Hybrid models, trying to bridge corporate models with open innovation (SENSORICA)

Disclaimer: This blog entry reflects the thoughts of the author and does not speak on behalf of the Sensorica OVN.  

——————————————————————————————————————–

On May 14th SENSORICA and the OVN model were presented (by Tibi) at POINT – Atelier de cocréation et d’innovation. We also actively participated in a workshop where attendees were given the chance to understand the value accounting system and to apply it to a fictional case (see embedded document below). Five workshops were running in parallel on different topics around open innovation. We got great feedback and we were pleased to see that other groups picked up the value accounting system concept and integrated it into their own cases, along with other ideas.  

Among the participants, we had representatives of companies and consortia, as well as academics, all eager to learn more about open innovation. The working definition of open innovation was very broad. I (Tibi) presented the more restricted concept of open source innovation.
One interesting observation
People are trying to bridge open source with the corporate model by creating hybrid models. It seems to me (Tibi) that the proposed hybrid models were lacking a deep understanding of the organic nature of open communities. Almost all of them featured mechanisms of control and value capture that can compromise the sustainability of the open community, which is narrowly instrumentalized to supply innovation to the box (i.e. a classical entity, corporation or other, that has well-defined boundaries such as a fixed number of employees bounded by contractual relations, limited budgets, limited production capacity, etc.). Arduino, a working hybrid model, seems to work well. But not everyone is able to walk that fine balance between extracting value from an open community and nurturing this open community.

In the end, these people are invested in the box and their natural reaction is to preserve it, while they are trying to reap the benefits of open innovation. The natural state of open innovation is open source. This happens within communities or networks, which are open (access to participation), transparent (access to information), decentralized (allocation of resources) and horizontal (access to governance and decision making). All this is fundamentally incompatible with corporate models.

During this event I realized that you can have 3 main attitudes with respect to open source innovation (open innovation in its pure sense).

  1. tabula rasa – Find a new self-sustainable system of production and distribution that fits on top of open source innovation. This assumes that this new mode of innovation dominates all the other ones and therefore, new modes of production will eventually self-organize around it, leading to a new type of economy. I personally bet on commons-based peer production and more precisely on the OVN model.
  2. opportunism – Find a way for existing corporations (or other classical structures or boxes) to capture the value through open source innovation. This leads to a dilution of the open source innovation concept to simply open innovation, and to the creation of hybrid models. This attitude assumes that the corporate model is still viable and that it can co-opt the new modes of innovation. I personally think this is the wrong attitude.
  3. pragmatism – Realize that open source innovation is dominating other forms of innovation, and that new modes of production will eventually structure around it (might be the OVN model). But in order to establish flows from the classical economy to the new during the transition period, we can create hybrid structures like Arduino, Adafruit and so on. 

The problem of bridging corporate models with open innovation is a false one, and can only be perceived as a problem during the transition. The new natural state of economic production is, in my opinion, Open Value Networks, because they build on open source.

See also my article Open Source Hardware meets the p2p economy

Wildcard DNS, Content Poisoning, XSS and Certificate Pinning (w00tsec)

Hi everyone, this time I’m going to talk about an interesting vulnerability that I reported to Google and Facebook a couple of months ago. I had some spare time last October and I started testing for vulnerabilities on a few companies with established bug bounty programs. Google awarded me $5000.00 and Facebook paid me $500.00 for reporting the bugs.

I know you may be more interested in highly sophisticated exploits that allow arbitrary file upload to the Internet, with custom payloads that may lead to unexpected behavior like closing Security Lists. Hopefully this class of bugs is already patched by Fyodor, and Attrition is offering an efficient exploit mitigation technique.

The title may be a little confusing, but I’m going to show that it’s possible to combine all these techniques to exploit vulnerable systems.

Content Poisoning and Wildcard DNS

Host header poisoning occurs when the application doesn’t validate full URLs generated from the HTTP Host header, including the domain name. Recently, the Django Framework fixed a few vulnerabilities related to that, and James Kettle made an interesting post discussing lots of attack scenarios using host header attacks.

While testing this issue, I found a different kind of Host header attack that abuses the possibility to browse wildcard domains. Let’s have a quick look at the Wikipedia entry on Hostnames:

“The Internet standards (Request for Comments) for protocols mandate that component hostname labels may contain only the ASCII letters ‘a’ through ‘z’ (in a case-insensitive manner), the digits ‘0’ through ‘9’, and the hyphen (‘-’). The original specification of hostnames in RFC 952 mandated that labels could not start with a digit or with a hyphen, and must not end with a hyphen. However, a subsequent specification (RFC 1123) permitted hostname labels to start with digits. No other symbols, punctuation characters, or white space are permitted.”

The fun part here is that the network stacks of Windows, Linux and Mac OS X consider domains like -www.plus.google.com, www-.plus.google.com and www.-.plus.google.com valid. It’s interesting to note that Android won’t resolve these domains for some reason.

Take, for example, the following URL: https://www.example.com.-.www.sites.google.com. If we compose an e-mail and paste it into the body, GMail will split it and the received message will have two “clickable” parts (https://www.example.com and sites.google.com).

Most e-mail-based notifications use the very same host you are browsing in order to compose the notification messages: you see where this is going, right?

Facebook has a wildcard DNS entry at zero.facebook.com. In order to exploit the flaw, we have to browse the service using a poisoned URL and perform actions that may need e-mail confirmation, checking whether Facebook mails the crafted URL to the user.

The only vulnerable endpoint that I found affected by this issue was the registration e-mail confirmation. You may be asking, how could one exploit this to attack a legitimate user?

Suppose I want to attack the Facebook account of goodguy@example.com. I can create or associate a “duplicate” account using the “+” sign by browsing Facebook with these injected URLs. If I navigate to Facebook using a URL like https://www.example.com.-.zero.facebook.com, all I have to do is create the duplicate account goodguy+DUPLICATE@example.com. Most e-mail services like GMail and Hotmail don’t consider what you type after the “+” and forward it to the original account.

In this case, all e-mails that Facebook sent to confirm that association had the poisoned links.

This can also be used to poison password reset e-mails, but Facebook’s forms were not affected. They quickly fixed that by hard-coding the proper URL into their e-mail confirmation system. It’s also possible (but not recommended) to fix these issues by sending notifications with relative links instead of complete URLs (“please click here” instead of “please click on the specified URL: www.example.com.-.zero.facebook.com”).
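As an added example (not code from the original post, nor from Facebook or Google), here is the vulnerable notification-link pattern next to a hardened one. Labels are checked against the RFC 952/1123 rules quoted above, and the host placed in outgoing absolute URLs is taken from an explicit allow-list rather than from the request, which is the effect of the hard-coded fix described in the post. The allow-list, the path and the token are constructed for the example.

```python
import re
from urllib.parse import urlunsplit

# One RFC 952 / RFC 1123 hostname label: letters, digits and hyphen, 1-63 chars,
# no leading or trailing hyphen. The OS resolver will happily look up
# 'www-.plus.google.com' or 'www.-.plus.google.com', so the application must
# do this check itself rather than rely on the resolver.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_rfc_hostname(host):
    """True only if every label of `host` satisfies the rules quoted above."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def naive_confirmation_url(host_header, path, token):
    """The vulnerable pattern: the absolute link in the e-mail is built from whatever
    Host header the browser sent, so a crafted wildcard subdomain ends up in the mail."""
    host = host_header.split(":", 1)[0].lower()  # drop any port
    return urlunsplit(("https", host, path, "token=" + token, ""))


def canonical_host(host_header, allowed_hosts, default_host):
    """Choose the host for outgoing absolute URLs (notifications, redirects).

    The Host header is attacker-controlled input. It is used only when it is both
    RFC-compliant and an exact member of the allow-list; anything else falls back
    to the configured canonical host. No suffix matching is done, because a suffix
    check is exactly what 'www.example.com.-.zero.facebook.com' would pass.
    """
    host = host_header.split(":", 1)[0].lower()
    if is_rfc_hostname(host) and host in allowed_hosts:
        return host
    return default_host


def safe_confirmation_url(host_header, allowed_hosts, default_host, path, token):
    """Hardened builder: same link shape as the naive one, but the host is vetted."""
    host = canonical_host(host_header, allowed_hosts, default_host)
    return urlunsplit(("https", host, path, "token=" + token, ""))


if __name__ == "__main__":
    # Constructed values: an allow-list, a poisoned Host header and a dummy token.
    allowed = {"www.facebook.com", "zero.facebook.com"}
    poisoned = "www.example.com.-.zero.facebook.com"
    print(naive_confirmation_url(poisoned, "/confirm", "abc123"))  # link lands on the attacker's host
    print(safe_confirmation_url(poisoned, allowed, "www.facebook.com", "/confirm", "abc123"))
```

The allow-list is exact-match on purpose: a service that legitimately answers on many wildcard subdomains should still enumerate the hosts it is willing to print into e-mails, since every other host under the wildcard is reachable by anyone who can type a URL.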

XSS and Wildcard DNS

While searching for these issues on Google I quickly found wildcard domains like:

– https://w00t.drive.google.com
– https://w00t.script.google.com
– https://w00t.sites.google.com

In case you’re wondering how to quickly find these wildcard domains, you can download the scans.io datasets and look them up there. You can find these references in the Reverse DNS records or by searching for SSL certificates issued to wildcard domains, like *.sites.google.com.

During my initial tests, I was unable to craft URLs using .-. inside the drive.google.com domain (I got 500 error messages) and all I could do was create URLs like this: https://www.example.com-----www.drive.google.com.

When you browse Google Drive using this URL, upload a file to a folder and try to Zip/Download it asking for an e-mail confirmation (“Email when ready”), the e-mail confirmation message will look like this:

The “ready for downloading” link would point to https://www.example.com-----www.drive.google.com/export-result?archiveId=REDACTED. So far no big deal, I was still unable to poison the links… And phishing yourself is not that useful =)

I kept testing different URLs until I found a weird behavior on Google’s DNS servers. When typing URLs containing a domain you control, followed by a certain number of “-” and the wildcard domain from Google, the resolved IP would be the one from the URL you control.

(Image: My highly sophisticated Fuzzer in action)

For some reason, there was a glitch on their DNS servers, more specifically in the regexp that stripped “--” from the domain prefixes. I’m not sure why they performed these checks, but that may have something to do with Internationalized Domain Names.

(Image: XKCD’s take on the bug)

Some Google domains affected by this issue (October 2013):

– docs.google.com
– docs.sandbox.google.com
– drive.google.com
– drive.sandbox.google.com
– glass.ext.google.com
– prom-qa.sandbox.google.com
– prom-test.sandbox.google.com
– sandbox.google.com
– script.google.com
– script.sandbox.google.com
– sites.google.com
– sites.sandbox.google.com

Now that I can impersonate a Google domain, it’s possible to abuse the Same Origin Policy and issue requests on behalf of a logged-in user. lcamtuf already told us about HTTP cookies, or how not to design protocols. What happens if we control www.example.com and a user logged into drive.google.com visits the crafted URL http://www.example.com---.drive.google.com?
(Image: request goes to the legitimate site)

(Image: request goes to the user-controlled site, in this case my own server running nginx)

This amounts to an XSS-like attack: you have now bypassed the same origin policy and you can, for example, steal cookies and run scripts in the context of the site.

Certificate Pinning and Wildcard DNS

So far so good, but what if we were performing the same tests on Google Chrome, which enforces Certificate Pinning for their domains? I didn’t notice at first, but I accidentally found an issue in Chrome too: it was failing to perform the proper HSTS checks for these non-RFC-compliant domains.

Other parts of the network stack were processing and fetching results for these “invalid” DNS names, but TransportSecurityState was rejecting them and therefore HSTS policies didn’t apply. They simply removed the sanity checks to make TransportSecurityState more promiscuous in what it processes.

You can easily reproduce this on Chrome prior to v31: proxy Chrome through OWASP ZAP (accepting its certificate), visit URLs like https://sites.google.com and Chrome will display a “heightened security” error message. If you type URLs like https://www-.sites.google.com or https://www-.plus.google.com, Chrome offers the option to “Proceed anyway”. If you’re in Turkey right now you don’t need to do anything, Turkish Telecom does all the MITM job for you.
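The gap described above can be reproduced in miniature. The code below is an added illustration, not Chromium’s TransportSecurityState: a preload table (constructed; the field names `include_subdomains` and `pinned` are my own simplification, not the ones in transport_security_state_static.json) is walked label by label from the full hostname up to each parent domain, and the `reject_invalid_labels` switch models the pre-fix sanity check that returned no policy at all for non-RFC names while the rest of the stack still connected to them.

```python
import re

# Same label rule as the RFCs quoted earlier in the post. Here it plays the role of
# the "sanity check" that the pre-fix code applied before any policy lookup.
_STRICT_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed preload table. The real list lives in transport_security_state_static.json;
# the field names used here are an assumption made for this example.
PRELOAD = {
    "google.com": {"include_subdomains": True, "pinned": True},
    "example.net": {"include_subdomains": False, "pinned": False},
}


def lookup_policy(host, preload, reject_invalid_labels):
    """Return the preload entry governing `host`, or None when no HSTS/pinning applies.

    The lookup walks from the full name up through each parent domain and accepts an
    entry for the exact name, or for a parent marked include_subdomains. Walking by
    whole labels (not string suffixes) is what keeps 'google.com.evil.org' out.

    With reject_invalid_labels=True the function refuses non-RFC names up front. That
    is the behaviour the post describes for Chrome prior to v31: 'www-.sites.google.com'
    was connected to, but no policy was found for it, so neither HSTS nor pins applied.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if reject_invalid_labels and not all(_STRICT_LABEL.match(label) for label in labels):
        return None
    for i in range(len(labels)):
        entry = preload.get(".".join(labels[i:]))
        if entry is not None and (i == 0 or entry["include_subdomains"]):
            return entry
    return None


def connection_checks(host, preload, reject_invalid_labels=False):
    """What the client will enforce for this host, as (force_https, check_pins)."""
    entry = lookup_policy(host, preload, reject_invalid_labels)
    if entry is None:
        return (False, False)
    return (True, entry["pinned"])


if __name__ == "__main__":
    for name in ("sites.google.com", "www-.sites.google.com", "www.-.plus.google.com"):
        print(name,
              "pre-fix:", connection_checks(name, PRELOAD, True),
              "post-fix:", connection_checks(name, PRELOAD, False))
```

The defensive lesson is the one the post draws: the policy lookup must accept every name the rest of the stack is willing to connect to. A validator that is stricter in the security layer than in the connection layer does not reject the connection, it only removes the protection.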

It’s worth mentioning that when you issue a wildcard certificate for your host, it will be valid for a single level only. Certificates issued to *.google.com should not be trusted when used on domains like abc.def.google.com.
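An added example of that single-level rule, written as a certificate name matcher in the spirit of RFC 6125 section 6.4.3 (and RFC 2818); it is not code from the post or from Chrome, and the sample subjectAltName list is constructed.

```python
def cert_name_matches(pattern, host):
    """Match one certificate DNS name (CN or SAN entry) against the requested host.

    '*' is accepted only as the whole leftmost label and stands for exactly one label.
    Hence '*.google.com' covers 'sites.google.com' but neither 'abc.def.google.com'
    nor 'google.com' itself.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Partial ('w*w') or non-leftmost wildcards are refused outright.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # '*.com' style names would cover a whole public suffix; refuse them.
    if len(p_labels) < 3:
        return False
    # Exactly one label may stand in for '*', and the rest must match label for label.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers_host(dns_names, host):
    """True if any name in the certificate's subjectAltName list covers `host`."""
    return any(cert_name_matches(name, host) for name in dns_names)


if __name__ == "__main__":
    # Constructed SAN list resembling a wildcard certificate for one property.
    san = ["*.sites.google.com", "sites.google.com"]
    for host in ("w00t.sites.google.com", "sites.google.com", "a.b.sites.google.com"):
        print(host, cert_covers_host(san, host))
```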

The hardcoded list of domains and pinned certificates from Chrome can be found here:

– https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json

During my analysis, I found that 55 out of 397 domains with Transport Security enabled had wildcard entries in their DNS. A nation-sponsored attacker with a valid and trusted CA could simply MITM your traffic and inject requests to these invalid domains, circumventing the HSTS policies and stealing session cookies, for example.

Google did not assign a CVE for that bug, but they fixed that within a couple of weeks. Chrome 32 and 33+ (the one that changed the SSL warning from red to yellow) are not affected by this issue.

In times of goto fail, it was really interesting to follow the Chromium tracker, their internal discussions, tests performed and so on. The commits fixing these issues can be found here.

Conclusion

Google and Facebook security teams were both great to deal with. The bug was quite fun as well because it was different from the traditional OWASP Top 10 issues.

And because the industry totally needs new Vulnerability terminologies, anyone willing to refer to these attacks shall name them Advanced Persistent Cross Site Wildcard Domain Header Poisoning (or simply APCSWDHP).

In case you’re from NSA and want to use this technique to implant our DNS’s, please use the codename CRAZY KOALA so we could better track them when the next Snowden leaks your documents.

Value cycle and value equation (SENSORICA)

Creative Commons (BY NC CA) licence granted by the author(s)

Disclaimer: This blog entry reflects the thoughts of the author and does not speak on behalf of the Sensorica community. Further, the work is built on the work of the Sensorica community on the value equation. Moreover, the author has many views on the value equation and this blog represents only one of the many perspectives. Lastly, the author assumes that the reader is familiar with the concepts of the Open Value Network.

The current capitalistic economic model was designed in the industrial era to reflect the thoughts, culture, technology, knowledge and processes of that era. In fact, our current economic model has been optimized to reflect the technological (information processing) capacity of the industrial era. The internet era, however, requires a new economic model and new efficiency mechanisms. In order to understand the notion of the value equation, it is important to understand the value cycle and the efficiency mechanisms of the current economy.

Value cycle

The value cycle refers to the processes by which value is created, exchanged, distributed and accumulated in the economic system.

Fig: Value Cycle

Value creation refers to what we call “use-value” in economics. People contribute to the value creation process by providing time, ideas, financial capital, labour, etc., and value streams (or relationships between contributions) are built during the value creation process, which often involves a (large) number of people, in order to satisfy present and/or future needs and wants of the market. Once sufficient value is created, it becomes Goods, Products and/or Services including knowledge (GPS) that can be exchanged for another GPS, which has undergone a value creation process by a (large) number of people. The issue is that value exchange among GPS becomes a matching problem. That is, 5 apples = 3 oranges = 7 bananas = … varies by personal subjectivity; this is why money exists, to simplify and create efficiencies in the value cycle. Afterwards, the exchanged GPS (ex: money, apples, etc.) needs to be distributed (reward, salary, labour hours, etc.) among a (large) number of people. Lastly, exchanged GPS or value is stored and re-used for future value creation processes (ex: savings, seeds, etc.).

Currencies exist in order to create efficiencies in the marketplace by creating units for the value cycle. Conceptually, a currency could be thought of as a standard for the unit of value. Perhaps not so surprisingly, money becomes the de-facto currency since it already exists as units, but at the end of the day, money is nothing more than a solution for the matching problem. In its current state money solves two crucial matching problems: the value exchange problem (5 apples = 3 oranges = 7 bananas = $10) and the value distribution (“equitable” reward) problem (or salary/pay in simple words). In a free-market system, this is a matching problem in the sense that the basic units exist and the people do the matching; hence, 1 apple = $2, 1 orange = $1, 1 banana = $0.5, etc. (exchange process), and similarly, 1 hour of work of an engineer = $60, etc. (distribution process); whereas, in a controlled market, the government does the matching (subsidies, fixed income, etc.). In reality, all systems are a combination of the two.


There are three major problems within the current industrial-era value cycle that would need to be addressed within the internet era. First, the reserves (accumulation) process becomes a value creation process by the principle of interest (money makes money); this makes money the de-facto currency. Second, only money is used for motivation during the value creation process by influencing the value distribution process, even though research shows that money is a negative motivator (hygiene factor), that is, without money people still work but with money people may or may not work. Third, the value creation process can involve thousands of people (for example, open-source projects) but exchange value (including reward and money) can only be distributed to a small subset of participants in the value creation process. This phenomenon is observed because accounting during the value creation process and valuation during the value distribution process are optimized for the industrial era, relying on extreme human intervention, and not for the internet era.

The key idea behind the value equation is to reformulate the value distribution problem as a matching problem and disconnect money (or exchange value) from the process of value distribution. Even though money could be the reward to be distributed, it is not the only basis of the accounting. In this way, the value equation and accounting can provide a solution to the matching problem of value distribution in the internet era. The value equation, however, does not solve the value exchange or accumulation problem, although the ideas in this blog could be extended to those problem sets.

Side notes: Unitized (unit-based) currency made sense when we did not have the technology to “solve” complex NP-hard or NP-complete problems. Perhaps we still do not have the technology and mechanism (data) to “solve” the matching problem for a larger problem (ex: the marketplace), but we do have the technology to “solve” the matching problem for the value distribution process. Technically speaking, we do not know how to “solve” NP-complete problems efficiently, that is, calculate the optimal solution. However, we do know how to approximate them and, for a certain class of NP problems, we understand the range of error of the approximation.

Value equation

As mentioned above, the value distribution process currently (in traditional organizations) uses money. Money, again, is a solution to the matching problem for the value exchange process that is also used within value distribution processes (ex: salary). Nevertheless, organizations also use stocks in the value distribution process. Stocks are a unitized solution to the matching problem for the distribution process, similar to what money is for the value exchange process. Similarly, equity represents a non-unitized solution to the matching problem for the value distribution process. The value equation, simply put, is a way to decide how many stocks or how much equity to issue to each contributor to the project. That is, equity or stock may or may not have any market value or exchange value; similarly, the value equation is simply an agreement on the rules for the distribution of exchange value.

Conceptually, the value equation could be thought of as an algorithm to solve the matching problem of how many stocks to generate or how to create equity in order to match the rewards to contributors as per the ethos of the system. The current societal approach to the problem of value distribution today is that we create units and then hope that the solution to the problem is optimized in such a way that all parties would be satisfied. This is a challenging problem since we are relying on humans to solve a matching problem. Matching problems are NP-complete or complex and hence the optimal solution, or even an approximation thereof, is not possible due to human factors (we cannot possibly track and compute this information in our heads). An optimal solution to the value distribution matching problem would accurately map the contributions to rewards, but there is no such thing as the “true” value of a contribution. This requires a complex accounting system to track the contributions and rewards as well as an algorithm to perform the mapping.


Value and contributions are subjective unless we analyze entropy (ecological economics deals with this to introduce objectivity) and/or information (which I argue is also subjective). Comparing the value distribution process to the value exchange process, the question is similar to that of how many apples for how many oranges? It depends on whom we ask, but we may get median- or mode-type responses to determine the “democratic” subjectivity; this subjectivity, however, changes with time, advertisement, scarcity, etc.

Determining a value equation is thus a subjective issue determined by the ethos of the system. The value equation could vary from capitalism (completely free market) to communism (complete equality) to a time-based system, and a mathematics-based one (machine learning and collective intelligence). Similarly, the governance of the value equation, or governance equation (the decision on the value equation itself), would also vary from democracy (a representative decides on the value equation), direct democracy (every participant decides on the value equation) and liquid democracy (trust-based representatives decide on the value equation) to meritocracy, dictatorship, kingship, etc.

One of the major advantages of the value equation is the flexibility in defining the system based on ethos. Whereas the industrialized system enforced a certain ethos (capitalism vs. communism), the internet era allows for a choice of ethos. Nevertheless, there are certain best practices that could be adopted to ensure longer-term continuity of the system. The following section provides one of my thoughts on how to design such a system (or value equation).

Note: rewards in our present society refer to money (and/or reputation at times, etc.) but in the future, rewards could be very varied. For example, the barter system (1-to-1 trading) and the network barter system (many-to-many trading) are interesting ways to solve the matching problem of value exchange. EconomyApp is working on the network barter system but it uses money as units in the barter system. It would be interesting in the future to link the value exchange and distribution matching problems. I think this would give rise to a completely different currency system.

“Solving” for the value equation

In our approach in traditional economics, we generate money and then solve for equitability or satisfaction. That is, money is created and then we use the income distribution as a measure to understand the health of economic system. At Sensorica, we have been using a similar approach in the value equation design process: create the equation and then verify to see if people are satisfied and perhaps negotiation could be used after the fact for satisfaction. In this blog, I would like to present a different approach.

The key idea behind this new approach to the value equation is to fix the income distribution first (how poor the poor should be and how rich the rich should be) and then place people (“high or low in the food chain”) based on their contribution. Hence, the placement of people with respect to their contribution is used as the health check rather than the distribution of income. In other words, the income distribution (or relative inequality) is fixed.

The placement of people on the income distribution, however, is probabilistic (as per contribution) in the algorithm, since the algorithm is stochastic in nature; hence it would reduce any “corruption” or human negotiation errors. Also, since it is stochastic (random at times), the solution generated may be more acceptable due to the phenomenon of procedural justice. From a motivation perspective, the algorithm is designed to ensure continuity of the value creation process since it provides incentives to work hard (higher probability of being higher in the “food chain”) while keeping the income spread low and the standard of living relatively decent at the bottom, since anyone could end up at the bottom (but most likely those who don’t contribute much would end up at the bottom).

Premise behind the Value equation algorithm

(Some raw ideas for now)
Relevant background needed:
1) Process fairness
2) Cooperative vs. competitive games
3) Risk-based game theory
4) Auction games
5) Scale-free networks
6) Statistics (for lottery games)
(the talk talks about co-operative games a lot)
(most interesting part at ~39 minutes, on process fairness within the cement delivery industry) <- there is a lot of other literature on process fairness
3) See the paper by Lara Buchak, “Risk aversion and rationality”, July 2009
(although I am not sure which type of auction game to play, i.e. which bidding system)
5) Scale-free networks (Wikipedia); a better source of information: the Scientific American article on scale-free networks (2003)
(Again, lots more interesting papers exist on scale-free networks)
6) Lottery mathematics or stochastic weighted matching (for mathematicians)
Basic Idea:
– People get equity based on chance (probability is based on their contribution, the higher the contribution, the higher the probability of getting higher equity)
Why:
– Process could be more important than meritocracy or equality
– People are willing to agree upon a chance based system as long as the process is fair
– Because of chance, people have an incentive to reduce their risk and collaborate to lower the income differentiation (conceptually, increase the minimum wage and reduce the maximum wage)
– People would continue to play the game (as long as the effort generates exchange value) 
Refinement:
Assumption:
– Value accounting system exists and people insert contribution data (contribution is everything – time, money, ideas, labour, material, etc)
Auction:
– People bid to decide how much the lowest worker should get paid compared to the highest worker (as a ratio), ex: 1:12 (they tried this in Switzerland), 1:100, etc.
– The auction can be a multiple-round auction (for a fixed number of rounds or until the system stabilizes)
– The auction can be repeated over time (every month, every year, etc.) at fixed or random intervals
– The auction can be repeated after the value exchange process has begun.

Nuance: In a unit-based system (ex: a money-based currency such as dollars), people may also bid on the minimum wage.

At the conclusion of each auction:
– The system creates the income distribution function that follows either normal distribution or power-law distribution 
Nuance – 
– It would be interesting to experiment to see which combination is better for the distribution between the governance equation and the valuation equation. Example: the governance equation could follow a normal distribution (most people have the same voting power), whereas the value equation could follow a power-law distribution (high contributors get a lot more than low contributors)
– It would be interesting to experiment by asking people to bid between a normal and a power-law distribution
Next, the system picks people to win the “lottery”, where the lottery decides where you get placed in the income distribution (or percentile). Your probability of winning a higher percentile would need to be proportional to your contribution.
Nuance: 
– Contribution could be peer valuated or weighted.  
– People may or may not assign a decay function for your contribution (ex: depreciation of physical goods)
Lastly, the exchange value is distributed as per the distribution function and your placement on the distribution function.
Note: the auction could be conducted as a series of questionnaires (mandatory or not), or via direct democracy, liquid democracy, the governance equation, etc. For this game, I assume there is 100% submission and that the bidders understand the game (perfectly knowledgeable, participative and rational bidders).
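The procedure above (auction on the ratio, fixed income distribution, lottery placement weighted by contribution, then distribution of the exchange value) as one runnable sketch. This is an added example, not Sensorica’s value accounting system or any code of the author; the settlement rule (median bid), the two slot shapes and the ticket weighting are my own assumptions, and the bids and contributions are constructed.

```python
import random
from statistics import NormalDist, median


def settle_ratio_auction(bids):
    """One auction round. Every participant bids the top:bottom income ratio they find
    acceptable (12 means 1:12); the round settles on the median bid, so a few extreme
    bids cannot drag the result. Repeat per period, or until the median stops moving."""
    if not bids:
        raise ValueError("an auction round needs at least one bid")
    return max(1.0, float(median(bids)))


def income_slots(n, ratio, kind="power"):
    """n income shares ordered from the top slot down, with top / bottom == ratio.

    'power' spreads the slots geometrically (a long-tailed, Pareto-like profile);
    'normal' places them at the quantiles of a normal curve, then rescales so the
    extremes sit at 1 and ratio. Both shapes are assumptions for this sketch.
    """
    if n == 1:
        return [1.0]
    if kind == "power":
        raw = [ratio ** (i / (n - 1)) for i in range(n)]
    elif kind == "normal":
        z = [NormalDist().inv_cdf((i + 0.5) / n) for i in range(n)]
        lo, hi = z[0], z[-1]
        raw = [1.0 + (v - lo) / (hi - lo) * (ratio - 1.0) for v in z]
    else:
        raise ValueError("unknown distribution kind: %s" % kind)
    return sorted(raw, reverse=True)


def _weighted_pick(rng, names, weights):
    """Draw one name with probability proportional to its weight. If nobody left has any
    recorded contribution (all weights zero) the draw is uniform, so the bottom slots
    still get filled and the game does not stall on non-contributors."""
    total = sum(weights)
    if total <= 0:
        return rng.choice(names)
    r = rng.random() * total
    acc = 0.0
    for name, w in zip(names, weights):
        acc += w
        if r < acc:
            return name
    return names[-1]


def place_by_lottery(contributions, seed=None):
    """Fill the slots from the top down. Each slot is a lottery in which a participant's
    ticket count is their contribution; winners leave the pool. Returns names ordered
    from the top slot to the bottom one."""
    rng = random.Random(seed)
    pool = {name: max(0.0, float(c)) for name, c in contributions.items()}
    order = []
    while pool:
        names = list(pool)
        winner = _weighted_pick(rng, names, [pool[n] for n in names])
        order.append(winner)
        del pool[winner]
    return order


def distribute(total, contributions, ratio, kind="power", seed=None):
    """Split `total` exchange value: place people by lottery, then pay each slot its share."""
    order = place_by_lottery(contributions, seed)
    slots = income_slots(len(order), ratio, kind)
    scale = total / sum(slots)
    return {name: share * scale for name, share in zip(order, slots)}


if __name__ == "__main__":
    # Constructed inputs: five bids on the ratio and three contributors' logged hours.
    ratio = settle_ratio_auction([10, 12, 100, 12, 8])
    hours = {"alice": 40.0, "bob": 12.0, "carol": 3.0}
    print("settled ratio 1:%d" % ratio)
    print(distribute(1200.0, hours, ratio, kind="power", seed=2014))
```

Because placement is stochastic, run `distribute` with many different seeds to see that the heaviest contributor lands in the top slot most often but not always, while the top/bottom spread never exceeds the ratio the auction settled on; that pairing of chance with a fixed, bid-for inequality is the procedural-justice property the post is after.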
