Tuesday, 17 January 2012

Copyright, attribution and assignment.

In recent days I have faced claims of plagiarism to which I have responded in prior posts. In these I have noted how I created documents, sometimes in a group with others and at times with clients.

It has been stated that this is an admission that will lead to liability.

The statement is that I have no rights to use these works as I was only an employee and would contractually have been bound to assign my rights. This is not the case and one where those involved clearly are talking and commenting based on assumptions.

The fact of the matter is that I was not an employee of the company, I was the founder and primary shareholder with over 75% of the shares in the company at the time.

More than this, I was informed enough to have ensured that I maintained all copyright. That is personally. My employees did not like this, but the works they created are covered in this manner. I have to attribute them for those works they created, but they do not maintain copyright in itself. They maintain author’s rights.

Copyright and plagiarism are not the same thing.

They can be related, but the theft of an idea does not always mean the theft of copy. To be theft, it also needs to be intentional. That is the intention to use without authority. This is the legal definition of intent and not that in common parlance.

I have more to follow on thins topic in coming days, but as with all things, I also need to ensure I complete my paid work.

What I did have in all contracts was a “right to use”. That is, those companies who received the works I issued could freely use and distribute those works. This is not an assignment of copyright.

I was always careful to maintain and not assign the rights to those works completely at any stage. The confusion in this I think stems from  the distinction in ownership of rights. When I owned DeMorgan, contracted to the ASX, News Ltd, IBM, CSC and others, we never assigned copyright. I doubt the lawyers in these places would allow me to get away with this now, but those were the early days of the net and few used lawyers to create contracts for small jobs.

More to add and over the coming weekend I will look at posting copies of old contracts. I am amazed how others have to assume that one is an employee and was not an owner of a company. That is not a difficult fact to check.

Monday, 16 January 2012

Cyber (Crime / Espionage / Terror)

Cyber (Crime / Espionage / Terror) Lecture 7

To register:


The lecture series, Cyber (Crime / Espionage / Terror) is on tonight.

This is part 3 of "Cyber Terror" and is lecture 7 of 24.

Reserve your Webinar seat now at:
Lecture 7 in a series of 24. 
We have just seen the largest cyber espionage incident in recorded history and it is only set to get bigger. The rise of cyber based groups engaging in hactivism is creating chaos, but it is only the start as these groups start to do more damage. Al-Qaeda and other pure terror groups have been on the back foot unable to leverage the social aspects of Web 2.0, but will this change as groups such as 
Anon and LulzSec define a distributed model for social malfeasance?
Add to this criminal controlled botnets of millions of zombie hosts and the decade is set to be the decade of the hack!
In this lecture, we focus on Cyber Terror. This will be the next in 4 lectures detailing the rise and development of cyber terror and its links to traditional criminal enterprises (including the drug trade, prostitution and smuggling), states and more.
Presented by Dr Craig Wright of Charles Sturt University [1] and the Global Institute for Cyber Security + Research [2].
Cyber (Crime / Espionage / Terror)
Mon, Jan 16, 2012 7:00 PM - 8:00 PM AEDT
7:00 PM - 8:00 PM AEDT
After registering you will receive a confirmation email containing information about joining the Webinar.

Sunday, 15 January 2012

Why create shellcode?

Shellcode can be complex. To effectively write shellcode, you need to understand what the system is actually doing. Binding to a remote listening port, dropping privileges or even restoring system rights are all common but difficult tasks at the system level. Knowledge of a lower level language (such as C) will help at this point.

In time, it will become necessary to recognize what a system call is expecting and how this can be achieved using assembly code. You will also need to come to know which registers the data you seek to manipulate are held in and where your shellcode’s arguments will be stored, that is again which registers.

Shellcode exists for both Linux and Windows based hosts, but for the purposes of this article, we will focus on exploiting Linux.

Shellcode is named from its origin and primary use (Foster, et. al. 2005), spawning a shell. Though it is possible to create machine code directly, it is both more common and also far simpler to write in Assembly code and to use this to create the machine code using an assembler such as NASM[1]. Shellcode can allow an attacker to do nearly anything that the exploited program can do as well as calling external functions (such as spawning a root shell). Some of the more common uses of shellcode include:

· Linked library injection,

· Binding a service or a shell to a listening port (including UDP),

· Tampering with and removing log and audit entries,

· Creating user accounts or changing passwords,

· Drop active users (especially administrative accounts) from the system, and

· Shovelling a shell (forcing a reverse connection back to a remote system).

Shellcode, as with assembly code is architecture specific. This makes it a little more difficult as it cannot be easily ported between dissimilar processor families. As shellcode generally manipulates the various processor calls directly in order to point them to a desired system call in place of the original calls, the author needs to have an in-depth understanding of a particular processor register and the opcodes that are used to manipulate these.

In order to create shellcode, Assembly code is specifically written to accomplish a chosen operation. It is necessary to assemble this into machine code without any “null bytes”[2] (Foster, et. al. 2005).

System calls

The Linux and Unix operating systems assign individual system call numbers to each function used. A system calls allows the system to manage the communications between the system kernel and the hardware.

“Rings” are generally used to protect or secure the system separating processes and function (figure 1). In this model, controls are built into the kernel to act as check points. These allow or deny calls from higher level rings and control secure functions. Ring 0 is the most trusted or privileged ring in Unix and is defined as kernel mode. Ring 1 is reserved for device drivers and offers some protection from the hardware layer. Ring 3 is the user or application layer and is the security level where most unprivileged operations reside in Linux. Applications running in a higher level need to request access to lower level functions and hardware.

System calls are a means of allowing kernel level functionality and access to hardware from within a program. Many kernel level functions cannot be directly assigned and allocated into the address space of a ring 3 application. System calls allow for the required levels of access in a safer and more controlled manner.

When a user level application needs to access a function that is not within its address space, it needs to first ascertain the system call number (FreeBSD, 2010) of the function it is seeking to invoke and then issue an interrupt (int 0x80)

The assembly instruction “int 0x80” is used to invoke system calls in the manner displayed below:


int 80h ; Call kernel


Here, if a function needed to access a function with more privileges than are provided in Ring 3, the assembly command “call kernel” which would then issue an “int 0x80” and signals the operating system that an event has occurred.clip_image002

Figure 1: Privileges and rings.

If the access is allowed, the OS can schedule the tasks and processes and allow the function call to complete. In general, a system call will also require one or more arguments. The system call number is loaded into the EAX register with the associated arguments being loaded into the EBX, ECX and EDX registers as required.

As an example, if a sys_write() function is called, the value “04” will be written into the EAX register with the arguments that are associated with the function being written into the EBX, ECX and EDX registers as needed with the “int 0x80” statement being loaded last. E.g. to use the sys_write() function to write a value of 16 we would use:

Mov EAX 04

Mov EBX 10

Int 80h

Code 1: calling sys_write()

This instruction set loads the system call number “04” for “int 0x80” into EAX and then loads the value we wish to write (16) into EBX as 10h before executing the interrupt 0x80. The Linux Man page for Syscalls(2) has a good list of common Linux system calls and their associated numbers[3].

[1] The Netwide Assembler.NASM is available for download from http://www.nasm.us/

[2] Common string operators [such as strcpy()] will terminate when a null byte is read. As such, any shellcode with null bytes remaining will likely fail unexpectedly but certainly without achieving the desired goal.

[3] A comprehensive system calls is available online from http://bluemaster.iu.hio.no/edu/dark/lin-asm/syscalls.html or if you are on a Linux system, the file “/usr/include/asm-i386/unistd.h” has a full list of the calls.