Apple + Patching = You’re Doing It Wrong :(

Apple just released iOS 7.1.1, which contains a bunch of security fixes for a wide range of things. Of particular interest is the list of issues they fixed in WebKit, which includes:

CVE-2013-2871 : miaubiz
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative

What’s particularly interesting about this list is that it looks an awful lot like the list of bugs fixed in Safari 7.0.3 on the desktop, which was released some 3 weeks ago on April 1st:

CVE-2013-2871 : miaubiz
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-6625 : cloudfuzzer
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative
CVE-2014-1301 : Google Chrome Security Team
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative

OK, so the desktop patch also included a few more issues – but clearly the iOS vulnerabilities they just fixed are a direct subset of the vulnerabilities they fixed 3 weeks ago. Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines:
“I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS”.

Seriously, Apple – what the fuck?

Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?

Someone tell me I’m not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms – but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?

In what world is this acceptable?

I’m starting a bounty. One thousand Defcoin and my eternal respect to the first person to cross-check the list of bugs fixed in iOS versus the list of bugs fixed in OS X, and draw a pretty graph (with supporting open-source data) of how many patches are missing on each platform compared to the other over time. Should be an interesting picture…
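The cross-check the bounty asks for, sketched as an added example (not code from this post or from Apple): it parses the two WebKit lists above and computes, per platform, which CVEs another platform's advisory had already made public while that platform was still unpatched. The 2014 year and the April 22 date for iOS 7.1.1 are assumptions consistent with the post's "some 3 weeks"; all function names are made up for this example.

```python
import re
from datetime import date

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_cves(advisory_text):
    """Set of CVE IDs in advisory text ('CVE-... : credit' lines or bare IDs)."""
    return set(CVE_RE.findall(advisory_text))


# WebKit CVE IDs exactly as listed in the post (credits dropped for brevity).
SAFARI_7_0_3 = parse_cves("""
CVE-2013-2871 CVE-2013-2926 CVE-2013-2928 CVE-2013-6625 CVE-2014-1289
CVE-2014-1290 CVE-2014-1291 CVE-2014-1292 CVE-2014-1293 CVE-2014-1294
CVE-2014-1298 CVE-2014-1299 CVE-2014-1300 CVE-2014-1301 CVE-2014-1302
CVE-2014-1303 CVE-2014-1304 CVE-2014-1305 CVE-2014-1307 CVE-2014-1308
CVE-2014-1309 CVE-2014-1310 CVE-2014-1311 CVE-2014-1312 CVE-2014-1313
CVE-2014-1713
""")
IOS_7_1_1 = parse_cves("""
CVE-2013-2871 CVE-2014-1298 CVE-2014-1299 CVE-2014-1300 CVE-2014-1302
CVE-2014-1303 CVE-2014-1304 CVE-2014-1305 CVE-2014-1307 CVE-2014-1308
CVE-2014-1309 CVE-2014-1310 CVE-2014-1311 CVE-2014-1312 CVE-2014-1313
CVE-2014-1713
""")

# (platform, release, date, CVEs fixed). "April 1st" is from the post; the
# year and the iOS 7.1.1 date are assumptions (see lead-in).
RELEASES = [
    ("OS X", "Safari 7.0.3", date(2014, 4, 1), SAFARI_7_0_3),
    ("iOS", "iOS 7.1.1", date(2014, 4, 22), IOS_7_1_1),
]


def first_fix_dates(releases):
    """platform -> {cve: earliest date a release for that platform fixed it}."""
    fixed = {}
    for platform, _name, released, cves in releases:
        per_platform = fixed.setdefault(platform, {})
        for cve in cves:
            per_platform[cve] = min(released, per_platform.get(cve, released))
    return fixed


def outstanding(releases, platform, as_of):
    """CVEs made public by another platform's advisory on or before `as_of`
    that `platform` has not fixed by `as_of`.

    This is an upper bound: a CVE fixed on only one platform may not affect
    the other, or may have been fixed there in a release not loaded here.
    """
    fixed = first_fix_dates(releases)
    mine = {c for c, d in fixed.get(platform, {}).items() if d <= as_of}
    disclosed = {c for p, m in fixed.items() if p != platform
                 for c, d in m.items() if d <= as_of}
    return disclosed - mine


def exposure_days(releases, platform):
    """cve -> days between its first fix elsewhere and its fix on `platform`,
    for CVEs that `platform` fixed later than some other platform."""
    fixed = first_fix_dates(releases)
    lag = {}
    for cve, fixed_here in fixed.get(platform, {}).items():
        elsewhere = [m[cve] for p, m in fixed.items()
                     if p != platform and cve in m]
        if elsewhere and min(elsewhere) < fixed_here:
            lag[cve] = (fixed_here - min(elsewhere)).days
    return lag


def gap_timeline(releases):
    """(date, platform, outstanding count) at every release date: the data
    points for the 'missing patches over time' graph."""
    platforms = sorted({r[0] for r in releases})
    days = sorted({r[2] for r in releases})
    return [(d, p, len(outstanding(releases, p, d)))
            for d in days for p in platforms]


if __name__ == "__main__":
    print("iOS list is a strict subset of the Safari list:",
          IOS_7_1_1 < SAFARI_7_0_3)
    for day, platform, count in gap_timeline(RELEASES):
        print(day.isoformat(), platform, "outstanding:", count)
    lags = exposure_days(RELEASES, "iOS")
    print(len(lags), "CVEs fixed on iOS", max(lags.values()),
          "days after the Safari advisory listed them")
```

With only these two advisories loaded, the 10 Safari-only IDs are reported as still outstanding on iOS; loading earlier iOS advisories would show which of them were already fixed there.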


Time, Religion, and Unix.

When we want to define something numerically we need to choose two fundamental things: a zero point and a unit of scale.  The zero point is where “plus something” becomes “minus something”, and the unit of scale defines exactly how much “one something” is.  We typically use things that are easy to observe and measure, or meaningful physical quantities to which we can compare.

When it’s time we’re talking about our unit of scale is easy – one lap around the sun defines a year, the rotational speed of our planet defines a day, and we combine and subdivide these two to get all of our other units.  For a zero point though our choice is free and arbitrary – every “year zero” is as good as any other, we just need to pick one and agree on it.  In the Western world we use a particular religious event to define Year Zero, which leads to some interesting consequences – how, for example, can you argue that all religions are treated equally under the law when one of them gets to define the very calendar by which we count time?

It’s time for something a bit more modern.

“Unix Time”, as the name suggests, is how Unix-like operating systems quantify time.  It’s defined as “the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC) on Thursday, 1 January 1970, not counting leap seconds”.  Back when the Unix operating system was being defined, memory was expensive; it didn’t make sense for Unix to have to count thousands of years of seconds whenever it wanted to tell the time, so its creators took a shortcut – they simply redefined the zero point.

Unix Time is here to stay.  It’s such a core feature of so many different operating systems (Linux, Mac OS, Android, iOS, Solaris, BSD – even Windows supports it) and even the very specifications by which Unix is defined (it’s part of the POSIX standard that defines what “Unix” actually means) that it has become the de facto way by which the Internet defines time.  Given the way that the Internet has shaped and defined our society and the part that Unix has played within that, if we want to move our zero point to something non-denominational then using a core function of Unix to do so seems entirely appropriate.

Not only can we use Unix Time to define a new calendar, but it actually makes a lot of sense to do so!

The “old” calendar uses B.C. (“Before Christ”) to designate anything before Year Zero, and A.D. (“Anno Domini”, “The year of our Lord”) for anything after the zero point.  In keeping with this naming convention, the Unix Calendar designates everything before Unix Time zero as B.U. (“Before Unix”) and everything afterwards as A.U. (“Anno Unixi”, “The year of our Unixes”).  Not only does this agree with the assertion that we’re living in the golden age of computing (geddit?), but it’s environmentally friendly as well – 2014AD uses a full 50% more characters (and hence 50% more ink) than its Unix Calendar equivalent of 44AU.

In all seriousness, the Unix Calendar would be a good non-denominational basis by which time can be synchronized around the world – in fact it sort of is already.  All we have to do is agree to stop translating Unix Time into so many different calendars around the world, and instead just use the same timebase that practically all of our computers around the world are already using.

Now then, who wants to start a Unix Calendar kickstarter? :)


US-based BTC miners, read this!

I just got back from doing my taxes for 2013, and have discovered something awesome about the US tax system.  Before I say anything else, let me be clear: I am not an accountant, lawyer, doctor, or anyone else who can give you advice about taxes.  I’m just repeating (to the best of my knowledge) my understanding of what worked for me, and you should consult a properly-licensed accountant about anything here that you think you could use.

OK, now that’s out of the way, here’s the big thing:

If you mine for Bitcoins you can depreciate your hardware.

Let me explain.  I filed my taxes this year as the usual “married filing jointly”, but I reported my income from Bitcoin mining as income to a privately-owned company called “Kristin Paget”.  It turns out that for tax purposes you can do that – and it has some interesting consequences.

  • The space you use for your Bitcoin-mining farm is now a deductible expense, expressed as a percentage of overall floor space of your house (and hence a percentage of your rent and utilities)
  • The electricity you pay for while mining is also a deductible expense.
  • Mining equipment that you purchase can be depreciated.  This effectively means that you can deduct the price of the equipment from your income, spread over several years, paying less tax as a result.

You’re damned right I paid the $35 for the “peace of mind guarantee” at H&R Block when filing all this.  If the IRS decide to audit me then as I understand it, H&R Block will defend me to the IRS and pay for several thousand dollars of fees if the IRS disagrees with their maths.  This kind of insurance is A Good Idea when juggling numbers like this :)

It’s an interesting approach that definitely makes sense, and made quite a difference to my tax filing.  Here’s hoping that it’s helpful to those of you out there who mine Bitcoins and wait right until the last minute to file your taxes! :D


White Rabbit – You *have* to see this movie :)

So last night I got to go to the world premiere of White Rabbit, an independent film about an Iraq war veteran who comes home to find that her hacking skills are rather valuable to the local corrupt cops. She gets mixed up in a grand heist involving the Tea Party, Oakland PD, and a rather important chameleon (whose name I forget) and, well, you’ll just have to go watch it to find out the rest :)

Here’s the thing. Well, two of them actually. Hollywood usually does a dismal job of portraying hacking, while White Rabbit does a surprisingly good job. Screenwriter Kevin Warner and director Bill Kinder really did their homework, and I found myself really engaged in all the hacking-related scenes instead of being turned off by the utter idiocy of it. I can *totally* relate to Kerryann (the main character) in the way she gets treated by those around her, and I’ve personally pulled off almost all the hacks they use as plot points – one of which they actually came up with after watching a presentation of mine (which is why we were invited to the premiere). No hollywood-style superfake nonsense, just a couple of LOLtennas (and an apparently accidental helical antenna!) and some very believable shenanigans.

Secondly (and perhaps more importantly) this is an independent movie, so it’s only in the cinema for two more nights – Mon 10th at 9:15 PM or Wed 12th at 5:00PM. If you want to see it be quick, although I did hear talk last night of other releases coming soon.

So yeah. If you’re free on this coming Monday or Wednesday evening I can think of few better ways to while away a couple of hours, and you’ll be showing some love to some small movie-makers who actually took the time to make hacking look realistic on the silver screen for once. Go see this movie! :)


I wanted to make a few clarifications about goto fail now that the patch has dropped, the dust has settled, and I’ve had a little time to chillax.

I want to start out by being crystal clear about one thing – I like Apple’s products. Both my wife and I like and use iThings and Macbooks; I like and use TouchID, and OS X is my primary OS both at home and at work. I’m a fan of Apple. That’s why this whole goto fail debacle made me so mad – Apple started with this beautiful, elegant, *wonderful* machine, and then screwed it up by giving all of my passwords to anyone with the balls to attempt any of the 15-year-old vulnerabilities in Ethernet and TCP/IP that we fixed with SSL.

You do realize that’s what goto fail did, right? You know how we laugh at people that use telnet to remote admin their machines? Goto fail broke the “secure” in “secure sockets layer” and reduced it effectively to plaintext, and then did the same thing for a whole bunch of other protocols. Ethernet is horribly insecure, TCP/IP has a whole world of native vulnerabilities, and things like wifi and bluetooth don’t exactly make things better – and we fix *all* of this with SSL. No matter what kind of network you were on, your “secured” connections could be peeked inside of, just for the asking. Thanks, Apple, for telling the entire freaking planet that they could do this. For four days.

Please, Apple, learn a lesson – *never* drop a critical patch for only one platform when it affects both platforms. Both together or not at all; it’s better to withhold the patch a few days longer than to tell the world there’s a bug you could drive a tank through.

Some other random things:

- The Guardian (among others) have been claiming that I was “until recently in charge of Apple’s core OS X security”. Uh, why would “Core OS Security Researcher” or “Hacker Princess” make you think I was running the show? C’mon people, basic research please.
- If I had anything to do with this code while I was at Apple, or if I had been in any way responsible for its security, don’t you think it would be rather stupid of me to go swearing at Apple on the internet about this bug? Take a moment and think about that for a second.

So yeah, I’m back to being a happy iThing user again, at least until the next time I find a reason to go yelling at Apple about something.

Okay, Internets – it’s all safe to come out again now. Big hugs <3 :)

Dear Apple, FIX YOUR SHIT. Much love, Me <3

Okay, so iOS 7.0.6 happened – the short version is that Apple broke SSL. Oops. Oh well, it happens, apply the patch yadda yadda yadda.

What didn’t happen was the corresponding OS X patch. At least not yet.

WHAT THE EVER LOVING F**K, APPLE??!?!! Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?

Come the hell on, Apple. You just dropped an ugly 0day on us and then went home for the weekend – goto fail indeed.

Love and hugs as always,

Me <3

Why I’m not going to Vegas (and what you can do about it)

It’s the day before Blackhat starts, and as usual a lot of my friends are en route to Las Vegas for some combination of Blackhat, Def Con, B-Sides, LobbyCon, or “just because”. Usually on this day I’d be in my car trying to reach “Ludicrous Speed” across the Mojave desert to join them, but I’m sad to say I’m not going to be attending this year.

Last year I skipped Vegas because I couldn’t afford to go; I was interviewing for jobs at the time having just watched my startup more or less implode. This year I’m avoiding it for two entirely different reasons – the minor reason is work-related, but the major reason is because I’m just not ready. While my transition has been going well and I have much love for the entire infosec community (you’ve all been *so* supportive – thanks, guys), I’m just not in a good place at the moment. My hormones have been out of whack for a little while leaving me a bit of an emotional mess, and I’m just not ready to deal with that many people with that many questions, no matter how well-meaning. Not a good environment for me right now.

I will miss you all intensely (I’m fighting back the tears as I type this) but this is a Good Decision. Next year I’ll re-evaluate and things may well be different, but for now this is what it is.

Putting all of that aside though, if you want to help tip the scales the other way next year then there is something you can do to help – send me a souvenir! Send me a shot glass or a mug or a cheesy blinky-LED pin or something, to:

Kristin Paget
1 Infinite Loop
CA 95014

Show me some love! Send me a thankyou for something I’ve done in the past, or an encouragement to do something new, or whatever. Make a girl smile – remind me of why I’m still in this business after ten years and help cheer me up while you’re at it. I could use it…

What have hormones done for me?

Figured it was time for another blog post, one that I’ve been thinking about for a while. I was complaining on Facebook about some of the negative side effects of estrogen therapy and started thinking about what the positive effects have been to counterbalance the negative – turns out there’s rather a lot, most of which I really didn’t expect.

I did a lot of research on estrogen before starting and I certainly knew what I was getting into; 2 years in I’m seeing many of the “expected” changes that were predicted although it’s likely to be a few more years before their effects are complete. My body fat has begun to redistribute (away from my belly and into my hips / thighs / breasts, with less-pronounced changes in my face), my muscle mass has decreased (I *really* can’t lift heavy things like I used to be able to), my skin is softer and my body hair is much finer and grows more slowly, my skin is less oily (with correspondingly less pimples), and my body odour has changed to be sweeter and less acrid.

These were all things that I expected – most any site on MtF hormones will tell you that these things will happen. However, there have also been *many* more changes that I really didn’t expect. In no particular order:

Sleeping: For my entire adult life I had severe sleeping problems, often lying awake until dawn despite being utterly exhausted – 2-3 hours a night was pretty commonplace for weeks or months at a time. Even sleeping pills wouldn’t work – Ambien did nothing at all, melatonin would occasionally help (but not often), and nothing else short of an anaesthetic had any effect at all. The day I started estrogen and progesterone though I slept like a baby, and have ever since. In fact, I used to be able to tell when my progesterone was running out by gauging my sleep patterns – if I slept badly for 2-3 nights in a row I’d check the calendar and it would be 6 weeks on-the-dot since my last progesterone shot. I now get a progesterone shot every month, and have never slept so well.

Dreaming: Pre-hormones I could count on my fingers the number of dreams I’d had in my entire life. At one point my wife bought me a Zeo sleep monitor and I remember being utterly thrilled when I dreamed one night while wearing it – my excitement at having an EEG recording of an actual dream was practically uncontrollable. Nowadays though I have several vivid dreams every night, slowing down somewhat towards the end of my estrogen cycle – it took some getting used to but nowadays it feels strange when I don’t dream the entire night away.

Depression: As is common with transgendered folks, I suffered severe depression for many years, at one point even going on Prozac (which screwed me up in all kinds of ways but didn’t actually help in the slightest). I remember feeling different after my first dose of hormones though – it took me a full week to figure out that what I was feeling was my depression not being there. I feel like my emotional range has drastically shifted towards the positive; while I still get depressed from time to time it’s no longer my de facto state-of-being and I’m definitely happy-dominant nowadays :)

PMS: This is my wife’s name for what I go through towards the end of my 3-month estrogen cycle, when my levels are starting to drop. I get irritable, moody, prone to mood swings, I cry for no reason and get general-purpose cranky-bitchy for about a month – then I get my new hormone pellets and I’m back to my usual self again. Believe me when I say that chocolate works very differently for women than it does for men – pre-hormones I enjoyed the taste of chocolate but nothing more, while nowadays it really helps to stabilise me when I’m PMS’ing. The difference is stunning.

Hot flashes: Another end-of-cycle effect, although this one comes a couple of weeks after the PMS starts. My wife has always been more prone to cold while I’m more easily overheated, but these come and go pretty rapidly (usually only minutes at a time). I’m told it’s very similar to when menopausal women get hot flashes – biochemically there’s some very similar things going on so it kinda makes sense.

Skin pH: Probably the root cause of my body-smell change (and possibly related to the skin oil decrease), the change in my skin pH has also caused other effects. Perfumes smell very different on me now – scents I used to wear just don’t smell right any more and I’ve had to find new perfumes to replace them. More dramatic though has been the effect on my silver jewelry – silver used to corrode very rapidly against my skin (silver rings would turn almost black within days) but nowadays silver stays nice and bright more or less indefinitely.

Dry hair: Also related to the decrease in skin oils is a change to my hair. My hair is much less greasy, to the point where I have to be careful not to wash it too often – it just gets dry and brittle if I wash it too much. It soaks up conditioner like you wouldn’t believe and still feels dry, I’m still experimenting with “intensive” conditioners to see how they fare but they certainly help.

Sun effects: Two big changes here – firstly I burn way more easily than I used to. Last year I went for a walk with a friend of mine on a sunny day; not even an hour in the sun and I ended up blistered all over my shoulders – before hormones I would have been fine. That was the day I learned a new love and respect for sunblock! More recently I’ve noticed that I don’t really tan as much any more – I freckle! Never had freckles before but now I’m covered, and I get even more every time I step outside. I really like this one – freckles are cute! :)

Allergies: I never used to have problems with seasonal allergies, now I’m sniffling and sneezing all summer and have to take some pretty serious anti-histamines to keep it under control. Still don’t have a problem with my cats (yay!) but pollen is a killer, and I’m still trying to figure out what flowers I’m most allergic to – sometimes I can’t even be in the same room as a gorgeous bouquet, while other times I’m completely fine.

Taste and Smell: I don’t think that the things I like have changed (I still can’t stand mushrooms and still love vegetables) but my senses of smell and taste have definitely intensified. For example, I’m a lot pickier about what red wines I do and don’t like (because the difference between them is now much more pronounced), and I can actually enjoy the flavours of a nice salad instead of it being little more than just crunch.

Swollen feet & ankles: Especially towards the end of my hormone cycle, if I sit down for too long or drink too much my feet and ankles will swell noticeably, sometimes to the point where I can’t get my shoes on! Not a problem that I ever had pre-hormones, and not honestly that much of a problem nowadays – definitely a new experience though…

Pain threshold: My pain threshold has dropped considerably since starting hormones. I remember when I was a kid I had an ingrown toenail that my doctor just couldn’t get rid of; more than once I cut into my nail bed to dig it out myself since it was simply more expedient than a doctors visit and the pain really didn’t bother me. Not so nowadays – my tolerance for pain seems much more “normal” but again, that took some getting used to.

Girlbrain: Kind of hard to explain, but my brain seems to just work differently nowadays. Where I used to remember things very literally (often with perfect word-for-word recall of conversations), my memories are now much more emotional – I may not remember exactly what was said but can perfectly recall how it made me feel. I’m much quicker to trust people and much more free with my emotions, I have much more clarity of myself and others, I have infinitely more self-confidence – and all of that manifests in a million different ways. I’m able to make friends in a way that I never have before, able to find joy in the little things in life, able to just be happy. I feel like I’ve shed all of the lies and fakeness that came with being a woman’s brain trapped in a man’s body (and doing a bad job of pretending to be the latter) – now that my brain and body and outward appearance are in sync, the grey matter up top is just that much more effective. Boybrain just seems broken in comparison.

Nesting: Another odd one to describe, kind of related to girlbrain – I nest! I love making places my own, whether it’s the desktop on my computer, my desk at work, my bedroom, kitchen or anywhere else – if it’s my space then I make it mine. I clean, I tidy, and I enjoy doing it; I arrange and rearrange and move and fiddle until it feels just right – I nest :)

“Is it all worthwhile” is an easy question to answer – despite all of the complexity and newness (I feel like I’m going through puberty again) it’s absolutely worth it. Even if all I had gotten from hormones was sleeping right and freeing myself from depression it would be worth all of the side-effects – and I’ve gotten so much more than that. I really like girlbrain, nesting is really a lot of fun, and I even love my freckles! Estrogen – it’s not for everyone, but for me it’s the best drug in the world :)

Rebirthday 2013

Wow, has it really been over a year since I wrote anything here? That sucks. I’ve been thinking recently that I really should start blogging again but my job kinda nixes writing anything publicly about technical matters; I’ve been waiting for something good to come along that was worth writing about and which wasn’t going to get me in trouble. I think I finally found something :)

Spoiler alert: This post is going to be very personal and not at all technical. I may actually open up comments for the first time in *forever* when I’m done though, so stay tuned.

Yesterday was my Rebirthday – the second anniversary of the day that I finally made up my mind to transition permanently. I really don’t feel like the same person who made that decision; my world has changed so much since that day and I really do feel like I’ve become an entirely new person. I’m actually quite proud of this shiny new me and it feels like a story that I need to tell – this celebration seems like a good reason to do that, and hopefully it’ll spur me into writing more about transexualism and all it involves. Perhaps someone, somewhere will find something positive in my experience that makes their own journey a little easier, and if not then I guess all you cisgendered folks will just learn a little more about what us trans folks go through on our journeys of self-discovery.

The scene: it’s May 21st 2011, and my wife and I are about to get on a plane to Las Vegas. We’ve bought ourselves tickets to go and see Kylie Minogue at Caesar’s Palace on the last night of her US tour, so a long weekend of fun awaits us. This time things are different though – I’m dressed as a woman, and I’m about to go through my first female TSA patdown.

I had been flirting with changing my gender for about a year and a half, essentially waking up every day and deciding what gender to present for that day. Since I was self-employed I had a lot of flexibility; if I had important meetings that day I would usually present male (so as not to freak anyone out), but otherwise I’d probably present as a woman. I’d go back and forth as necessity dictated, terrified that the sky would fall down on me if I made the wrong choice – dressing as a woman had certainly led to some unexpected encounters (my landlord was a little surprised when he stopped by one day) but I had never had a problem. It had taken me the better part of a decade to sufficiently come to terms with my own gender that I could leave the house dressed as a woman, and I’d found a certain level of comfort in doing so.

That day was different though. I don’t like going through TSA at the best of times (it’s *far* too invasive for my taste) and this time I had no fallback plan – I had decided to present as a woman for the entire trip and had no male clothes with me at all. I was *way* out of my comfort zone, utterly terrified, and yet oddly comforted at the same time – I was, after all, just being myself. I had familiarised myself with the appropriate TSA regulations, I had a lawyer from ACLU on speed-dial in case anything did go wrong, and I was all set for a trip to Vegas.

I have never been so scared in all my life as I was going through that security checkpoint. I kept running through nightmare scenarios in my head, playing out how things could go, trying to plan for every possible eventuality. And then it was over in the blink of an eye, completely uneventful. Nothing happened, and before I knew it we were on the plane and headed to Vegas (still shaking from fear, but otherwise unharmed).

The trip itself was amazing. We got our makeup professionally done before the concert, I got to wear one of my favourite party dresses, Kylie was her usual dazzling self, and the concert was everything we hoped it would be. We gambled, we drank, we partied, and I did it all in dresses and skirts and high heels and makeup and all the trimmings (as Vegas demands!). The trip home was marginally less scary (I’d done it once so it wasn’t as terrifying) and before I knew it it was all over.

It was a day or two after the trip that it really sank in what had happened. I had gone through one of the most terrifying things I could possibly imagine, and not only had TSA been no big deal but I’d ended up *really* glad I had chosen that path for that trip – being myself for those few days had been completely comforting and enjoyable. I’d had a *fabulous* time, and there had been no negative repercussions whatsoever. I quickly realised three things:
1: Whenever I felt like I had a choice, I was choosing to be a woman.
2: Whenever I felt like I *had* to be male it upset me immensely – I truly hated it.
3: If I could cope with TSA as a woman, I could cope with anything.

I finally realised that the only impediment to permanently changing my gender was my own fear, and I also realised that that fear was completely unfounded. I had made my mind up – I was going to stay a woman for the rest of my days, and that I really was able to deal with the world as a woman. A month later I had one of my first surgeries to make that life a little easier, and a month after that I started hormones. My life had finally begun.

Two years on, I feel like that scared little girl is finally (mostly) gone. Estrogen has changed both my brain and my body in so many ways, both expected and unexpected (that’s another post entirely) but almost all good; transition has had very few downsides for me. The worst is that I now get PMS (as my wife calls it) – I’m on a 3-month Estrogen cycle and for the last month of that (when my levels are starting to drop) I get super bitchy, easily upset, and generally a little unstable. Most women are like this for a week every month; I’m like it for a month every 3 months. It occurs to me that when that’s the worst thing I can point to about my life it’s really been a good move for me – it’s really not much of a downside.

On the other hand, I’ve found a level of inner peace and self-acceptance that I never even knew existed. I understand myself, I understand other people, and the world is just so much easier to live in nowadays – I’ve made some *amazing* friends (something I was never really able to do as a man) and I can look myself in the mirror every day and truthfully say that *I like my life* – that’s a really big deal when you’ve spent 33 years in deep depression. Most of the people I see on a daily basis never knew Chris and completely accept me as Kristin; looking back it feels like I never really was Chris, I was just Kristin pretending to be a boy and doing a lousy job of it. I sleep at night. I don’t get random fits of anger and frustration and hatred at the entire world for making me the way I am – I’ve found myself, and I’m finally happy.

One sad part about all of this is my family. I’ve really enjoyed re-meeting people and getting to know them all over again, and I’ve not had the chance to do that with my family yet – and I probably never will with my parents. I’ll never forget when I came out to them and my father asked if it meant I was “going to start sniffing bicycle saddles”, as if transexualism was synonymous with the most deviant sexual fetishism that humankind can conjure; likewise I’ll never forget when my mother (after encouraging me to wear what I wanted when I was visiting) scolded me for going to get something from my car while wearing a skirt, because “What if the neighbours see?”. They instilled in me a shame and self-loathing that took me a very long time to get over and made me alienate much of the rest of my family along the way (after equating them with the same viewpoint); after they found out the truth and I found out that most of them are actually wonderful, caring people who really don’t see a problem I’ve been trying to rebuild some bridges. It’s hard to keep in touch when you’re a continent away but Facebook helps a lot, and I’m looking forward to getting an opportunity to see them again soon. I miss having parents but it’s taken me a long, long time to get over the way they made me feel about myself, and I don’t know that I can cope yet with re-introducing that into my life. Some day, perhaps, but not today.

It’s hard to think of a “best thing” that’s come out of this for me – there are so many. I love finally being able to dress the way I want to, I love wearing makeup (I like to think I’m pretty good with it by now), I love understanding myself and being able to have true, close friends. I love being able to interact with the world in a way that actually makes sense to me, and have the world interact with me in similar fashion; I love seeing the effect that my vanishing depression has had on my wife as her constant worrying about me lifts and eases. I love my life, I love my friends, and while (of course) there’s still things I would change, I’ve finally found a place in this world that I’m happy with.

So hi. I’m Kristin, a 2-year-old woman. Would you like to be friends? :)

Shmoocon 2012

In the absence of an “official” download link for these so far (although I’m sure they’ll be up on the Shmoocon page soon enough), my slides from Shmoocon this year. Seems it got a little press coverage and a whole bunch of attention on Twitter, so I figured I should get these out ASAP.

Hopefully video will be up soon but if anyone has questions about the talk in the meantime please ping me (ideally on twitter) and I’ll update the FAQ as and when I can.


What hardware / software were you using?
I used a Vivopay 4500 contactless card reader, an MSE-750 magstripe reader/writer, a Square dongle for my cellphone (on Android, not iPhone), and some code I wrote based on 3ricj’s PwnPass code (no longer publicly available, afaik).

How did you get magstripe data from a contactless read?
The contactless reader spits out magstripe-formatted data as its intended mode of operation. I get valid Track1 / Track2 info (lacking only the name, which is usually “Valued Cardmember” or some such), which I just copy and paste to T1 / T2 on the MSR. There’s really not much to it – and yes, I’m processing credit card transactions without knowing the cardholder’s name.

Can you use the resultant card data online?
I get a valid card number and expiry date (both usually the same as printed on the face of the card) and a single-use CVV value. If you can find somewhere online that’ll let you process a transaction with nothing but a card number and expiry date then yes you could, but otherwise you’re restricted to writing a magstripe and using that.

This is old news – XYZ did this years ago
I’m certainly not the first person to demo RFID vulnerabilities in payment cards. I haven’t heard of a full end-to-end demo before (RFID -> magstripe -> Square -> Profit!) but that doesn’t mean it’s not been done; I won’t be the last either as long as the industry keeps denying the problems. Now that it’s been irrefutably proven live on-stage that contactless fraud is possible I’m hoping that some of these issues can be addressed; if not don’t expect me to be the last person to talk about it either.

So what’s the deal with the CVV?
Credit cards have 3 CVV codes, one printed on the back of the card, a second encoded onto the magstripe, and a third from the RFID which changes with each read. Square (as well as some other combinations of PoS terminal + backend processor) is unable to tell the difference between an RFID transaction and a magstripe transaction, so as long as the CVV is valid (i.e. it’s being played back in-sequence with no repeats) the transaction goes through.
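An added example, not code from the talk or from any payment processor: a constructed model of issuer-side CVV validation for one card, showing the behaviour described above (any valid code accepted on any channel) beside a check that ties the code type to the entry mode the terminal reports. The HMAC derivation, the read counter sent alongside the code, and the `SWIPE` / `CONTACTLESS` labels are assumptions made for illustration.

```python
import hashlib
import hmac

SWIPE, CONTACTLESS = "swipe", "contactless"  # hypothetical entry-mode labels

def dynamic_cvv(card_key: bytes, counter: int) -> str:
    """Toy per-read code: 3 digits from HMAC(card_key, counter).
    Stand-in only; real card schemes use their own derivation."""
    mac = hmac.new(card_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

class Issuer:
    """Constructed model of issuer-side CVV validation for one card."""

    def __init__(self, card_key: bytes, static_cvv: str, bind_entry_mode: bool):
        self.card_key = card_key
        self.static_cvv = static_cvv           # code encoded on the magstripe
        self.bind_entry_mode = bind_entry_mode
        self.last_counter = 0                  # highest read counter accepted

    def _dynamic_ok(self, counter: int, cvv: str) -> bool:
        # In sequence, no repeats: the counter must move forward.
        if counter <= self.last_counter:
            return False
        if not hmac.compare_digest(dynamic_cvv(self.card_key, counter), cvv):
            return False
        self.last_counter = counter
        return True

    def authorize(self, entry_mode: str, cvv: str, counter: int = 0) -> bool:
        static_ok = hmac.compare_digest(self.static_cvv, cvv)
        if not self.bind_entry_mode:
            # Behaviour the post describes: any valid code, any channel.
            return static_ok or self._dynamic_ok(counter, cvv)
        if entry_mode == SWIPE:
            return static_ok                   # swipes must carry the stripe code
        return self._dynamic_ok(counter, cvv)  # contactless needs a fresh code
```

With `bind_entry_mode=True`, a per-read code presented as a swipe is declined even though it is fresh and in sequence, which is the distinction the backend described above cannot make.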