Poor passwords

I work in computer security. The following were recently shared in one of the threat intel channels I follow.

Rather lame, but it’s what Hyatt Hotel prohibits as passwords in their network: https://www.hyattconnect.com/files/passwordpolicy/dictionary.txt

This is claimed to be the largest collection of actual passwords ever assembled.

The download link on the web page given by the link above is very scary (if you can even find it). I downloaded the .gz file, decompressed it, and packaged it up as a .zip file here: http://www.joehuffman.org/misc/RockYou2021.zip

I like the analyst number

Last year my boss made it a requirement that everyone on our team must take the SANS FOR578: Cyber Threat Intelligence class, complete it, and take the certification exam by the end of 2021.

It was paid for by our employer and we were supposed to take the class online during company time. The class is about $8,000 and requires at least 40 hours.

I completed it last month, passed the exam on the 15th of this month, and received the certificate of completion today:

image

It wasn’t easy, but it wasn’t deadly hard either.

The “Analyst number” they assigned me was a special touch but entirely a coincidence.

Quote of the day—Rob Skjonsberg

Liberals being offended, by pretty much everything these days, is predictable.

Rob Skjonsberg
Chief of Staff to South Dakota Senator Mike Rounds.
March 25, 2021
Rounds’ response to Biden’s proposed assault weapon ban gets national attention
[It’s interesting how people buy into this “offended” crap.

At work they are going through all software and documentation to remove references to “White Lists” and “Black Lists”. And the code revision control systems are going to have references to “master” branch changed to “main” branch. I’m glad my boss didn’t ask me to do it and instead asked the intern.

A week or two ago I had a more or less mandatory meeting, involving some large number of people, to go over the changes and why they were important. I politely listened and didn’t say anything.

What really struck me* was they said when they finish with this effort they won’t be done. They will just be getting started. The next item on the agenda will be to remove “grandfathered” from, well, everything I guess. Apparently that is offensive ageism or something. They reported after that they will be hunting for reasons to be offended on behalf of the LGBTQ community.

If the USSR and other communist examples are any clue the purity tests will only level out when the death and Gulag incarceration rates get to the point where society is collapsing.

I need to retreat to an underground bunker (I wish!) in Idaho before I get caught and found guilty of wrong think.—Joe]


* Another thing I found very telling was the presentation was of marginal “quality”. The slides had typos and grammar errors. The presentation itself was substandard too. There were lots of hesitation and restarts in the speech patterns. I kept wondering if the person couldn’t do a real job so they were given this task.

CCRKBA UPDATES ‘DON’T FEED THEM’ ANTI-GUN BUSINESS LIST

Via email from Citizens Committee for the Right to Keep and Bear Arms:

BELLEVUE, WA – The Citizens Committee for the Right to Keep and Bear Arms today announced it is updating its list of businesses and CEOs who push for increased gun control and prohibition, adding Kenneth Cole, Northwell Health and Mesirow to the roster.

CCRKBA’s “Don’t Feed the Gun Prohibitionists” project began last year with the creation of a dynamic list of businesses and CEOs who have been supporting new legislation designed to impair the rights of law-abiding firearms owners, said CCRKBA Chairman Alan Gottlieb. The current roster lists some 200 businesses and their CEOs.

“When we started this project,” Gottlieb said, “we were sometimes surprised, and in some cases disappointed, at some of the businesses we placed on the list. We discovered several brand name businesses and corporate leaders who evidently have a quiet agenda to limit gun rights. The listing is our way of letting current and potential patrons have the knowledge about what their hard earned dollars may actually be funding.”

Kenneth Cole is a global fashion brand, while Northwell Health is a health care conglomerate and the largest health care provider in the state of New York. Mesirow is a Chicago-based financial firm which supports the Giffords gun control lobbying group.

“We’re not calling for a boycott of these companies,” Gottlieb explained. “Businesses and the people who own them can support whatever kind of philosophy they want, and gun owning consumers can likewise not spend any money with those firms. Let the marketplace decide. Over 100 million American gun owners represent a sizeable consumer bloc, and they will decide on their own where to spend their money.”

Gottlieb said a free market dictates the right of consumers to know about the products they purchase, and that includes knowing whether a business they support may be working in the shadows to erode their constitutional rights.

“We encourage people buy products from companies they can count on to not support efforts aimed at curtailing constitutional rights,” he explained. “By providing this information, we hope gun owning consumers are making reasonable decisions about which businesses to patronize. This might convince some businesses to re-think their core values.”

It’s tough to avoid some of them. Costco and Microsoft, in particular, makes me very sad.

And I had a couple former co-workers trying to recruit me for Uber not long ago. I was never very keen on Uber anyway and this pretty much crosses them off the list of places I would go to work for. However, I suppose if I was desperate I would consider it.

Grey’s Law

In the comments from a private Facebook post about anti-gun people someone simply said, “Grey’s Law”. I had to look it up:

Any sufficiently advanced incompetence is indistinguishable from malice.

I’m seeing behavior at work which could be accurately described by Grey’s Law. It’s very depressing. Evil should be punished. But the appropriate response to incompetence is less clear. Depending upon the context it can be very difficult to find the most appropriate path to resolution.

It is 2020 after all

Seven year-old grandson Bryce shared this in his parents Christmas letter:

Q: What’s the worst vision to have?
A: 2020!

Barb and I know we have been extremely fortunate compared to a lot of people. Still, there are some things that have been depressing to me in the last month or so.

I’ve lost three former classmates:

  • Verl Presnall was a good friend throughout most of grade school. He was also on the board of directors and past president of the East End Rod & Gun Club in Milton Freewater, Oregon. He died of prostrate cancer on October 14th.
  • Kathy (Fargo) Deyo was a high school classmate. We were never close but with a class of only 125 everyone knew everyone else. And she was always such a happy person. It was always a pleasure to be around her. She was one of those people who you think, “Life is so unfair that he/she should die so young.” She died November 13th.
  • Terry Thornton was also a high school classmate. Again we weren’t close but we had a lot of connections in the last 15 years or so. And he was another one of those people that you think shouldn’t have been one to leave us so early. Terry died December 1st of COVID.

I didn’t know it until a couple days ago but Eric Engstrom died on the same day as Terry.

Eric had a larger impact on my professional life than anyone in the world. The impact was huge. I would never have gone to work for Microsoft if it hadn’t been at Eric’s urging. He knew I had written tons of assembly language code for various graphics boards. Eric needed people to write video drivers for Direct Video (as it was called in May of 1995) for Windows 95. It had to be done by August so game developers could have games ready for Christmas. That was the wildest ride I have ever been on. Read Renegades of the Empire. Whenever you read something in there that sounds too far out to be believable double the “far out” quotient and you will be in the ball park of reality. I saw a hole kicked in a wall when I reported a bug I had found and fixed. I didn’t create the bug, it was from the manufacture of the video board. It was extremely obscure and absolutely deadly when it showed up. And it wasn’t found until after the code had been “frozen”. I was there when a keyboard was repeatedly bashed against a desk at 3:00 AM. From my office the key tops falling to the desktop sounded like broken glass. The motorcycle, spinning it’s tire in the hallway, burned a hole through the carpet all the way to the concrete. There was the illegal fireworks on campus, the Humvee driven across the grass field on campus (and getting stuck there), and the persistent thief who kept stealing RAM out of our computers in the middle of the night making it problematic as to whether we would be able to work when we came in the next morning.

That was just the first few months of my time at Microsoft and with Eric in “full bloom”. After a few years I was his first employee for his first startup, Chromium Communications.

That path changed my life forever. I made at least twice as much, if not three times as much, money because of Eric. Working with Eric and others at Microsoft was an alternate reality for me. I had never met such smart people before. I was used to frustration at explaining the same things over and over to co-workers. During those first years at MS people would “get it” before I had finished my first sentence. That changed my standards for the type of working environment I was willing to be in.

On a personal level Eric was so incredibly funny and happy and could even find humor on the darkest of days when his companies were imploding during the dot com bubble implosion. His probably (you frequently couldn’t tell) insane ideas and ambitions were amazing. When I was working in Richland, WA I would drive 200 miles, one way, to have dinner with him in Kirkland, then drive back to Richland to go to work the next day. It was more than worth the drive.

I’m certain I thought of him at least once a week even though I hadn’t had contact with him for years. I kept putting “things on the list” I want to share with him. My accomplishments and bits of news or inside knowledge about things I knew he had an interest in.

Eric had a personality (and ego) which could fill the largest ballroom in the largest hotel. He could make you believe the impossible was not only plausible but he was going to do it and it was going to be FUN! He planned to live forever and I though he probably would succeed. He failed and the shock will be with me for a long time.

2020 sucks.

Then this morning, this is just minor punctuation mark on the 2020 ledge, some thief stole the presents from our font steps. Daughter Jaime had Amazon ship them to us and we didn’t notice they had been delivered last night. Amazon didn’t put them in the package box. I checked the video this morning and saw this:

FullScreen

Package theft in Bellevue is up 72% last month compared to last year. We just contributed to the statistics for December.

It is 2020 after all.

I did get some good news late yesterday. Dad tried to buy a particular piece of prime properties to add to the farm on August 16, 1978. He was not successful. My brothers and I tried again in the early 1980s without success (the owner would barely talk to us).

In 2008 there was a verbal agreement between brother Doug and a third party. The third party wanted some of our land. Doug agreed that we would trade it for the land we really wanted. We knew the land we wanted was for sale but the owners wouldn’t have anything to do with us.

In May of this year, yes 12 years after the verbal agreement, they FINALLY, signed a contract to follow through with their verbal agreement. The contract said the deal would closed by November 29th. Uhh.. okay. That seems like an awfully long time to sign a few papers. We signed our papers in the middle of November. Wow! That took a long time (almost all of the hold up was on the side of the other party). But at least we are going to make the deadline. The other party still took what seemed like forever. Twice they sent papers to the title company without the signatures being notarized.

Yesterday the title company sent an email saying the papers had been recorded at the local courthouse.

It took over 42 years, but now we own that property. Maybe we can close out 2020 on a happy note.

Update: 12/15/2020 was also a good for another reason. I did the final review on a new patent application from the lawyer. I’ve solved tougher problems but I’m more proud of this patent application than any of the others. I thought of Eric a lot when working on this. Last January through March I worked an average 16 hours a day 7 days a week (except for a week in Hawaii for our first wedding anniversary) to find the solution and demonstrate its validity. I really wanted to tell Eric about this accomplishment.

A security story

My job is computer security. My job, among other things, is to think like a bad guy and then prevent security breaches and/or catch them soon after they have begun executing their “kill chain”. Most people, even many very smart people, do not have the capacity to think like a bad guy. I have a real life story to illustrate.

Just because this is computer security don’t think this isn’t relevant to current events of a vital importance to the entire nation. I’ll tie all together before the end.

Please do not assume this happened at the company I work for. I have contacts with many other people in the security industry. We often share stories. Sometimes this story sharing is to warn others of how clever the bad guys are and how they succeeded or almost succeeded. Other times stories are shared about how mind bogglingly stupid and numerous some of the mistakes were in the implementation of a computer network system.

This story is about how stupid and numerous the mistakes were.

The type of business and other potentially identifying aspects of the story have been changed to protect the guilty. But the critical aspects of the story are true.

The company penetration testers were asked to test a tool used by customer facing employees. This tool allowed employees to assist the customers with their business with the company. It gave the employees access to personal information about the customer. The personal information access was required for the employee to do their job. The tool had been “released to production” months before the penetration testers (and apparently or other security professionals) took a look at things.

A simplified view of the tool architecture looked something like this:image

Database Servers A & B are the only servers applicable to the Customer Assist Tool. The other Database Servers are for other web applications unrelated to the Customer Assist Tool.

Everything from the Load Balancer up were Internet facing. It wasn’t originally designed that way. Originally everything seen in this diagram was inside the corporate network. But because of COVID they had “reasons” and they changed the design so employees working from home could easily access the Customer Assist Tool.

The Internet facing Customer Assist Tool required a company network username and password. The Load Balancer did not. The Load Balancer accepted connections from anyone on the Internet. The Database Servers did not require any security tokens or login. Anything coming from the Load Balancer was considered valid.

The penetration testers didn’t bother trying to do a brute force attack on the login to the Customer Assist tool. They connected directly to the Internet facing Load Balancer and sent queries to the Database Servers. If they knew just a tiny bit of unique public information about the customers, say an email address, phone number, street address, or Social Security Number, they could then get access to extremely personal information from the database.

The penetration testers sounded the ALL HANDS ON DECK alarm. The incident response people (IR) showed up.

The software developers (SDs) of the system were brought into the virtual room and told this is a really big problem. Except for biologically required breaks you’re not leaving the room until this is fixed.

SDs: “We don’t see why this is such a big deal. Someone would have to know the URL for the load balancer. And the only people that might know it are the users of the tool. And we don’t think very many, if any of them are smart enough to figure it out.”

IRs: <blink><blink> “The penetration testers figured it out. And the bad guys out there do this sort of stuff all the time. It’s how they make their money. I’m not going to waste our time explaining this to you. Fix the problem. NOW!”

The IRs then asked how far the logs go back, “You do have logs, right?” The software developers assured the IRs they had logs. The logs went back 90 days. There probably were a few days of missing traffic between when the system was released to production and the oldest log files but most of it was there.

IRs: “Okay, good. We can find out if there was actually any customer information lost.”
SDs: “Oh. You want logs for that? We just log activity at the Customer Assist Tool Web Application. The penetration testers, and any bad guy activity, won’t be in those logs.”
IRs: “Okay…. are there ANY log on the database servers?”

The SDs go looking and find there are generic web logs available that go back to the beginning of the release to production. The IRs looked at the logs for a few seconds and realized the IP addresses of all the requests are of the Load Balancer. There is no indication of the origin of the request. Requests from the Customer Assist Tool are indistinguishable from a request from anywhere else on the Internet.

What about load balancer logs? Maybe. But they don’t go back very far. And if they do exist, all the data is intermixed with the other web applications and other Database Servers.

Within a few hours the SDs have a fix.

IRs: “Tell me about your fix.”

SDs: “The login credentials of the employee used to login to the Customer Assist Tool are passed to the Database Server which validates the credentials before responding.”

IRs: “Okay, we should improve upon that, but maybe that will be good enough that we don’t have to shut down the application until a permanent fix is in place. But that’s a question for our VPs to discuss. Oh, by the way, how many employees do you have authorized to use this tool?”

SDs: “Uhhh… all company employees can use this tool.”

IRs: <blink><blink> “Everyone in the company? Really?” <IRs go to the tool and verify they have access>

SDs: “Yes. If someone improperly used the tool to gain access to customer information when they weren’t supposed to they could be caught and could lose their job. Therefore the customer information is safe from misuse.

IRs: <some facepalm><others bang their heads against the wall> “This is a large company. There are thousands of employees. Anyone on the Internet can find valid company credentials in five minutes or less. We disable hundreds of accounts per week as we find credentials on the web ourselves.”

SDs: <blink><blink>

The story goes on but the important part is that the SDs, not stupid people, made a ton of errors. These errors started with not getting a security professional in the room when they changed the design. The errors compounded dramatically from there.

They had a world view much different than the bad guys and the security professionals.Things which could not even be imagined by the SDs were child’s play to the penetration testers and the IRs.

Now to tie this to current events. Our recent election.

Several courts reviewing the lawsuits claiming foul play have concluded the election was fair and honest.or, at least, there was insufficient evidence of widespread fraud to change the results.

As seen in the story above there are failures modes which not only allow unauthorized access/fraud but make it impossible to determine if such access/fraud occurred. Furthermore, unless someone is experienced in thinking like a bad guy they can honestly believe everything is “fair and honest” and be completely, totally, catastrophically, wrong.

I trust the courts to know their profession. I don’t trust them with security issues. I trust them to accurately asses the integrity of our election far less than the SDs could accurately asses the security of their system. The system they designed and built.

The legal professionals of the court did not design or build the election system. They did not evaluate the security after the (supposedly) COVID inspired changes were made from the viewpoint of a security professional. The original election security features had evolved over hundreds of years and thousands of people poking at it, finding faults, and attempting to prevent future fraud and errors. In the span of a few months a few people made changes which did not go through nearly as rigorous review as the pre COVID system.

I don’t know with a 100% guarantee that sufficient fraud occurred to change the election results. I do know, with 100% certainty, that many people were highly motivated to commit fraud. I do know, with 100% certainly, that some fraud occurred. I’m nearly certain the system in use has issues which make it impossible to detect fraud after the fact.

The bottom line to this is that anyone who says the election was fair and honest because the courts say it was is either lying or placing their trust in a body of people that don’t know anywhere enough about security to make that call.

Truth

I was nearly finished with a 20 page paper (of sorts) on searching for bots in computer networks when I took a break and scanned the contents of my RSS feeds. This struck me as particularly timely and funny:

garbage_math_2x

As I told my boss last week I was disappointed in the algorithms used in what is considered “state of the art” tools. I actually found a strong inverse correlation in the “scoring” of network traffic of highly suspicious traffic compared to clearly normal traffic. The higher scoring traffic should indicate high probability of the traffic being communication with a Command and Control Server (C2 Server) and lower scores with normal traffic. I easily found instances where just the opposite was true.

When I used synthesized data I could get the expected scoring results but real world data demands new detection algorithms. It looks to me like bot builders also do research. Existing algorithms appear to be essentially garbage.

Quote of the day—RyanSepe

All this awareness would make us liable. Without them its ignorance, if we hire them it becomes negligence and I prefer ignorance.

RyanSepe
February 28, 2020
Suggested caption to this cartoon:


[There is way too much truth in this.

Companies have finite resources. They have to prioritize their cyber security efforts. If something is documented as an active issue, or even a potential weakness, and they don’t address it in a timely manner they have legal liability issues to deal with as well as fixing the problem.

In the “big picture” view of things companies have a lot of motivation to “not put it in writing” until they have the resources to deal with it. On the other hand, if managers don’t show they have a backlog and are overworked they aren’t going to get the resources to fix things in a timely manner. I have more than a little sympathy for cyber security managers caught in this dilemma.

After illegal computer access incidents have been made public Barb sometimes tells me, “I wish they would just stop doing that!” I would be out of a job, but the world would be a better place. So much money is spent on security that from a big picture you see it as huge waste of human and even natural resources (millions of computers monitor and guard against intrusion as their sole purpose). Even when the criminals are caught (extremely rare) they will never have to pay for all the resources spent in finding them and bringing them to justice.

And, of course, it’s never going to happen. Some of these criminals do it for the “free” money. Others do it for the thrill. And some do because they are spies in search of information useful to their country. There are always going to be those type of people. The best we can do is find them, stop them, and prosecute them if we can build a case against them.—Joe]

Mandatory “social distancing”?

Hmmm…

Gov. Inslee says ‘mandatory measures’ under consideration to combat coronavirus in Washington

Since the novel coronavirus emerged as a threat in Washington, officials have sought to keep people here from infecting each other by offering advice, health care and other assistance. What they haven’t yet done to slow the spread of the virus is tell residents what they can and can’t do.

That could change at some point, however.

Officials are considering mandatory measures for social distancing as part of the state’s effort to combat the outbreak, Gov. Jay Inslee said Sunday.

Barb, my oldest daughter, her spouse, and I, all in Bellevue, have been doing our part for the last week. We have been working from home and minimizing contact outside our homes. We are also prepared for several more weeks as needed.

We live in interesting times.

Pushing the limits

I like pushing the limits in certain directions.

Recently I have been spending nearly every waking hour working on my Bird Dog software for work.* I’m dealing with information on billions of network connections. I extract the stuff of interest and present it in an way which makes it easier to find the wood slivers in the hay stack. After using all the algorithmic tricks available I started finding places to do more parallel processing.

It was with great satisfaction that I found that I pretty much continuously keep all eight logical processers at 100 percent when doing certain tasks:

Limits

Each one of those processors is over 1000 times more powerful than the single processer I had on my first personal computer. And just the Bird Dog executable would take up over 75% of the hard disk space on that computer. Never mind the O/S or the database software which wouldn’t fit on a dozen hard disks I was so proud of at the time I first purchased it. “I’ll never run out of room on this disk!”, I foolishly told myself.

I now routinely open up text files in Vim for review and/or editing that are 50 to 100 times larger than what that hard disk could contain.

I like living in the future.


* I received an email from the company patent team earlier this week. They told me they are pursuing a patent on Bird Dog. I think the existing invention disclosure is okay, but the next one will be AWESOME! I’m really excited about what is coming up next. It’s as if a decade or more of my life’s work is coming to a focus on this one thing. I’ll probably need a more powerful computer, or set of computers, though.

Working from home

Health officials in King County (Seattle area) are recommending, among other things:

Workplaces should enact measures that allow people who can work from home to do so.

About 5:00 PM on Wednesday a blog reader told me::

Microsoft just told all employees who can WFH to do so until March 25

My employer said something similar yesterday. My team started WFH the day before that.

I can work from home for almost everything except meetings where someone is likely to be using a real whiteboard (we have virtual whiteboards in some conference rooms).

My first thought was, “Will the VPNs fall over?” So far both my MS contact and I have had not had any problems with our Internet connections to work. I suspect they have self-scaling VPNs.

Barb has been working from home exclusively for years now. It’s a little odd for both of us to be working from home every day. It’s nice but it just feels a little odd to only see each other for such extended periods. I wonder how it will feel after three weeks.

Yesterday I asked Barb if we are going to get “cabin fever” and get irritable or something. She thinks she will be okay as long as she doesn’t feel physically trapped as in being snowed in or something.

We’ll probably will go for walks occasionally. That should help and it should be safe as long as we don’t have contact with other people.

Overheard at work

Chris: We thought we bought a stool. We’ve been sold one leg of a stool. Now they are trying to sell us the other two legs of a stool and I think I’ve got a stick up my ass. What do you think?

Devin: I think I would rather not sit down.

That’s odd

I’ve frequently read that important discoveries and inventions more often start with “That’s odd.” than with “Eureka!”

And so it was with a discovery of mine a week ago today.

I write software tools for the cyber security team at a major corporation. The culture is somewhat freewheeling. In the first couple of days when I started work my boss told me something to the effect of “People create their own positions here.” After the first couple of months I would talk to him no more than once a month. Sometimes it would be far longer than that. I did, pretty much, whatever I wanted. At review time I would be told, “We really like what you are doing and keep it up.” My model was look at what people around me were doing and write tools to make their job easier, faster, and enable better results.

I sometimes would joke that my goal was to eliminate the jobs of the people around me by writing the software to replace them. In reality what I did just meant people could be far more productive. Cyber security is never ending and I don’t see an end in sight for a job in this field as long as we have computer networks and human nature is what it is.

Nearly everything I did was little web application which would do things like check IP addresses for being on black lists and geolocate them, pull data and reformat from sensors, and graph data on “dashboards” for management to look at. My background task was working on something much bigger. I would see patterns in some of the data I was pulling from sensors and would try to get someone to investigate what I thought was suspicious activity.

The investigators would look at it for a few seconds and tell me something to the effect of, “I can see anything here. I need to see A, B, and C as well in order to know if this is anything.” So, a week or two later, I would show them similar data with A, B, and C added to the set. Again they would look at it for a few seconds, not see what I was seeing, and tell me they needed X, Y, and Z as well.

This went on for some time. I was somewhat frustrated and annoyed but I was learning how they did their jobs and what data they needed from multiple sources to evaluate a potential threat. But tens of thousands of rows in a spreadsheet with dozens of columns still didn’t allow people to quickly see the patterns I believed I was seeing. About two years ago I had kind of an eureka moment and I came up with a much better way of viewing the data (patent idea submitted to our attorneys was made late last year).

I started writing the software and explained it to anyone who expressed the slightest bit of interest in what I was doing. I gave the software the name “Bird Dog”. It essence it’s hunting through the grass and brush searching for specific things of interest to the (cyber security threat) hunter. It then points them out and then, when given the command, flushes them into the “air” such that only the the blind could not see them.

Everyone that sees it thinks it’s awesome but as much as I try I’m the only one that uses it. Everyone likes the data it produces but they don’t use it themselves. I think I need to make it easier to use but that’s a different story.

Last weekend I was putting in extra hours working on Bird Dog because I had gone through a major rewrite and it was to the point where things were working again as features were reenabled and new features were showing up. It’s very exciting to see what things will show up in the data with the proper visualization.

One of the things I had occasionally done in the past was to run a set of our externally facing IP addresses against the lists of “high risk” IPs. I didn’t have a complete set of our IP addresses but I had gathered some from public sources and had somewhat automated the process. I still had to copy and paste the list into a web app, click a button, and download the .CSV file into Excel. It didn’t take long but I never found anything and didn’t do it very often.

After the rewrite Bird Dog had a new data source. The new data source included more of our externally facing IP addresses. Bird Dog would now have not just my hand crafted list of IPs but IPs from the firewalls and other sources that might not be on any easily available list. And Bird Dog automatically added the risk scores to every public IP it saw, not just the IP addresses which were not ours (a previous limitation).

Last week during my testing of the new Bird Dog code one of our IPs was given a risk score indicating it was considered “Malicious”. That’s odd. I have been doing those sort of checks for years and I had never seen that before. But, it was one of the new features of Bird Dog and I knew it was possible.

I pointed it out to my boss. He and I spent a few minutes on it. We tried to find out why it was considered high risk but the supplier of the risk score for that IP had a 404 error on the web page for that one IP.

Another investigator was assigned and we looked some more. We didn’t make much progress and could create a story matching all the data that it was a false positive and we didn’t need to worry about it. We were about to close the case and move on when the vendor who had supplied the risk scores showed up for a meeting.

One of the guys (who plans to attend Boomershoot this year, BTW) stopped by my desk and asked how things were going. We chatted about Boomershoot some and then I told him I was a little frustrated about the missing risk score “evidence” for the one IP address. They get their information from various sources and had provided a link to the original source which where I was getting the 404 error from. He pointed out his company had cached the web page and we could just click on a different link. It wasn’t obvious to either I or the other investigator and we both missed it.

Together the vendor and I looked at the cached web page. We quickly determined that as far as our network security was concerned it was certainly a false positive. But the data was something we couldn’t ignore.

When my boss, a former police officer, came back to the office I showed it to him and asked if it should be forwarded to the police for investigation. He asked me to write it up and forward it to him and he would forward it to Corporate Investigations who handles all interaction with law enforcement.

Within a couple hours the referral had been made. Later that day my boss wrote an email to our director (some details redacted, indicated by XXX, for various reasons):

Joe was working on his Bird Dog code and identified a XXX IP address labeled “High Risk” by XXX.  After additional analysis, Joe and Mike found the IP address was listed in a cached webpage where someone posted XXX links to suspected child pornography

This was immediately handed off to XXX and the appropriate LE referral was made to the National Center for Missing and Exploited Children.

Great work by the entire team to keep digging and hopefully contribute to protecting a vulnerable child!

Neither I nor anyone I know clicked on the links. We all know better than to do that. You never want to go there.

This is probably the best, for certain measures of best, find so far by Bird Dog. And it was totally inadvertent. Sometimes it’s the odd things that are the most important to follow up on.

Quote of the day—Brad Smith

The pressure to put data centers in more countries is giving rise to what is rapidly becoming one of the world’s most important human rights issues. With everyone’s personal information stored in the cloud, an authoritarian regime bent on broad surveillances can unleash draconian demands to monitor not only what people are communicating, but even what they are reading and watching online. And armed with this knowledge, governments can prosecute, persecute, or even execute those individuals they consider threats.

This is a fundamental fact of life that everyone in works in the tech sector needs to remember every day.

Brad Smith
President and chief legal officer of Microsoft
September 2019
Page 45 in Tools and Weapons: The Promise and the Peril of the Digital Age


[One of Barb’s brother-in-laws recommended this book to me a few days ago as we were having a discussion about privacy and security.

I’m only about 20% of the way through the book but I’m really enjoying it. What I’m hearing matches the general tone of the culture when I worked at Microsoft. They take customer privacy seriously.

They have a team of about 50 people that work full time to respond to government requests and push back if the request is out of line with the law. They have promised to go to court rather than comply with requests that don’t have the warrants and documentation all in order. And they have gone to court numerous times. Smith claims they win in court 90% of the time.

I don’t know the details of the level of cooperation my current employer and the government have but I know that on the security side of things we take things very seriously. I also know that, IIRC, we have about 100 full time people who deal with government requests for information. I’ve talked with some of them and they too seem to believe it’s critical to keep the government on the straight and narrow.

I only see the criminal side of things but if we know or suspect customer personal information has been compromised, by either insider or outsiders, we put a stop to it as quickly as possible. And in the past year or two I’ve been seeing names of the people we chased end up in the news as being arrested, prosecuted, and convicted. None of them have been government officials, but that’s probably a little too much to expect.—Joe]

Project Diesel Memento

This morning I received an email from Ken in NH:

Raymond doesn’t name check you, but you are mentioned indirectly:
https://devblogs.microsoft.com/oldnewthing/20190930-00/?p=102942 

Also, I think you promised to tell us about the ammonium nitrate souvenirs some time ago. Any interest in writing that soon?

I sort of remember making that “promise”. I went to Raymond’s blog and found Ken had linked to my post on the same topic making it easier to find. Raymond makes reference to me in his post with:

One of the DirectX developers owned a farm and gave each team member a small plastic bag of ammonium nitrate as a souvenir.

You might think it odd he mentions the farm but not Boomershoot. This was in 1997, over a year before the first Boomershoot event. I was working on the explosives at the time but had not yet found something that worked. I had the ammonium nitrate but hadn’t yet figured out how to make it go boom with rifle fire.

Back to the 13 year old “promise”. It’s time to deliver.

I went looking for the 22 year old Word document. Yeah, I’m a packrat and knew I wouldn’t have deliberately deleted it.

I found two documents:

Directory of H:\Humor

09/30/2019  11:33 AM    <DIR>          .
09/30/2019  11:33 AM    <DIR>          ..
07/22/1997  03:56 PM            35,328 Diesel.doc
07/22/1997  04:00 PM            19,456 Diesel2.doc

Diesel.doc:

Project Diesel Memento

Enclosed you will find about 1/4 pound of ammonium nitrate (N2H4O3). When mixed with approximately 1 teaspoon of diesel this common farm fertilizer could be made to explode with the force of several sticks of dynamite. If the charge were properly placed in the ground it would probably make a hole about large enough to bury a person (or two in the case of Raymond Chen).

As it stands, and even if mixed with diesel, it is extremely difficult to detonate. On the farm we used 1/2 stick of dynamite which itself required a blasting cap to be detonated. It requires extremely high pressures (several thousand PSI) and heat to detonate. On the farm we would bore a hole in the hard dirt and clay under a stump and firmly pack in about a pound of it (mixed with diesel and the dynamite booster) to “liberate” the stump from the ground.

Other means of detonation exist, see for example New and Improved C-4 — Better-Than-Ever Recipes for Half the Money and Double the Fun by Ragnar Benson or The Anarchist Cookbook. I have extreme doubts about the accuracy of the recipes in The Anarchist Cookbook and have been unable to get Benson’s recipes to work when attempting to detonate the mixture with rifle fire (as he claims will work). So, if you want to use this to blow something up you will probably have to obtain some dynamite and blasting caps or ask Timothy McVeigh for help (I believe he actually used nitromethane, not diesel).

Regards,

Militia Joe from Idaho

The Militia Joe from Idaho reference is to a skit I created for a Swine Before Pearls television show in 1995 while I was working at Microsoft on Direct X 1, The Manhattan Project.

Diesel2.doc:

July 22, 1997

Raymond,

One is for you (if you want it). Please give one to NWilt. The others you can distribute as you see fit (trinkets for the natives, whatever).

Have fun!

See you soon. You are coming over for harvest, right?

Regards,

I printed something like 20 copies of “Project Diesel Memento”. I put about a quarter pound of ammonium nitrate in “Seal a Meal” (as they were called at the time) bags. This was sealed off in the bottom part of the bag and the printed text was put in the top part of the bag and sealed. I then shipped the entire set to Raymond at Microsoft with the cover letter shown in Diesel2.doc.

NWilt was my manager when I worked on Direct X 5, Project Diesel. It was probably about 2012 when NWilt contacted me and invited me out to lunch. He told me he still had the Project Diesel Memento.

And now you know the mementos story I “promised” to tell so long ago.

Mugme Street news

I used to work downtown Seattle in the Century Square building which has one side on 3rd Avenue between Pike and Pine streets. Barb calls this street “Mugme Street” because all your warning flags go up as soon as you poke your head out of the building along that one block length of 3rd. When I was working there I blogged about it fairly often.

Last night there was a “dispute” at 3rd and Pine which moved below the street to Westlake Tunnel (and bus station). The end result was three people shot and one dead:

Police are looking for a gunman who shot three people, killing one of the victims, near the Westlake light rail station in downtown Seattle Friday night.

Authorities said three people were struck by gunfire about 9:30 p.m. Two of the victims were found near Third Avenue and Pine Street. The third victim was at Fifth Avenue and Pine Street.

It is important to note that the locations were all underground at Westlake Station.

Police believe a dispute started above ground near the McDonald’s on Third Avenue and moved below to the Westlake Tunnel. They also believe there is only one suspect.

I used to take the bus into town and get off at Westlake Station.

That McDonald’s has to be one of the most dangerous to eat at in the country. I almost never got food there and it just really bothered me to even linger in the area.

I’m so glad neither Barb nor I work downtown now.

Update: A suspect has been arrested: 20-year-old Westlake Station shooting suspect held on $2M bail

Overheard at work

I work in computer security. I write software to search for “interesting” data in billions of connections between millions of computers. Many times the “interesting” stuff I find turns out to be not quite as “interesting” as I initially thought. I always run it by others to do a “reality check” before investing too much time investigating or raising an alarm of some sort.

I showed my boss some “interesting” data recently:

Chris (my boss): Do you every feel like that guy in a movie sitting in front of radar screen saying, “I don’t think that is a flock of birds!”?

Me: All the time.

Chris: Yeah, well, I don’t think this is a flock of birds.

Overheard at work

Caity: Do you remember the time we had to write the report on the electromagnetic pulse? A solar storm or something?

Joe: I remember the report on the possibility of North Korea setting off a nuke and creating an EMP.

Kelsey: I remember that! That was really depressing. It was like, “Time to go to Idaho and hide in a bunker.”

[Laughter from everyone and they all look at me.]

Joe: I don’t have a bunker in Idaho! I may have an explosives production facility in Idaho but I don’t have a bunker.

[laughter from everyone]

Joe: It’s all about offense, not defense.

Belated Halloween picture

I was organizing my photos and ran across this one from last month. It is my desk top at work when I came into work the day after Halloween.

20181101_083636

Apparently there was a spider infestation in the office.