Community Manager Forge

Community Manager for Forge.Mil


Up until the end of this week I worked for Booz Allen Hamilton with the title of Senior Defense Researcher. The title was fairly generic, which allowed me, as a consultant and coach, to help in a lot of areas. Some in the technology industry have no problem answering the question of what they do for a living; historically speaking, I have.


Tomorrow is the first day of my new job as a Community Manager for Forge.Mil, the Department of Defense (Defense Information Systems Agency) software development, community and collaboration platform.


Forge.Mil is a cloud-oriented (Software as a Service) technical offering with a great deal of features and functional capabilities. These include:


  • Source code and configuration management
  • Track defects, requirements, and feature requests
  • Task hierarchy and alert mechanism
  • Collect, archive, and release packages
  • Real-time reports on tasks and trackers
  • Discussion Forums
  • Project-based Wiki
  • Document Management


There is a social aspect to Forge called Forge Community, which augments the technical aspects by integrating a “people to people” framework in support of the user community.

This enables the community to:


  • Connect with other Forge.mil users
  • Find Software and Projects
  • Discover and join sub-communities or Groups
  • Improve Collaboration
  • Share Ideas or find Ideas to act on
  • Share Knowledge, Experience and Lessons Learned
  • Find Answers and Solutions
  • Expand the Discussions and Cast a Wider Net to Find an Answer


My job is to help enable community members and to examine technical and non-technical concepts, ultimately to enhance the speed and ease of technical projects in the department.


As I determine what information I can share based on the nature of the work, I will post from time to time anything that I believe is relevant to the greater public.  For now, I am excited to take on this new challenge and it is my intent to help our defense community work effectively and efficiently to accomplish their individual goals and objectives.

CY83r 83H4v10r

A few days ago Applidium, a mobile application company, gave the world some insight into how to essentially hack Siri. Cloud computing as an approach has certain characteristics and patterns from a development or managerial perspective, but considering the physical and logical disposition of technical resources, most if not all of us are already in the cloud. Let's look today at two examples for consideration; the first is Siri. Siri is a cloud service; the application is intended to serve a certain community, although due to the broad spectrum of users it must be exposed to the public. The model of authentication or security is tied to a unique identifier. Applidium goes into detail on this process, and for the purpose of this discussion I am republishing it here. This information is freely available on the Applidium website.

Cracking Siri

On October 14, 2011, Apple introduced the new iPhone 4S. One of its major new features was Siri, a personal assistant application. Siri uses a natural language processing technology to interact with the user.

Interestingly, Apple explained that Siri works by sending data to a remote server (that’s probably why Siri only works over 3G or WiFi). As soon as we could put our hands on the new iPhone 4S, we decided to have a sneak peek at how it really works.

Today, we managed to crack open Siri’s protocol. As a result, we are able to use Siri’s recognition engine from any device. Yes, that means anyone could now write an Android app that uses the real Siri! Or use Siri on an iPad! And we’re going to share this know-how with you.

Demo

The best demo probably is Siri’s speech-to-text feature. We made a simple recording of us saying “Applidium vous souhaite une bonne journé”, and got a perfect result!

Sample_Siri_speech_to_text.zip (70.78 Ko)

This sound sample never went through any iPhone, but nonetheless we got Siri to analyze it for us.

Understanding the protocol – A brief technical history

At Applidium we’re used to building mobile applications. The best way to chat with a remote server is HTTP, as it’s the protocol that is the most likely to work in any case.

The easiest way to sniff HTTP traffic is to set up a proxy server, configure your iPhone to use it, and look at what goes through the proxy. Surprisingly, when we did, we wouldn’t gather any traffic when using Siri. So we resorted to using tcpdump on a network gateway, and we realised Siri’s traffic was TCP, on port 443, to a server at 17.174.4.4.

Going to https://17.174.4.4/ on a desktop machine we noticed that this server was presenting a certificate for guzzoni.apple.com. So it seemed like Siri was communicating with a server named guzzoni.apple.com over HTTPS.

As you know, the “S” in HTTPS stands for “secure”: all traffic between a client and an HTTPS server is ciphered. So we couldn’t read it using a sniffer. In that case, the simplest solution is to fake an HTTPS server, use a fake DNS server, and see what the incoming requests are. Unfortunately, the people behind Siri did things right: they check that guzzoni’s certificate is valid, so you cannot fake it. Well… they did check that it was valid, but the thing is, you can add your own “root certificate”, which lets you mark any certificate you want as valid.

So basically all we had to do was to set up a custom SSL certification authority, add it to our iPhone 4S, and use it to sign our very own certificate for a fake “guzzoni.apple.com”. And it worked: Siri was sending commands to our own HTTPS server! Seems like someone at Apple missed something!

That’s when we realised how opaque Siri’s protocol is. Let’s have a look at a Siri HTTP request. The request’s body is binary (we’ll get into that later), and here are the headers:

            ACE /ace HTTP/1.0
            Host: guzzoni.apple.com
            User-Agent: Assistant(iPhone/iPhone4,1; iPhone OS/5.0/9A334) Ace/1.0
            Content-Length: 2000000000
            X-Ace-Host: 4620a9aa-88f4-4ac1-a49d-e2012910921

A few interesting things:

  • The request is using a custom “ACE” method, instead of a more usual GET.
  • The URL requested is “/ace”.
  • The Content-Length is nearly 2GB, which is obviously not conforming to the HTTP standard.
  • X-Ace-Host is some form of GUID. After trying with several iPhone 4Ses, it seems to be tied to the actual device (pretty much like a UDID).

Now let’s move on to the body. The body is some raw binary content. When we first looked at it with a hex editor, we noticed it started with 0xAACCEE. Oh, seems like a header! Unfortunately, we couldn’t understand anything of what was after that.

That’s when we took some time to think. As people who are used to designing mobile applications, we know there’s one thing which is very important when talking over a network: compression. The bandwidth is often limited, so it’s usually a very good idea to compress your data. And what is the most ubiquitous compression library around? zlib (http://zlib.net/). It’s a very solid library, really efficient and powerful (makes sense, it’s half French!). So we tried to pipe that binary data through zlib. But nothing came out; we were missing a zlib header. That’s when we thought “hmm, so there’s already this AACCEE header in the request body. Maybe there’s some more?”. We developers like to keep things packed. 3 bytes is not a good length for a header. 4 would be. So we tried un-zipping after the 4th byte. And it worked!

Now when we unzipped the content, we got onto some new binary data. Not very understandable either, but some parts were text. Among them, one caught our attention: bplist00. Hurray, it seems like the data is some binary plist. After fiddling a little bit with that binary stream, we figured out it was made out of chunks:

  • Chunks starting with 0x020000xxxx are “plist” packets, xxxx being the size of the binary plist data that follows the header.
  • Chunks starting with 0x030000xxxx are “ping” packets, sent by the iPhone to Siri’s servers to keep the connection alive. Here xx is the ping sequence number.
  • Chunks starting with 0x040000xxxx are “pong” packets, sent by Siri’s server as a reply to ping packets. Without surprise, xx is the pong sequence number.

And deciphering the content of binary plists is very easy, you can do it on Mac OS X with the “plutil” command-line tool. Or in ruby with the CFPropertyList gem on any platform.
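The framing described above (the 0xAACCEE magic, zlib data starting after the fourth byte, and typed chunks carrying binary plists, pings and pongs), as an added example in Python that is neither Applidium's tooling nor part of the original post: it builds a body from constructed messages and parses it back, the way you would when checking a capture against the write-up. It reads the article's “0x020000xxxx” as a one-byte type followed by a four-byte big-endian length (or sequence number) field; that reading, the fourth header byte and the plist contents are assumptions, since the article gives none of them.

```python
import plistlib
import struct
import zlib

MAGIC = b"\xaa\xcc\xee"  # the three bytes Applidium saw at the start of the body

# Chunk types named in the write-up. "0x020000xxxx" is read here as a 1-byte type
# followed by a 4-byte big-endian length/sequence field (assumption about the notation).
CHUNK_PLIST, CHUNK_PING, CHUNK_PONG = 0x02, 0x03, 0x04
HEADER = struct.Struct(">BI")


def chunk(kind: int, field: int, payload: bytes = b"") -> bytes:
    """One framed chunk: type byte, 4-byte field (length for plist chunks,
    sequence number for ping/pong), then the payload."""
    return HEADER.pack(kind, field) + payload


def build_body(messages, ping_seqs=()) -> bytes:
    """Serialise constructed plist messages and ping counters into a body shaped
    like the one described: 4 header bytes, then a zlib stream that is sync-flushed
    rather than closed, since the real connection stays open for keep-alive pings."""
    stream = bytearray()
    for message in messages:
        blob = plistlib.dumps(message, fmt=plistlib.FMT_BINARY)  # begins with b"bplist00"
        stream += chunk(CHUNK_PLIST, len(blob), blob)
    for seq in ping_seqs:
        stream += chunk(CHUNK_PING, seq)
    deflater = zlib.compressobj()
    compressed = deflater.compress(bytes(stream)) + deflater.flush(zlib.Z_SYNC_FLUSH)
    # The article does not give the 4th header byte; 0x02 is a constructed value.
    return MAGIC + b"\x02" + compressed


def parse_body(body: bytes) -> list:
    """Inverse of build_body: check the magic, inflate from the 4th byte on, then
    walk the chunk stream. Returns (kind, value) tuples; plist chunks are decoded.
    Truncated, unknown or trailing data raises, so a damaged capture is not misread."""
    if body[:3] != MAGIC:
        raise ValueError("not an ACE body: missing 0xAACCEE header")
    stream = zlib.decompressobj().decompress(body[4:])  # zlib data begins after byte 4
    records = []
    pos = 0
    while pos + HEADER.size <= len(stream):
        kind, field = HEADER.unpack_from(stream, pos)
        pos += HEADER.size
        if kind == CHUNK_PLIST:
            blob = stream[pos:pos + field]
            if len(blob) != field:
                raise ValueError(f"truncated plist chunk at offset {pos}")
            if not blob.startswith(b"bplist00"):
                raise ValueError("plist chunk does not carry a binary plist")
            records.append(("plist", plistlib.loads(blob)))
            pos += field
        elif kind == CHUNK_PING:
            records.append(("ping", field))
        elif kind == CHUNK_PONG:
            records.append(("pong", field))
        else:
            raise ValueError(f"unknown chunk type 0x{kind:02x} at offset {pos - HEADER.size}")
    if pos != len(stream):
        raise ValueError("trailing bytes after the last complete chunk")
    return records


def round_trip() -> list:
    """Constructed sample: one plist message followed by two keep-alive pings."""
    body = build_body([{"command": "example-request", "codec": "speex"}], ping_seqs=(1, 2))
    return parse_body(body)


if __name__ == "__main__":
    for kind, value in round_trip():
        print(kind, value)
```

Running the file prints the decoded records. The parser is deliberately strict about short plist chunks and unknown types: when the input is a real capture rather than a clean sample, a silent skip would hide exactly the framing mistakes you are trying to find.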

What we learned

We did really learn a few interesting things about how the iPhone 4S talks to Apple’s servers:

The audio data

The iPhone 4S really sends raw audio data. It’s compressed using the Speex audio codec, which makes sense as it’s a codec specifically tailored for VoIP.

Signature

The iPhone 4S sends identifiers everywhere. So if you want to use Siri on another device, you still need the identifier of at least one iPhone 4S. Of course we’re not publishing ours, but it’s very easy to retrieve one using the tools we’ve written. Of course Apple could blacklist an identifier, but as long as you’re keeping it for personal use, that should be alright!

The actual content

The protocol is actually very, very chatty. Your iPhone sends tons of things to Apple’s servers. And those servers reply with an incredible amount of information. For example, when you’re using text-to-speech, Apple’s server even replies with a confidence score and the timestamp of each word.

What’s next?

Here’s a collection of tools we wrote to help us understand the protocol. They’re written mostly in Ruby (because that’s a wonderfully simple language), some parts are in C and some in Objective-C.

Now What?

Technical resources are created with a specific intent and are potentially captured and reused for other purposes. A little history lesson: as long as there have been services made available to the public, people have been finding ways to re-purpose or use those services without paying.

  • Television
  • Digital Cable
  • Digital Satellite
  • Phone (phreaking)
  • Power (leeching)
  • Water

Most of the time these services were regional or geographically isolated. People didn’t have as much access to information as they do today. Just a few days ago hackers took control of a satellite (http://www.pakistantoday.com.pk/2011/11/hackers-take-command-of-us-satellites/), and foreigners with a Russian address damaged a water plant (http://www.theverge.com/2011/11/18/2572079/springfield-water-plant-scada-hacked-us-russia) while at the same time another person got into a system at a Texas plant.

Story after story is the same thing over and over again. In our lifetime, we are never going to stop this behavior. That is the key to this discussion: this is a behavior problem.

Transition ~ L33t H@x0rz http://www.cyberpsychology.com/  http://iconof.com/blog/category/cyberpsychology/

I don’t believe that we can protect the internet. We can protect technical assets that are disconnected from the network, but protecting something connected would be like trying to protect your hand from your brain. If there is a connection and there is INTENT, there will be a result. People who are curious or driven, with unlimited access, can and will find ways to reach these resources. What I am suggesting is that we focus on education and on identifying behaviors to help work on these challenges. Recently I watched the movie Starship Troopers (you know, mindless sci-fi). During the movie the leader, the Sky Marshal, decided to attack the enemy head on. When the troopers attacked they were overwhelmed by the sheer numbers of enemies. There was another aspect as well: the enemy was smarter than expected. Attacking something you don’t understand is not likely to produce the desired result. At some point the leadership decided that it must understand the enemy to achieve success. Cyber threats are no different. We are dealing with thousands of everyday people who have the most up-to-date and relevant information at their command. Some of them work together, some work alone, some are destructive, and some are simply curious or just want to solve a puzzle they are told is unsolvable.

What do you do when the enemy is you? If we start to pay attention to our culture and recognize our actual connectivity with the global community, we can start to find ways to limit our damages. We are not moving to cloud computing or moving towards a cloud paradigm; as long as we are connected by a logical and physical connection we are IN A CLOUD. We need to focus on behavioral sciences with predictive gaming algorithms to identify the greatest risks based on technological trends; this will help us mitigate the damages that will certainly occur.

1986

http://www.phrack.org/issues.html?issue=7&id=3&mode=txt

File: archives/7/p7_0x03_Hacker's Manifesto_by_The Mentor.txt
                               ==Phrack Inc.==

                    Volume One, Issue 7, Phile 3 of 10

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The following was written shortly after my arrest...

                       \/\The Conscience of a Hacker/\/

                                      by

                               +++The Mentor+++

                          Written on January 8, 1986
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

        Another one got caught today, it's all over the papers.  "Teenager
Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
        Damn kids.  They're all alike.

        But did you, in your three-piece psychology and 1950's technobrain,
ever take a look behind the eyes of the hacker?  Did you ever wonder what
made him tick, what forces shaped him, what may have molded him?
        I am a hacker, enter my world...
        Mine is a world that begins with school... I'm smarter than most of
the other kids, this crap they teach us bores me...
        Damn underachiever.  They're all alike.

        I'm in junior high or high school.  I've listened to teachers explain
for the fifteenth time how to reduce a fraction.  I understand it.  "No, Ms.
Smith, I didn't show my work.  I did it in my head..."
        Damn kid.  Probably copied it.  They're all alike.

        I made a discovery today.  I found a computer.  Wait a second, this is
cool.  It does what I want it to.  If it makes a mistake, it's because I
screwed it up.  Not because it doesn't like me...
                Or feels threatened by me...
                Or thinks I'm a smart ass...
                Or doesn't like teaching and shouldn't be here...
        Damn kid.  All he does is play games.  They're all alike.

        And then it happened... a door opened to a world... rushing through
the phone line like heroin through an addict's veins, an electronic pulse is
sent out, a refuge from the day-to-day incompetencies is sought... a board is
found.
        "This is it... this is where I belong..."
        I know everyone here... even if I've never met them, never talked to
them, may never hear from them again... I know you all...
        Damn kid.  Tying up the phone line again.  They're all alike...

        You bet your ass we're all alike... we've been spoon-fed baby food at
school when we hungered for steak... the bits of meat that you did let slip
through were pre-chewed and tasteless.  We've been dominated by sadists, or
ignored by the apathetic.  The few that had something to teach found us will-
ing pupils, but those few are like drops of water in the desert.

        This is our world now... the world of the electron and the switch, the
beauty of the baud.  We make use of a service already existing without paying
for what could be dirt-cheap if it wasn't run by profiteering gluttons, and
you call us criminals.  We explore... and you call us criminals.  We seek
after knowledge... and you call us criminals.  We exist without skin color,
without nationality, without religious bias... and you call us criminals.
You build atomic bombs, you wage wars, you murder, cheat, and lie to us
and try to make us believe it's for our own good, yet we're the criminals.

        Yes, I am a criminal.  My crime is that of curiosity.  My crime is
that of judging people by what they say and think, not what they look like.
My crime is that of outsmarting you, something that you will never forgive me
for.

        I am a hacker, and this is my manifesto.  You may stop this individual,
but you can't stop us all... after all, we're all alike.

                               +++The Mentor+++
_______________________________________________________________________________

Guiding Principles of the DoD Cloud Computing

Guiding Principles of the DoD Cloud Computing Effort

  • The cloud effort will focus on significantly improving operational efficiencies in DoD data centers.
    • These are enduring O&M reductions, not one-time savings
    • Examples: lower power consumption by half (more green), better server-to-admin ratio (lower labor), smaller data centers (less facilities)
  • The cloud effort will yield greater IT resource agility. IT resources will be provisioned in minutes instead of months.
    • High interest problems of national interest can have nearly instant application of computing resources, such as processing power and storage
    • The Department can more agilely add and subtract IT resources to support missions, in a carefully controlled private cloud deployment
  • The cloud effort will provide improved cost effectiveness for providing infrastructure resources to the Department.
    • Economies of scale (e.g., aggregated licensing and purchasing) will lower the unit cost of IT resources to the Department

History tells us the IT model in the DoD is to spend more money and get less consolidated and reusable capability. In other words, you spend more and get less, as opposed to the commercial business world, where you spend less and get more. Business looks to increase the value proposition. The value proposition is a promise, which I believe is important to recognize. Built into this system of business is a check and balance that puts controls on business for customers. For example, Bank of America recently attempted to transfer debit card fees to customers; when customers were outraged and could clearly see the promises between the bank and the customer being broken, they responded by moving their money. In another example, a few posts ago I wrote to Netflix because they decreased the value of their product and increased their costs. The result: over 800,000 subscribers walked on them. My point is that when consumers can see that promises are broken or that “the deal” has changed, they respond with their wallets.

Unless we are talking about essential needs like food, water and cable (heh), people are going to respond as long as they KNOW what is going on.

Government vs People Round #1,000,000,000

The government as a body tells us that it understands the need to save money and recognizes that it needs to change and create a value proposition. The problem is that the government makes many promises to the people that it simply can’t keep. With specific regard to data center consolidation, resource consolidation and the cloud paradigm, the DoD simply will not be able to achieve this without fundamental change in its practice of acquisition. The basic difference between the government implementation of cloud and a consumer or business implementation is that business has control over its change in direction, while government entities only have the ability to affect the limited area they have authority over. THERE IS NO CONSUMER CHECK AND BALANCE! The people can get upset and occupy Wall Street, but that will have no effect on the Title 10 authority of a program.

You can work very hard to accomplish the objective, you can be very busy and build lots of plans, you can map out the process and draw all of the road maps, but at the end of the day it is the result that counts. As a society we continue to treat and focus on the symptoms of problems instead of the actual problems themselves. The result is that the actual problems go untreated and we maintain our busy behaviors, addressing the symptoms with great enthusiasm. Regardless of how hard we work on the symptoms, the results are consistent. If we want to solve the actual problems we need to expose the system to the people. The people will respond and direct the change, facilitated by honest and honorable leadership that has the ability to create the needed adjustments. Just as Bank of America will remain in business, so will the government; it can simply respond to the people. For cloud computing to be effective we will need to change our behavior and address our culture. If we do this we can find the savings we need; if not, we will find many clouds and many cloud strategies all throughout the DoD. Below is the baseline for the federal strategy, a good place to start.

Cloud computing is defined by the National Institute of Standards and Technology as follows:

    Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

    Essential Characteristics:

    • On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
    • Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
    • Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
    • Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
    • Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability[1] at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

    Service Models:

    • Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure[2]. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
    • Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.[3] The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
    • Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

    [1] Typically this is done on a pay-per-use or charge-per-use basis.
    [2] A cloud infrastructure is the collection of hardware and software that enables the five essential characteristics of cloud computing. The cloud infrastructure can be viewed as containing both a physical layer and an abstraction layer. The physical layer consists of the hardware resources that are necessary to support the cloud services being provided, and typically includes server, storage and network components. The abstraction layer consists of the software deployed across the physical layer, which manifests the essential cloud characteristics. Conceptually the abstraction layer sits above the physical layer.

    Deployment Models:

    • Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
    • Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
    • Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
    • Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).