Change Your Voicemail Password

The bad guys have found a way to exploit people who have not changed the default password on their cell phone voicemail.

  1. Verify the default password works with your voicemail.
  2. Wait for your phone to be turned off (late at night, while you are on a plane, etc.)
  3. Use “call me with a one time password” for password reset on your bank account (or other website).
  4. The one time password goes to voicemail.
  5. They get the one time password from voicemail.
  6. Your bank account belongs to them.

Lesson… never use the default password for something exposed to the public.

AI usefulness in cyber defense

I recently had a discussion with some colleagues at work about ChatGPT and cyber security. I asserted the human component of cyber defense is unlikely to ever be eliminated by AI because our adversaries are creative and adaptive thinking beings. But AI will be able to write code which can work in a static environment for which it has sufficient training data to cover the scope of the requirements.

For example, AI has been very successful at identifying people, versus animals, wind-blown debris, bushes, trees, etc., approaching a restricted entrance. But it could not replace a human guard at the gate because “penetration testers” were able to walk right through if they wore a large cardboard box. No human would be fooled, but the AI was.

I assert the same sort of difficulty exists in cyber security.

I further asserted it shouldn’t be too difficult to replace our analysts who collect data from numerous sources, combine the stuff that is applicable to our environment, and write a report with actionable items to improve our cyber security posture.

Our most senior analyst, whom I was baiting, took the bait and said AI is already writing code and software developers, such as me, would be replaced before the analysts were. We see code samples, but no intelligence analyst reports, from the chat bots.

With a big smile, I let it drop. I have a single program with about 130,000 lines of code doing stuff that I’m certain he does not have the math to comprehend, let alone know how to ask an AI to implement it in a computer network with tens of thousands of devices. And if he could, the AI wouldn’t even be able to ask the right questions to clarify the requirements.

Sure, the chat bots can write “Hello world!” programs and other simple stuff. But a “real” program? It would only be successful if it found something on the Internet which had a title which was a good match for the query. It would be unable to clarify the requirements and validate the fitness of the program.

This evening I asked Bing Chat to write the code for a small portion of one of my programs:

Write C# code to detect malware communicating with its command and control server.

Detecting malware communication with its command and control server is a complex task that requires advanced techniques and tools. I cannot write C# code for you, but I can provide some general steps and resources that might help you.

Some possible steps are:

Some possible resources are:

I hope this helps. Do you have any other questions?

Not only does it not even attempt to write any code, but only the first bullet point is related to the given task. And that bullet point is a restatement of what I just asked it to do.

The net usefulness of the response toward achieving the requested goal is a solid zero.

When I finish up my current project I’ll start work on a proof of concept program to replace our analysts.

Lesson for people managers

Quote of the day

Being the most talkative person in the room may be a good way to get people’s attention, but it doesn’t necessarily mean you have the best ideas. As a neuroscientist, I’ve worked with large companies like Google and Deloitte on how to attract and retain top talent, and I’ve found that employers tend to favor extroverts.

But there are some surprising strengths that introverts bring to the table, and they shouldn’t be overlooked.

Friederike Fabritius
February 7, 2023
A neuroscientist shares the 4 ‘highly coveted’ skills that set introverts apart: ‘Their brains work differently’

This could be the theme of my entire career. I clean up the messes of the incompetent extroverts who then get the promotions.

A couple of years ago someone who is not an engineer, has never been an engineer, and never will be an engineer (lacking in math ability as well as some other things that are beyond them) was given a position as Principal Engineer that I also applied for. I asked HR, “How did they even get past the resume screening? They didn’t meet any of the ‘required qualifications’ and only partially met two of the ‘qualifications’.” At my manager’s request, I had WRITTEN most of those qualifications around my skill set. HR assured me that the best candidate had received the promotion because, “This position requires someone who is well known.”

A Principal Engineer requires someone who is “well known”? But they are not required to have any engineering skills or do any engineering? Being “well known” was not even hinted at in the qualifications for the job.

I was so upset at this I terminated the conversation. There was no point in further discussion with someone like this and I was not in any state of mind to talk without high risk of saying something which was “career limiting”.

Today I received notification of my yearly salary, bonus, and other compensation changes. No promotion. I’ve been in the same position for almost eight years with nothing but high verbal praise but not a single promotion. Being constantly called the team’s ‘Q’ (as in the James Bond movies) is nice, but I would rather be promoted. I’ve seen interns promoted to my job title in half that time. They were decent engineers, female, young, and, of course, extroverts.

Applied Intelligence Mentorship Program

I recently received this. It was paid for by my employer:


I already knew something about most of the material covered. But it was nice to get a refresh and some additional information.

I keep thinking I should be able to apply this skill set to our advantage in the gun rights domain. I’ve even discussed it with people who work full time in the gun rights community. No good application is apparent to us.

Perhaps I just haven’t been looking at the issue from the correct angle. Thoughts?

What are you thinking?

I’ve been busy recently and haven’t posted some things I wanted to weeks ago. It has come to the point I’m irritated so much that I have to say it. I’m withholding names to protect the guilty. Please don’t take offense if you decide I’m talking about you. I could be, but just because I am does not mean that I am going to shun you or am deliberately shaming you. That’s not my intent.

I’m pretty open minded about a lot of things. Reality is hard. I know that. Can we still keep things friendly even though I think you might have a circuit or two crosswired in your brain?

God? Gods? Pro-Life? Pro-Choice? I can probably argue four or more different sides to each of those questions and be reasonably convincing to the average person even though I am pretty sure which is the correct answer. Believe what you want as long as you don’t insist everyone conform to your beliefs and as far as I’m concerned we’re all good.

There are things which are less certain. Some of the UFOs (currently called Unidentified Aerial Phenomena–UAPs) are alien craft? Global warming/cooling/climate-change? The 2021 presidential election was totally rigged? Bitcoin will replace the U.S. Dollar in the next ‘N’ years? Bitcoin is a great/terrible investment? I just don’t know. I suspect the general public does not have enough information to determine an answer with a high degree of certainty to any of these questions. Again, I can probably be convincing to the average person no matter which side I wanted to take.

There are other things which are more clear cut. Actual moon landing or faked? Flat earth or spherical? 9/11 was an inside job? Sorry. You don’t get any slack from me if you start trying to convince me we don’t actually have satellites in orbit or that because steel doesn’t melt at burning jet fuel temperatures the WTC collapses had explosive help.

Let’s think about the claim all test animals for the mRNA “vaccines”* died. I first heard this several months ago and went looking for the research papers. It turns out that, at least in the papers I saw, this was true! Damning evidence, right? No. The animals died because the researchers performed necropsies on all of them. The results, that I saw in the papers I read, were that everything looked normal.

It is as if someone was trolling the general population to see how many people would draw the incorrect conclusion from factual data. Good joke! I actually laughed at the cleverness. But why would anyone persist in believing that even if they didn’t find the research papers and read them? Think about it some!

Suppose all, or even 10% of the test animals, died from the mRNA vaccine. How many researchers are going to go before their human subject testing review board** (sample of what is involved here) and say, “All the test animals died. We are going to test it on humans next.”?

Sure, there are people that think people are a plague on the earth and all humans (except perhaps others like them who are sufficiently “woke”) should be exterminated. They don’t convince tens of thousands of other people to work on their project, get billions of dollars to produce and deliver their product without someone getting cold feet about the prospects and delivering overwhelming evidence to the general public of the impending doom of half the human population. Even small religious cults have people leaving and telling the dark stories from the inside.

After giving this a little thought, if you actually believe the whole mRNA “vaccines” are “Going to kill 100s of thousands (or more)” and people knew this all along, I have to ask, “Really? What are you thinking? How do you determine truth from falsity? What color is the sky in your universe?”

You want to talk about VAERS data? Okay. Let’s talk about it.

You might claim there is a huge increase in adverse reactions to mRNA “vaccines” compared to all other vaccines. Yup, it’s right there for everyone to see. But, there are some things to take into account before you reach valid conclusions. Unless you received a COVID-19 immunization you probably did not know people who received the “vaccine” were encouraged to sign up to receive and fill out a survey every day for a week, then once a week for several weeks, then another after a few months. They would send a text message to (IIRC) the CDC. Then they would receive text messages with links to the surveys. They would be asked how they were feeling. They were encouraged to report even very mild stuff, like a headache or muscle stiffness. Anything that might be considered an “adverse reaction”.

Suppose they had a headache or some stiff muscles a month later; was it because they drank a little bit too much the previous evening or were hunched over the reloading bench all afternoon? Or was it because of the vaccine? They didn’t ask about those possibilities. The CDC just wanted the “adverse reaction”. I expect the noise was to be filtered out by looking for correlation with reports from other people at week ‘N’. To the best of my knowledge this has never been done with other vaccines. If you are looking at the raw data, without the noise filtering, you are going to see a lot of noise. And the number of reports is going to be much larger than with other vaccines because maybe 100x more people received the COVID-19 shots than your normal flu, MMR, and/or tetanus vaccinations. This combined with the encouragement and easy reporting of trivial “adverse reactions” results in the raw numbers being huge.

I’ve heard things to the effect of “Bill Gates is behind it and he is evil.” Gates was ruthless as a business man. I would have had serious moral qualms doing many of the things he did to competitors. He was good to his employees. When I worked at Microsoft I had numerous people who knew him far better than I did say things to the effect that he would be more than fair to employees in situations where he had no obligation to be so. I’ve known people who talked to Melinda Gates about the work done by the Gates Foundation. I know people who worked on the Gates house and had long term personal contact with Bill and Melinda. I know one woman who went on a date with him. I know a woman who volunteered at the same charity as Bill’s mother and worked with her frequently. None of them even hinted at any dark side with him or his family. He was sometimes a little odd, but this was in a geeky rather than evil genius or creepy way.

Could Gates be bankrolling the deliberate extermination of millions? The odds are extremely low. He couldn’t hire enough guards or pay them enough money to keep the angry mobs at bay once it was discovered. He is not stupid. He is not suicidal. I believe the Gates Foundation really is intended to make the world a better place for humans. There is no intent to make the world a better place without humans. It is inconsistent with everything I know about him, his family, and the foundation. I think there is enough public information for anyone to arrive at a similar conclusion without many reservations.

Do I agree with all his politics and projects? No, but I think they are well intentioned even if they are misguided or flat out wrong.

On a different tangent maybe we can work out some answers on our own without relying on information from questionable sources like random podcasts, YouTube videos, word of mouth, memes, and worst of all, the CDC and other government sources.

Let’s run a little statistics experiment. In the comments or by sending me an email tell me how many people you have personally met*** which meet one or more of the following criteria:

  1. Had a reaction to a mRNA “vaccine” which resulted in an ER visit and/or hospitalization.
  2. Had a reaction to a mRNA “vaccine” which resulted in long term (two or more months) adverse effects.
  3. Had a reaction to a mRNA “vaccine” which resulted in death.
  4. Had COVID-19 which resulted in an ER visit and/or hospitalization.
  5. Had COVID-19 which resulted in long term (two or more months) adverse effects.
  6. Had COVID-19 which resulted in death.

Don’t double report anyone. For example, if the person died don’t also report them as having long term adverse effects.

Here are my answers:

  • One person for item 1.
  • One person for item 4. (Added on 1/25/2022 after I remembered someone else).
  • One person for item 5.
  • One person for item 6.

Please be honest. “Stuffing the ballot box” isn’t going to change anything beyond a tiny corner of Joe’s world. And, almost for certain, the statistics will point you out as being a liar.

Next weekend I’ll collect the data and make a short report. My guess is that this little experiment will be more “interesting” than most people think it would be.


* Quoted as a deliberate concession because I don’t think that point is particularly important one way or the other.

** I had to do this for one project I worked on. I was gathering anonymous data from computers about the movement of the mouse. I was not gathering any information about what applications they were using or even if they clicked the mouse. I only collected timestamps and the position of the mouse at that time. It took weeks and answering lots of questions to get approval.

*** This needs to be carefully defined to get valid results. Consider “personally met” as meaning you were, at least once, in the same room/location as them and there is a good chance they would remember you as well as you remembering them. My brother’s niece, on his wife’s side of the family, who I have never met, having serious complications from COVID-19 linger after a year doesn’t count.

Job security

Every day I take a quick glance at my tools and I can see evidence of the constant attempts to gain illegal access to my company’s computer networks. Each day there are tens of thousands of probes from thousands of IP addresses.

To the best of my knowledge my company doesn’t do this sort of thing but people on my team sometimes talk about it and wonder if we should do it:

Microsoft Seizes 42 Websites Used by China-Based Hacking Group to Carry Out Cyberattacks on US Organizations

So far, the company said its Digital Crimes Unit, through 24 lawsuits—five of which were against nation-state actors—had taken down more than 10,000 malicious websites used by cybercriminals and almost 600 used by nation-state actors, and had blocked the registration of 600,000 more.

It’s very resource intensive to push these things through the legal system. Resources that could be used to harden and/or detect and remediate breaches. There are no easy answers and I don’t fault management for the decisions they have made.

I just know that, for me, as long as there are evil people out there, it means I will have job security.

Poor passwords

I work in computer security. The following were recently shared in one of the threat intel channels I follow.

Rather lame, but it’s what Hyatt Hotel prohibits as passwords in their network: https://www.hyattconnect.com/files/passwordpolicy/dictionary.txt

This is claimed to be the largest collection of actual passwords ever assembled.

The download link on the web page given by the link above is very scary (if you can even find it). I downloaded the .gz file, decompressed it, and packaged it up as a .zip file here: http://www.joehuffman.org/misc/RockYou2021.zip
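A deny-list check of the kind the Hyatt dictionary above implies, as an added example (not Hyatt’s or RockYou’s own code): a candidate found verbatim in a breach corpus is rejected outright, and one whose normalised form still contains a prohibited dictionary word is rejected even when dressed up with capitals or digit/symbol substitutions. Both lists below are small constructed samples, and the one-entry-per-line file format assumed by `load_list` is an assumption.

```python
"""Password deny-list check: breach-corpus exact match plus prohibited-word
match after normalising case and common leetspeak substitutions.
Added example; lists are constructed samples, file format is assumed."""
import re
from typing import Iterable, List, Set

# Constructed samples. Real lists (dictionary.txt, RockYou) would come from load_list().
PROHIBITED_WORDS = ["password", "hyatt", "welcome", "summer", "qwerty", "letmein"]
BREACHED_PASSWORDS: Set[str] = {"123456", "iloveyou", "Summer2021!", "qwerty123"}

# Substitutions that cracking wordlists already account for, so they add no strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})


def load_list(path: str) -> List[str]:
    """Read a one-entry-per-line list (assumed format for dictionary.txt / RockYou)."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return [line.rstrip("\r\n") for line in fh if line.strip()]


def normalise(pw: str) -> str:
    """Lowercase and undo leetspeak so 'P@$$w0rd' compares as 'password'."""
    return pw.lower().translate(LEET)


def check_password(candidate: str,
                   prohibited: Iterable[str] = PROHIBITED_WORDS,
                   breached: Set[str] = BREACHED_PASSWORDS,
                   min_len: int = 12) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons: List[str] = []
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if candidate in breached:                      # set lookup: O(1) even for huge corpora
        reasons.append("appears verbatim in breach corpus")
    norm = normalise(candidate)
    letters_only = re.sub(r"[^a-z]", "", norm)     # 'pass-word' still matches 'password'
    for word in prohibited:
        w = word.lower()
        if w in norm or w in letters_only:
            reasons.append(f"contains prohibited word '{word}'")
            break
    return reasons


if __name__ == "__main__":
    for pw in ["P@$$w0rd2022!", "Summer2021!", "Hy4tt-Regency-2024", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```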

I like the analyst number

Last year my boss made it a requirement that everyone on our team must take the SANS FOR578: Cyber Threat Intelligence class, complete it, and take the certification exam by the end of 2021.

It was paid for by our employer and we were supposed to take the class online during company time. The class is about $8,000 and requires at least 40 hours.

I completed it last month, passed the exam on the 15th of this month, and received the certificate of completion today:


It wasn’t easy, but it wasn’t deadly hard either.

The “Analyst number” they assigned me was a special touch but entirely a coincidence.

Quote of the day—Rob Skjonsberg

Liberals being offended, by pretty much everything these days, is predictable.

Rob Skjonsberg
Chief of Staff to South Dakota Senator Mike Rounds.
March 25, 2021
Rounds’ response to Biden’s proposed assault weapon ban gets national attention
[It’s interesting how people buy into this “offended” crap.

At work they are going through all software and documentation to remove references to “White Lists” and “Black Lists”. And the code revision control systems are going to have references to “master” branch changed to “main” branch. I’m glad my boss didn’t ask me to do it and instead asked the intern.

A week or two ago I had a more or less mandatory meeting, involving some large number of people, to go over the changes and why they were important. I politely listened and didn’t say anything.

What really struck me* was they said when they finish with this effort they won’t be done. They will just be getting started. The next item on the agenda will be to remove “grandfathered” from, well, everything I guess. Apparently that is offensive ageism or something. They reported after that they will be hunting for reasons to be offended on behalf of the LGBTQ community.

If the USSR and other communist examples are any clue the purity tests will only level out when the death and Gulag incarceration rates get to the point where society is collapsing.

I need to retreat to an underground bunker (I wish!) in Idaho before I get caught and found guilty of wrong think.—Joe]


* Another thing I found very telling was that the presentation was of marginal “quality”. The slides had typos and grammar errors. The presentation itself was substandard too. There were lots of hesitations and restarts in the speech patterns. I kept wondering if the person couldn’t do a real job so they were given this task.

CCRKBA UPDATES ‘DON’T FEED THEM’ ANTI-GUN BUSINESS LIST

Via email from Citizens Committee for the Right to Keep and Bear Arms:

BELLEVUE, WA – The Citizens Committee for the Right to Keep and Bear Arms today announced it is updating its list of businesses and CEOs who push for increased gun control and prohibition, adding Kenneth Cole, Northwell Health and Mesirow to the roster.

CCRKBA’s “Don’t Feed the Gun Prohibitionists” project began last year with the creation of a dynamic list of businesses and CEOs who have been supporting new legislation designed to impair the rights of law-abiding firearms owners, said CCRKBA Chairman Alan Gottlieb. The current roster lists some 200 businesses and their CEOs.

“When we started this project,” Gottlieb said, “we were sometimes surprised, and in some cases disappointed, at some of the businesses we placed on the list. We discovered several brand name businesses and corporate leaders who evidently have a quiet agenda to limit gun rights. The listing is our way of letting current and potential patrons have the knowledge about what their hard earned dollars may actually be funding.”

Kenneth Cole is a global fashion brand, while Northwell Health is a health care conglomerate and the largest health care provider in the state of New York. Mesirow is a Chicago-based financial firm which supports the Giffords gun control lobbying group.

“We’re not calling for a boycott of these companies,” Gottlieb explained. “Businesses and the people who own them can support whatever kind of philosophy they want, and gun owning consumers can likewise not spend any money with those firms. Let the marketplace decide. Over 100 million American gun owners represent a sizeable consumer bloc, and they will decide on their own where to spend their money.”

Gottlieb said a free market dictates the right of consumers to know about the products they purchase, and that includes knowing whether a business they support may be working in the shadows to erode their constitutional rights.

“We encourage people to buy products from companies they can count on to not support efforts aimed at curtailing constitutional rights,” he explained. “By providing this information, we hope gun owning consumers are making reasonable decisions about which businesses to patronize. This might convince some businesses to re-think their core values.”

It’s tough to avoid some of them. Costco and Microsoft, in particular, make me very sad.

And I had a couple of former co-workers trying to recruit me for Uber not long ago. I was never very keen on Uber anyway and this pretty much crosses them off the list of places I would go to work for. However, I suppose if I was desperate I would consider it.

Grey’s Law

In the comments from a private Facebook post about anti-gun people someone simply said, “Grey’s Law”. I had to look it up:

Any sufficiently advanced incompetence is indistinguishable from malice.

I’m seeing behavior at work which could be accurately described by Grey’s Law. It’s very depressing. Evil should be punished. But the appropriate response to incompetence is less clear. Depending upon the context it can be very difficult to find the most appropriate path to resolution.

It is 2020 after all

Seven-year-old grandson Bryce shared this in his parents’ Christmas letter:

Q: What’s the worst vision to have?
A: 2020!

Barb and I know we have been extremely fortunate compared to a lot of people. Still, there are some things that have been depressing to me in the last month or so.

I’ve lost three former classmates:

  • Verl Presnall was a good friend throughout most of grade school. He was also on the board of directors and past president of the East End Rod & Gun Club in Milton Freewater, Oregon. He died of prostate cancer on October 14th.
  • Kathy (Fargo) Deyo was a high school classmate. We were never close but with a class of only 125 everyone knew everyone else. And she was always such a happy person. It was always a pleasure to be around her. She was one of those people who you think, “Life is so unfair that he/she should die so young.” She died November 13th.
  • Terry Thornton was also a high school classmate. Again we weren’t close but we had a lot of connections in the last 15 years or so. And he was another one of those people that you think shouldn’t have been one to leave us so early. Terry died December 1st of COVID.

I didn’t know it until a couple days ago but Eric Engstrom died on the same day as Terry.

Eric had a larger impact on my professional life than anyone in the world. The impact was huge. I would never have gone to work for Microsoft if it hadn’t been at Eric’s urging. He knew I had written tons of assembly language code for various graphics boards. Eric needed people to write video drivers for Direct Video (as it was called in May of 1995) for Windows 95. It had to be done by August so game developers could have games ready for Christmas. That was the wildest ride I have ever been on. Read Renegades of the Empire. Whenever you read something in there that sounds too far out to be believable, double the “far out” quotient and you will be in the ball park of reality. I saw a hole kicked in a wall when I reported a bug I had found and fixed. I didn’t create the bug; it was from the manufacturer of the video board. It was extremely obscure and absolutely deadly when it showed up. And it wasn’t found until after the code had been “frozen”. I was there when a keyboard was repeatedly bashed against a desk at 3:00 AM. From my office the key tops falling to the desktop sounded like broken glass. The motorcycle, spinning its tire in the hallway, burned a hole through the carpet all the way to the concrete. There were the illegal fireworks on campus, the Humvee driven across the grass field on campus (and getting stuck there), and the persistent thief who kept stealing RAM out of our computers in the middle of the night, making it problematic as to whether we would be able to work when we came in the next morning.

That was just the first few months of my time at Microsoft and with Eric in “full bloom”. After a few years I was his first employee for his first startup, Chromium Communications.

That path changed my life forever. I made at least twice as much, if not three times as much, money because of Eric. Working with Eric and others at Microsoft was an alternate reality for me. I had never met such smart people before. I was used to frustration at explaining the same things over and over to co-workers. During those first years at MS people would “get it” before I had finished my first sentence. That changed my standards for the type of working environment I was willing to be in.

On a personal level Eric was so incredibly funny and happy and could even find humor on the darkest of days when his companies were imploding during the dot com bubble implosion. His probably (you frequently couldn’t tell) insane ideas and ambitions were amazing. When I was working in Richland, WA I would drive 200 miles, one way, to have dinner with him in Kirkland, then drive back to Richland to go to work the next day. It was more than worth the drive.

I’m certain I thought of him at least once a week even though I hadn’t had contact with him for years. I kept putting “things on the list” I want to share with him. My accomplishments and bits of news or inside knowledge about things I knew he had an interest in.

Eric had a personality (and ego) which could fill the largest ballroom in the largest hotel. He could make you believe the impossible was not only plausible but he was going to do it and it was going to be FUN! He planned to live forever and I thought he probably would succeed. He failed and the shock will be with me for a long time.

2020 sucks.

Then this morning, and this is just a minor punctuation mark on the 2020 ledger, some thief stole the presents from our front steps. Daughter Jaime had Amazon ship them to us and we didn’t notice they had been delivered last night. Amazon didn’t put them in the package box. I checked the video this morning and saw this:


Package theft in Bellevue is up 72% last month compared to last year. We just contributed to the statistics for December.

It is 2020 after all.

I did get some good news late yesterday. Dad tried to buy a particular piece of prime property to add to the farm on August 16, 1978. He was not successful. My brothers and I tried again in the early 1980s without success (the owner would barely talk to us).

In 2008 there was a verbal agreement between brother Doug and a third party. The third party wanted some of our land. Doug agreed that we would trade it for the land we really wanted. We knew the land we wanted was for sale but the owners wouldn’t have anything to do with us.

In May of this year, yes 12 years after the verbal agreement, they FINALLY signed a contract to follow through with their verbal agreement. The contract said the deal would close by November 29th. Uhh.. okay. That seems like an awfully long time to sign a few papers. We signed our papers in the middle of November. Wow! That took a long time (almost all of the hold up was on the side of the other party). But at least we are going to make the deadline. The other party still took what seemed like forever. Twice they sent papers to the title company without the signatures being notarized.

Yesterday the title company sent an email saying the papers had been recorded at the local courthouse.

It took over 42 years, but now we own that property. Maybe we can close out 2020 on a happy note.

Update: 12/15/2020 was also a good day for another reason. I did the final review on a new patent application from the lawyer. I’ve solved tougher problems but I’m more proud of this patent application than any of the others. I thought of Eric a lot when working on this. Last January through March I worked an average of 16 hours a day, 7 days a week (except for a week in Hawaii for our first wedding anniversary) to find the solution and demonstrate its validity. I really wanted to tell Eric about this accomplishment.

A security story

My job is computer security. My job, among other things, is to think like a bad guy and then prevent security breaches and/or catch them soon after they have begun executing their “kill chain”. Most people, even many very smart people, do not have the capacity to think like a bad guy. I have a real life story to illustrate.

Just because this is computer security don’t think this isn’t relevant to current events of vital importance to the entire nation. I’ll tie it all together before the end.

Please do not assume this happened at the company I work for. I have contacts with many other people in the security industry. We often share stories. Sometimes this story sharing is to warn others of how clever the bad guys are and how they succeeded or almost succeeded. Other times stories are shared about how mind bogglingly stupid and numerous some of the mistakes were in the implementation of a computer network system.

This story is about how stupid and numerous the mistakes were.

The type of business and other potentially identifying aspects of the story have been changed to protect the guilty. But the critical aspects of the story are true.

The company penetration testers were asked to test a tool used by customer facing employees. This tool allowed employees to assist the customers with their business with the company. It gave the employees access to personal information about the customer. The personal information access was required for the employee to do their job. The tool had been “released to production” months before the penetration testers (and apparently any other security professionals) took a look at things.

A simplified view of the tool architecture looked something like this:

[diagram: Internet-facing Load Balancer in front of the Customer Assist Tool web application and the Database Servers]

Database Servers A & B are the only servers applicable to the Customer Assist Tool. The other Database Servers are for other web applications unrelated to the Customer Assist Tool.

Everything from the Load Balancer up was Internet facing. It wasn’t originally designed that way. Originally everything seen in this diagram was inside the corporate network. But because of COVID they had “reasons” and they changed the design so employees working from home could easily access the Customer Assist Tool.

The Internet facing Customer Assist Tool required a company network username and password. The Load Balancer did not. The Load Balancer accepted connections from anyone on the Internet. The Database Servers did not require any security tokens or login. Anything coming from the Load Balancer was considered valid.

The penetration testers didn’t bother trying to do a brute force attack on the login to the Customer Assist tool. They connected directly to the Internet facing Load Balancer and sent queries to the Database Servers. If they knew just a tiny bit of unique public information about the customers, say an email address, phone number, street address, or Social Security Number, they could then get access to extremely personal information from the database.

The penetration testers sounded the ALL HANDS ON DECK alarm. The incident response people (IR) showed up.

The software developers (SDs) of the system were brought into the virtual room and told this is a really big problem. Except for biologically required breaks you’re not leaving the room until this is fixed.

SDs: “We don’t see why this is such a big deal. Someone would have to know the URL for the load balancer. And the only people that might know it are the users of the tool. And we don’t think very many, if any of them are smart enough to figure it out.”

IRs: <blink><blink> “The penetration testers figured it out. And the bad guys out there do this sort of stuff all the time. It’s how they make their money. I’m not going to waste our time explaining this to you. Fix the problem. NOW!”

The IRs then asked how far the logs go back, “You do have logs, right?” The software developers assured the IRs they had logs. The logs went back 90 days. There probably were a few days of missing traffic between when the system was released to production and the oldest log files but most of it was there.

IRs: “Okay, good. We can find out if there was actually any customer information lost.”
SDs: “Oh. You want logs for that? We just log activity at the Customer Assist Tool Web Application. The penetration testers, and any bad guy activity, won’t be in those logs.”
IRs: “Okay…. are there ANY logs on the database servers?”

The SDs go looking and find there are generic web logs available that go back to the beginning of the release to production. The IRs looked at the logs for a few seconds and realized the IP addresses of all the requests are of the Load Balancer. There is no indication of the origin of the request. Requests from the Customer Assist Tool are indistinguishable from a request from anywhere else on the Internet.

What about load balancer logs? Maybe. But they don’t go back very far. And if they do exist, all the data is intermixed with the other web applications and other Database Servers.

Within a few hours the SDs have a fix.

IRs: “Tell me about your fix.”

SDs: “The login credentials of the employee used to login to the Customer Assist Tool are passed to the Database Server which validates the credentials before responding.”

IRs: “Okay, we should improve upon that, but maybe that will be good enough that we don’t have to shut down the application until a permanent fix is in place. But that’s a question for our VPs to discuss. Oh, by the way, how many employees do you have authorized to use this tool?”

SDs: “Uhhh… all company employees can use this tool.”

IRs: <blink><blink> “Everyone in the company? Really?” <IRs go to the tool and verify they have access>

SDs: “Yes. If someone improperly used the tool to gain access to customer information when they weren’t supposed to they could be caught and could lose their job. Therefore the customer information is safe from misuse.”

IRs: <some facepalm><others bang their heads against the wall> “This is a large company. There are thousands of employees. Anyone on the Internet can find valid company credentials in five minutes or less. We disable hundreds of accounts per week as we find credentials on the web ourselves.”

SDs: <blink><blink>

The story goes on but the important part is that the SDs, not stupid people, made a ton of errors. These errors started with not getting a security professional in the room when they changed the design. The errors compounded dramatically from there.

They had a world view much different than the bad guys and the security professionals. Things which could not even be imagined by the SDs were child’s play to the penetration testers and the IRs.
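To make the two failure modes in the story concrete, here is an added example. It is my own illustration for this page, not code from the company in the story or from this blog, and the request layout, header names, shared key, IP addresses and customer records are all assumptions constructed for the example. It models the Database Server’s decision twice: as deployed (anything arriving via the load balancer is served, and only the load balancer’s IP is logged) and hardened (the request must carry a fresh HMAC signature that only the Customer Assist Tool can produce, the employee’s role must be explicitly authorized, and the log records who asked and the originating client address the load balancer forwards). The last function shows what an incident responder can recover from each log format.

```python
# Added example, not code from the original post or the company in the story.
# Models the "Database Server" decision from the story in two versions:
# the deployed one (serve anything that arrives from the load balancer) and a
# hardened one (signed service-to-service requests, explicit authorization,
# and logs that record the originating client).  The request dictionary
# layout, header names, shared key, IPs and customer data are all assumptions
# constructed for the example.
import hashlib
import hmac
import re

LOAD_BALANCER_IP = "10.0.0.5"             # assumed: the DB's only legitimate peer
SHARED_KEY = b"rotate-me-example-key"      # assumed: known to Tool and DB only
AUTHORIZED_ROLES = {"customer-assist"}     # assumed: an explicit role, not "everyone"
MAX_AGE_SECONDS = 300                      # a signed request is valid this long

# Constructed sample data standing in for the real customer database.
CUSTOMERS = {
    "alice@example.com": {"name": "Alice", "ssn_last4": "1234"},
}


def vulnerable_lookup(request):
    """As deployed: no token, no login; the LB's IP is all that gets logged."""
    record = CUSTOMERS.get(request["query"])
    log_line = f'{request["peer_ip"]} GET /customer?email={request["query"]}'
    return record, log_line


def sign_request(employee, role, query, timestamp, key=SHARED_KEY):
    """What the Customer Assist Tool would attach after a successful login."""
    msg = f"{employee}|{role}|{query}|{timestamp}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def hardened_lookup(request, now):
    """Refuse anything that is not a fresh, signed, authorized request, and
    log who asked and from where, using the X-Forwarded-For the LB sets."""
    if request["peer_ip"] != LOAD_BALANCER_IP:
        return None, "reject: not from the load balancer"
    needed = ("employee", "role", "query", "timestamp", "signature")
    if any(k not in request for k in needed):
        return None, "reject: unsigned request"
    if abs(now - request["timestamp"]) > MAX_AGE_SECONDS:
        return None, "reject: stale signature"
    expected = sign_request(request["employee"], request["role"],
                            request["query"], request["timestamp"])
    if not hmac.compare_digest(expected, request["signature"]):
        return None, "reject: bad signature"
    if request["role"] not in AUTHORIZED_ROLES:
        return None, f'reject: role {request["role"]} not authorized'
    record = CUSTOMERS.get(request["query"])
    client = request.get("x_forwarded_for", "-")   # set by the LB, not the client
    log_line = (f'{request["peer_ip"]} xff={client} user={request["employee"]} '
                f'GET /customer?email={request["query"]}')
    return record, log_line


def origin_addresses(log_lines):
    """What an incident responder can recover about request origins: the
    forwarded client address when the log has one, otherwise only the peer."""
    origins = set()
    for line in log_lines:
        m = re.search(r"xff=(\S+)", line)
        origins.add(m.group(1) if m else line.split()[0])
    return origins


if __name__ == "__main__":
    now = 1_600_000_000
    # An attacker on the Internet who found the LB and guessed one email.
    attacker = {"peer_ip": LOAD_BALANCER_IP, "query": "alice@example.com"}
    # A legitimate request the Tool would build after an employee logs in.
    ts = now - 10
    legit = {"peer_ip": LOAD_BALANCER_IP, "x_forwarded_for": "203.0.113.7",
             "employee": "jdoe", "role": "customer-assist",
             "query": "alice@example.com", "timestamp": ts,
             "signature": sign_request("jdoe", "customer-assist",
                                       "alice@example.com", ts)}
    print(vulnerable_lookup(attacker))      # the record leaks
    print(hardened_lookup(attacker, now))   # rejected
    print(hardened_lookup(legit, now))      # served, with a usable log line
```

Two caveats a practitioner would add. The forwarded client address is only trustworthy if the load balancer replaces any `X-Forwarded-For` the client sent rather than appending to it; otherwise the attacker writes the log entry. And the signature is a service-to-service credential, so a compromise of the Tool is a compromise of the database; the better fix, which the IRs in the story also hint at, is for the Database Servers not to be reachable through the Internet-facing load balancer at all.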

Now to tie this to current events. Our recent election.

Several courts reviewing the lawsuits claiming foul play have concluded the election was fair and honest, or, at least, that there was insufficient evidence of widespread fraud to change the results.

As seen in the story above there are failure modes which not only allow unauthorized access/fraud but make it impossible to determine if such access/fraud occurred. Furthermore, unless someone is experienced in thinking like a bad guy they can honestly believe everything is “fair and honest” and be completely, totally, catastrophically, wrong.

I trust the courts to know their profession. I don’t trust them with security issues. I trust them to accurately assess the integrity of our election far less than the SDs could accurately assess the security of their system. The system they designed and built.

The legal professionals of the court did not design or build the election system. They did not evaluate the security after the (supposedly) COVID inspired changes were made from the viewpoint of a security professional. The original election security features had evolved over hundreds of years and thousands of people poking at it, finding faults, and attempting to prevent future fraud and errors. In the span of a few months a few people made changes which did not go through nearly as rigorous review as the pre COVID system.

I don’t know with a 100% guarantee that sufficient fraud occurred to change the election results. I do know, with 100% certainty, that many people were highly motivated to commit fraud. I do know, with 100% certainty, that some fraud occurred. I’m nearly certain the system in use has issues which make it impossible to detect fraud after the fact.

The bottom line to this is that anyone who says the election was fair and honest because the courts say it was is either lying or placing their trust in a body of people that don’t know anywhere near enough about security to make that call.

Truth

I was nearly finished with a 20 page paper (of sorts) on searching for bots in computer networks when I took a break and scanned the contents of my RSS feeds. This struck me as particularly timely and funny:

[cartoon: “Garbage Math”]

As I told my boss last week I was disappointed in the algorithms used in what is considered “state of the art” tools. I actually found a strong inverse correlation in the “scoring” of network traffic of highly suspicious traffic compared to clearly normal traffic. The higher scoring traffic should indicate high probability of the traffic being communication with a Command and Control Server (C2 Server) and lower scores with normal traffic. I easily found instances where just the opposite was true.

When I used synthesized data I could get the expected scoring results but real world data demands new detection algorithms. It looks to me like bot builders also do research. Existing algorithms appear to be essentially garbage.

Quote of the day—RyanSepe

All this awareness would make us liable. Without them its ignorance, if we hire them it becomes negligence and I prefer ignorance.

RyanSepe
February 28, 2020
Suggested caption to this cartoon:


[There is way too much truth in this.

Companies have finite resources. They have to prioritize their cyber security efforts. If something is documented as an active issue, or even a potential weakness, and they don’t address it in a timely manner they have legal liability issues to deal with as well as fixing the problem.

In the “big picture” view of things companies have a lot of motivation to “not put it in writing” until they have the resources to deal with it. On the other hand, if managers don’t show they have a backlog and are overworked they aren’t going to get the resources to fix things in a timely manner. I have more than a little sympathy for cyber security managers caught in this dilemma.

After illegal computer access incidents have been made public Barb sometimes tells me, “I wish they would just stop doing that!” I would be out of a job, but the world would be a better place. So much money is spent on security that from a big-picture view you see it as a huge waste of human and even natural resources (millions of computers exist whose sole purpose is to monitor and guard against intrusion). Even when the criminals are caught (extremely rare) they will never have to pay for all the resources spent in finding them and bringing them to justice.

And, of course, it’s never going to happen. Some of these criminals do it for the “free” money. Others do it for the thrill. And some do it because they are spies in search of information useful to their country. There are always going to be those types of people. The best we can do is find them, stop them, and prosecute them if we can build a case against them.—Joe]

Mandatory “social distancing”?

Hmmm…

Gov. Inslee says ‘mandatory measures’ under consideration to combat coronavirus in Washington

Since the novel coronavirus emerged as a threat in Washington, officials have sought to keep people here from infecting each other by offering advice, health care and other assistance. What they haven’t yet done to slow the spread of the virus is tell residents what they can and can’t do.

That could change at some point, however.

Officials are considering mandatory measures for social distancing as part of the state’s effort to combat the outbreak, Gov. Jay Inslee said Sunday.

Barb, my oldest daughter, her spouse, and I, all in Bellevue, have been doing our part for the last week. We have been working from home and minimizing contact outside our homes. We are also prepared for several more weeks as needed.

We live in interesting times.

Pushing the limits

I like pushing the limits in certain directions.

Recently I have been spending nearly every waking hour working on my Bird Dog software for work.* I’m dealing with information on billions of network connections. I extract the stuff of interest and present it in a way which makes it easier to find the wood slivers in the haystack. After using all the algorithmic tricks available I started finding places to do more parallel processing.

It was with great satisfaction that I found that I pretty much continuously keep all eight logical processors at 100 percent when doing certain tasks:

[screenshot: all eight logical processors at 100 percent]

Each one of those processors is over 1000 times more powerful than the single processor I had on my first personal computer. And just the Bird Dog executable would take up over 75% of the hard disk space on that computer. Never mind the O/S or the database software, which wouldn’t fit on a dozen of the hard disks I was so proud of at the time I first purchased it. “I’ll never run out of room on this disk!”, I foolishly told myself.

I now routinely open up text files in Vim for review and/or editing that are 50 to 100 times larger than what that hard disk could contain.

I like living in the future.


* I received an email from the company patent team earlier this week. They told me they are pursuing a patent on Bird Dog. I think the existing invention disclosure is okay, but the next one will be AWESOME! I’m really excited about what is coming up next. It’s as if a decade or more of my life’s work is coming to a focus on this one thing. I’ll probably need a more powerful computer, or set of computers, though.

Working from home

Health officials in King County (Seattle area) are recommending, among other things:

Workplaces should enact measures that allow people who can work from home to do so.

About 5:00 PM on Wednesday a blog reader told me:

Microsoft just told all employees who can WFH to do so until March 25

My employer said something similar yesterday. My team started WFH the day before that.

I can work from home for almost everything except meetings where someone is likely to be using a real whiteboard (we have virtual whiteboards in some conference rooms).

My first thought was, “Will the VPNs fall over?” So far both my MS contact and I have not had any problems with our Internet connections to work. I suspect they have self-scaling VPNs.

Barb has been working from home exclusively for years now. It’s a little odd for both of us to be working from home every day. It’s nice but it just feels a little odd to only see each other for such extended periods. I wonder how it will feel after three weeks.

Yesterday I asked Barb if we are going to get “cabin fever” and get irritable or something. She thinks she will be okay as long as she doesn’t feel physically trapped as in being snowed in or something.

We’ll probably go for walks occasionally. That should help and it should be safe as long as we don’t have contact with other people.

Overheard at work

Chris: We thought we bought a stool. We’ve been sold one leg of a stool. Now they are trying to sell us the other two legs of a stool and I think I’ve got a stick up my ass. What do you think?

Devin: I think I would rather not sit down.