cybercrime is they’re all interested in the rockstars and all the exciting stuff,” Clayton told KrebsOnSecurity. “The message put out there is that cybercrime is lucrative and exciting, when for most of the people involved it’s absolutely not the case.”

From the paper:

“We find that as cybercrime has developed into industrialized illicit economies, so too have a range of tedious supportive forms of labor proliferated, much as in mainstream industrialized economies. We argue that cybercrime economies in advanced states of growth have begun to create their own tedious, low-fulfillment jobs, becoming less about charismatic transgression and deviant identity, and more about stability and the management and diffusion of risk. Those who take part in them, the research literature suggests, may well be initially attracted by exciting media portrayals of hackers and technological deviance.”

“However, the kinds of work and practices in which they actually become involved are not reflective of the excitement and exploration which characterized early ‘hacker’ communities, but are more similar to low-level work in drug dealing gangs, involving making petty amounts of money for tedious work in the service of aspirations that they may one day be one of the major players. This creates the same conditions of boredom…which are found in mainstream jobs when the reality emerges that these status and financial goals are as blocked in the illicit economy as they are in the regular job market.”

The researchers drew on interviews with people engaged in such enterprises, case studies on ex- or reformed criminal hackers, and from scraping posts by denizens of underground forums and chat channels. They focused on the activity needed to keep various crime services operating efficiently and free from disruption from interlopers, internecine conflict, law enforcement or competitors.

BOOTER BLUES

For example, running an effective booter service requires a substantial amount of administrative work and maintenance, much of which involves constantly scanning for, commandeering and managing large collections of remote systems that can be used to amplify online attacks.

Booter services (a.k.a. “stressers”) — like many other cybercrime-as-a-service offerings — tend to live or die by their reputation for uptime, effectiveness, treating customers fairly, and for quickly responding to inquiries or concerns from users. As a result, these services typically require substantial investment in staff needed for customer support work (through a ticketing system or a realtime chat service) when issues arise with payments or with clueless customers failing to understand how to use the service.

In one interview with a former administrator of a booter service, the proprietor told researchers he quit and went on with a normal life after getting tired of dealing with customers who took for granted all the grunt work needed to keep the service running. From the interview:

“And after doing [it] for almost a year, I lost all motivation, and really didn’t care anymore. So I just left and went on with life. It wasn’t challenging enough at all. Creating a stresser is easy. Providing the power to run it is the tricky part. And when you have to put all your effort, all your attention. When you have to sit in front of a computer screen and scan, filter, then filter again over 30 amps per 4 hours it gets annoying.”

The researchers note that this burnout is an important feature of customer support work, “which is characterized less by a progressive disengagement with a once-interesting activity, and more by the gradual build-up of boredom and disenchantment, once the low ceiling of social and financial capital which can be gained from this work is reached.”

WHINY CUSTOMERS

Running a malware-as-a-service offering also can take its toll on developers, who quickly find themselves overwhelmed with customer support requests and negative feedback when a well-functioning service has intermittent outages.

Indeed, the author of the infamous ZeuS Trojan — a powerful password stealing tool that paved the way for hundreds of millions of dollars stolen from hacked businesses — is reputed to have quit the job and released the source code for the malware (thus spawning an entire industry of malware-as-a-service offerings) mainly to focus his skills on less tedious work than supporting hundreds of customers.

“While they may sound glamorous, providing these cybercrime services require the same levels of boring, routine work as is needed for many non-criminal enterprises, such as system administration, design, maintenance, customer service, patching, bug-fixing, account-keeping, responding to sales queries, and so on,” the report continues.

To some degree, the ZeuS’s author experience may not be the best example, because his desire to get away from supporting hundreds of customers ultimately led to his focusing attention and resources on building a far more sophisticated malware threat — the peer-to-peer based Gameover malware that he leased to a small group of organized crime groups.

Likewise, the cover story in this month’s Wired magazine profiles Marcus Hutchins, who said he “quickly grew bored with his botnets and his hosting service, which he found involved placating a lot of ‘whiny customers.’ So he quit and began to focus on something he enjoyed far more: perfecting his own malware.”

BORING THEM OUT OF BUSINESS

Cambridge’s Clayton and his colleagues argue the last two examples are more the exception than the rule, and that their research points to important policy implications for fighting cybercrime that are often discounted or overlooked: Namely, interventions that focus on the economics of attention and boredom, and on making such work as laborious and boring as possible.

Many cybersecurity experts often remark that taking down domain names and other infrastructure tied to cybercrime businesses amounts to little more than a game of whack-a-mole, because the perpetrators simply move somewhere else to resume their operations. But the Cambridge researchers note that each takedown creates further repetitive, tedious, work for the administrators to set up their sites anew.

“Recent research shows that the booter market is particularly susceptible to interventions targeted at this infrastructural work, which make the jobs of these server managers more boring and more risky,” the researchers note.

The paper takes care to note that its depictions of the ‘boredom’ of the untrained administrative work carried out in the illicit economy should not be taken as impugning the valuable and complex work of legitimate system administrators. “Rather, it is to recognize that this is a different kind of knowledge and set of skills from engineering work, which needs to be taught, learned, and managed differently.”

The authors conclude that refocusing interventions in this way might also be supported by changes to the predominant forms of messaging used by law enforcement and policy professionals around cybercrime:

“If participation within these economies is in fact based in deviant aspiration rather than deviant experience, the currently dominant approaches to messaging, which tend to focus on the dangerous and harmful nature of these behaviors, the high levels of technical skill possessed by cybercrime actors, the large amounts of money made in illicit online economies, and the risk of detection, arrest, and prosecution are potentially counterproductive, only feeding the aspiration which drives this work. Conversely, by emphasizing the tedious, low-skilled, low-paid, and low-status reality of much of this work, messaging could potentially dissuade those involved in deviant online subcultures from making the leap from posting on forums to committing low-level crime.”

“Additionally, diversionary interventions that emphasize the shortage of sysadmin and ‘pen tester’ workers in the legitimate economy (“you could be paid really good money for doing the same things in a proper job”) need to recognize that pathways, motivations, and experiences may be rather more prosaic than might be expected.”

“Conceptualizing cybercrime actors as high-skilled, creative adolescents with a deep love for and understanding of technology may in fact mischaracterize most of the people on whom these markets depend, who are often low-skilled administrators who understand fairly little about the systems they maintain and administer, and whose approach is more akin to the practical knowledge of the maintainer than the systematic knowledge of a software engineer or security researcher. Finding all these bored people appropriate jobs in the legitimate economy may be as much about providing basic training as about parachuting superstars into key positions.”

Further reading: Cybercrime is (often) Boring: Maintaining the Infrastructure of Cybercrime Economies (PDF).

@kmlefranc: I had to get a background check for my job, and it turns out the report is a 300+ page pdf of every single tweet I've ever liked with the work "fuck" in it.

I came home to a package containing a printout of all 351 pages of it! Obv the dystopia cares about wasting paper. [...] The background check company is Sterling Talent Solutions, and it looks like they contracted with Fama Technologies for this part of the report. [...]

To those asking - I did not give them my handle or permission, I'm assuming they just found this via my (old) name. [...] The especially creepy part is this didn't turn up anything at all relevant or incriminating! I keep personal info on my non-public accounts. But their shitty algorithm means that my "reputation" and "character" is flagged as questionable and sent to my boss. [...]

Though I also liked the "positive flags" section that picked up the words donate and volunteer - most of which were critiques of capitalism and charity culture.

Previously, previously, previously, previously.