Rod Rosenstein’s responsible encryption fantasy

The politicians are at it again. This time, US Deputy Attorney General, Rod Rosenstein, wants tech companies to come up with a concept he calls, “responsible encryption.”

I wrote a blog post about government putting its fingers in encryption in early 2016, when the FBI threatened war with Apple over the San Bernardino case.  Although they eventually resolved it peacefully, the deeper issue remains. And, unfortunately, so do the conclusions. No matter what government calls it, Rosenstein’s not-so-new concept of responsible encryption is a fantasy.

Here is the transcript of Rosenstein’s speech.

Rosenstein and other officials are correct when they point out that encryption enables unsavory activity. Child molesters, robbers, murderers, terrorists, you name it, all use encryption. Encryption does have a dark side.

The policy challenge is, what can and should government do about it?

The US Government could force a central key repository, where it keeps a copy of encryption keys with a due process to use them.

Imagine a repository containing the billions, maybe trillions of encryption keys we use every day in 21st century society. Now imagine keeping all those keys safe from cyber-attack, keeping in mind the US government’s track record. Just ask any of the millions of OPM breach victims about government and cyber-security. Or read about repeated NSA breaches. Do we really want to trust the government with the encryption keys that keep modern society functioning?

But forget about criminals compromising a government key repository. Consider this – after pouring $billions into setting up a vast bureaucracy to manage all these keys, years of effort into design and implementation, and multiple acts of Congress to set up a legal framework for all this, I’ll click a few mouse buttons and spend $5 to buy end-to-end encryption software from an overseas supplier. And the US Government will have no ability to regulate me. All that money. All that time. All that effort. All wasted. Child molesters, robbers, murderers, terrorists, you name it, will still use encryption.

Politicians like Rosenstein will argue that this notion of a key bureaucracy is a strawman, and if only tech companies used all their brainpower to come up with better ideas, we could achieve responsible encryption. Rosenstein and the politicians are wrong. Encryption depends on keys and algorithms. There are two ways to grant government access to encrypted communication. Either give government access to the keys or weaken the algorithms. Both have so many opportunities for abuse, and so many easy workarounds, that the cure is worse than the disease.

The tech industry, and every cyber-security expert I know of, is not putting profit above safety here. We’re just telling the truth.

I want to thank Ryan Conley with Bigger Law Firm, a publication dedicated to legal news, for quoting me in its article.  Here is a link.


Care and Share to be Prepared – Part 1, Caring

I’ve tried and failed to convince more people than I can remember why they should care about Internet security.  Typical responses include eye rolls, yawns, looking at their watch, and taking “important” cell phone calls. Yes, I do notice.

As an IT and security professional, I’m used to being ridiculed, ignored, and marginalized.  It should have an acronym, say, RIM, because it happens all the time, and it should be a verb, as in, “I was RIMed again.”

One organization leader offered this helpful feedback: “Just tell me what I need to know in twenty-five words or less.”  A few bystanders chuckled; another tech-weenie failing in an adult conversation.

It’s frustrating when nobody listens. When people say they want everything they need to know packaged into twenty-five words or less, the real message is, they see no value in learning anything about the subject matter because it’s somebody else’s problem.

But, in fact, they’re playing Russian Roulette.

Don’t believe me? Isn’t all this just meaningless numbers and letters on a computer screen?  Isn’t cyber-security a job for big companies and the NSA? Ask former US Senator, Norm Coleman about that.  Or the former Target CEO.  Or the former US Office of Personnel Management Director.  Or several top officers at Equifax.  Or a few identity theft victims.  Or millions of people now exposed to extortion, blackmail, and identity theft because of data breaches.  I don’t know about you, but I’m tired of watching CEO after CEO parade in front of the TV cameras to claim they take security seriously.  I have a hunch many of us want to ask the obvious question — if you take security so seriously, why don’t you do anything about it?

More than a year after publishing “Bullseye Breach,” a thought came to me. What if I could give busy people everything they need to know about security in twenty-five words or less?  If we give ’em what they want, maybe we won’t be RIMed so often.  Maybe they’ll pay attention.  And then the answer came.  Everything busy people need to know about cyber-security, packed into a six-word rhyme.

Care and share to be prepared.

Nineteen words to spare.  Care enough about Internet security to take action, share what you learn liberally.  I’ll talk about sharing in part 2.  Here, in part 1, I’ll make the case for caring.

If you’re a busy CEO, stop brushing off your security specialists with stupid excuses like, “We sell hammers.”  No matter what your organization does, private sector, public sector, nonprofit, you name it, the information you keep is your most valuable asset.

Think about that.  How much cash do you have?  What’s the secret formula for your world-changing invention?  How much inventory do you have on-hand?  Think about any hard asset or attribute about your organization. What good is any of it if you don’t know about it?  Criminals see value in your information; that’s why they keep stealing it.  Hello?  That should tell you something.  Stop treating your information as an afterthought.

I remember a meeting with a CEO a while ago.  He told me he liked to download and install random software on his laptop and then hand it to his IT Department to fix when it broke. He said it made his IT staff sharp. I have a hunch his IT staff had a different opinion.

Arrogant, ignorant, and proud of it is a dangerous combination for a leader.  Learn to respect the people who stay up all night keeping your company running while you spend quality time with your family.  Unless you enjoy facing TV cameras and resigning in disgrace.

If you’re a busy tech professional, maybe a software developer or system administrator, keep security and layers of defense in mind. Always. I saw a discussion with a rookie developer who did not understand why it was important to protect a few important files from being read by anyone logged in to the system.  His argument was, only administrators should access this system, so why go to the extra trouble of denying read access to the world?  Wrong.  Should and is are seldom the same, and what happens if a non-administrator somehow gets inside that system? The community gave that developer a lesson on layered defense. I hope he took it to heart.
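The rookie’s question has a concrete answer you can run. This is an added example, not code from the post: it audits a directory for files that grant read, write or execute to “other” (every account on the box), then strips those bits from a sample credentials file. The file name and its contents are constructed for the demo; the mode bits are standard POSIX.

```python
import os
import stat
import tempfile
from typing import Dict, List


def audit_world_access(directory: str) -> Dict[str, List[str]]:
    """Walk a directory tree and report every regular file whose mode grants
    read, write or execute to 'other' (every account on the system)."""
    findings: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # symlinks, sockets and devices need their own rules
            problems = []
            if mode & stat.S_IROTH:
                problems.append("world-readable")
            if mode & stat.S_IWOTH:
                problems.append("world-writable")
            if mode & stat.S_IXOTH:
                problems.append("world-executable")
            if problems:
                findings[os.path.relpath(path, directory)] = problems
    return findings


def lock_down(path: str) -> int:
    """Strip all group and other bits so only the owner can touch the file.
    Returns the resulting permission bits (0o600 for a plain config file)."""
    owner_only = os.stat(path).st_mode & 0o700
    os.chmod(path, owner_only)
    return os.stat(path).st_mode & 0o777


def demo() -> dict:
    """Reproduce the rookie's situation: a credentials file left at the usual
    0644 default, audited, then locked down. Uses a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "db-credentials.conf")
        with open(secret, "w") as fh:
            fh.write("db_password=constructed-sample-value\n")  # constructed content
        os.chmod(secret, 0o644)  # owner rw, group r, everyone else r
        before = audit_world_access(tmp)
        final_mode = lock_down(secret)
        after = audit_world_access(tmp)
        return {
            "before": before.get("db-credentials.conf", []),
            "after": after.get("db-credentials.conf", []),
            "final_mode": final_mode,
        }


if __name__ == "__main__":
    print(demo())
```

Point the audit at a real application directory and every finding is a file that any local account, not just administrators, can read. That is the layer the rookie was about to leave out.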

If you’re a busy Internet user, educate yourself on the basics.  Just like our great-grandparents recognized basic literacy was important in the horse and buggy days, we need to recognize that basic Internet literacy is even more important today.  The Internet is here to stay.  It’s past time for the public to learn about the dark side of free cell phone ringtones and social media and search engines.

I’ve cleaned more computer viruses than I can count.  Reactions are always the same; people are mystified by how that malicious software got inside their computer, they’re usually worried about the family taxes and 20,000 pictures they never backed up, they still think lonely teenagers launch Internet attacks from their bedrooms, and they’re amazed when I tell them about botnets.

When I was an independent consultant, one end user complained they were unable to access email. I asked what email program they used.  The answer:  “I click on ‘email,’” followed by the usual eye-roll.  Another tech-weenie asking meaningless questions.

Ignorant and proud of it is dangerous for everyone, not just leaders.  It has to stop.

How you care for the confidentiality, integrity, and availability of your data, whether you’re an organization leader, a tech professional, or anyone else, speaks volumes about how much you care about overall quality.  It’s not just a tech thing – it’s how you approach life.  If caring about cyber-security is too techie for you, then care about quality.  Your identity and millions of your stakeholders’ identities could depend on it.

After the Equifax fiasco, how do we move forward?

Update Sept. 26, 2017

I put together three video presentations about what went wrong with the Equifax fiasco and what to do about it.

Here is a video presentation about what went wrong.

Here is a video presentation with a structural approach to fixing the system.

Here is a video presentation about killing passwords in favor of passphrases.

Original post from Sept. 19, 2017

Heads are starting to roll after the Equifax fiasco, while its PR agency pretends to offer timely communication and churns out CYA updates.  Follow the saga right here. In the Sept. 15 update, Equifax announced its CIO and CSO are retiring, effective immediately.  Uh-huh.

Here is one question of many I would love to ask Equifax execs – why did you wait until Sept. 15 to present a bulleted list of what happened back at the end of July?  I have a host of other non-question questions I want to ask, but let’s take a collective deep breath and learn self control.  Beyond eviscerating  the execs at Equifax, how do we move forward?

Here are some thoughts.

Should everyone freeze their credit?

A few days ago, I would have said yes.  But now, I’m not so sure.  Brian Krebs in his Krebs on Security blog popularized the idea back in 2015 – and it’s a good idea, but there are tradeoffs.  When you freeze your credit, it’s frozen until you un-freeze it. At least, that’s how it’s supposed to work, assuming the CRAs do their jobs. (CRA – Credit Reporting Agency).  If anyone tries to take out a loan in your name, presumably, the lender will check with the CRA, find out your credit is frozen, and turn down the loan.  Which is why you do it.  But if you try to take out a loan, the same thing happens. And now you might have to pay to unfreeze it, do your transaction, and then freeze it again, times four CRAs, apparently at $10 or so each.

One of many aspects about this whole breach incident is, if CRAs charge for credit freezes, incompetent behavior turns into a windfall with millions of consumers parting with hard-earned money to freeze their credit with agencies who collected data about us without our consent.  Equifax is offering free credit freezes for a limited time – I’m not sure about the others.

Besides money, the challenge to freezing credit right now is, the CRAs are swamped with freeze requests.  CNN did a video a few days ago of somebody trying to freeze her credit with Equifax.  She tried doing it from that equifaxSecurity2017.com website and it referred her to a toll free phone number. She called the phone number and heard a recorded message to call back during normal business hours – the graphic on the story said she called around 10 am on a weekday.

I wish I could offer an easy answer to all this, but I don’t see one.  Keeping a close eye on bank and credit card transactions is always good, but if somebody uses my Social Security number to borrow a $zillion in my name, I won’t find out about it until it’s already happened.  And then I’m guilty until proven innocent and, at minimum, will spend hours unraveling the mess.

Reality bites sometimes.  Thanks Equifax.

Is the EquifaxSecurity2017 website tool any good?

That tool is… well, it needs improvement.  It’s supposed to make it easy for me to find out if I’m exposed, and then help me sign up for free credit monitoring.  I fed it my SSN with a bogus name last week and it said I may be affected.  I fed it a bogus SSN and name and it said it doesn’t appear that I’m affected.  With either choice, it presented a button to sign up for a free year of credit monitoring.  Oh joy.  Now I can feel secure that the company that let all my horses out of the barn will tell me when somebody steals my horse.

Is one year of Equifax credit monitoring false security?

Yes – false security indeed.  The main problem is, by the time you find out somebody borrowed $zillions in your name, it’s too late.  They’ve already stolen the money and they’re gone, leaving you holding the bag.  Every breach victim company offers credit monitoring because there’s nothing else they can do.  The horses are already out the barn door.  Freezing credit is one way to cope with a broken system, but it’s really just a workaround.

How do we fix the system?

Today’s system is fundamentally broken and something like this was bound to happen sooner or later.  And the bad news is, it’s not over yet.  But today’s broken system, which is bigger than Equifax, does not take Equifax off the hook and the law needs to hold Equifax execs accountable for their negligence.  In fact, since Equifax helped build today’s broken system, Equifax execs are even more culpable.  Heads need to roll.

But there is a solution.  Here are some rough first draft thoughts.

First – who are the stakeholders?  Consumers need access to credit.  Creditors need a way to assess risk and authenticate consumers.  The more efficient this process, the better for society.  That’s why we need CRAs – to match consumers with creditors.  CRAs play an important role.

One problem – consumers are CRA raw material and not CRA customers.  So CRAs have no incentive to care about the confidentiality, integrity, and availability of consumer data. Which means consumers have no power and no recourse when CRAs fail in their duty.

Another problem – CRAs adopted SSNs for authentication because every American has one, and that started a ticking time-bomb because SSNs never change.  The bomb went off years ago when many SSNs became public.  The public found out about it last week when 143 million of us were exposed.  When I provide an SSN, I don’t prove I’m me, I only prove I know the SSN that belongs to Daniel Gregory Scott.  Same for my driver’s license number, date of birth, mother’s maiden name, and anything else I might know that’s public knowledge.  The shorthand way to say this is, my SSN identifies me, but does not authenticate me.

A private passphrase could authenticate me.  Not a password, but a passphrase.  Passphrases are more secure than passwords because they have more characters and they’re easier to remember than passwords filled with random characters.  The passphrase, “Your mom wears army boots” is more secure and easier to remember than a password, say, “@rMyb00ts!”

A passphrase also has an advantage that I control it and I can change it any time I want.

So, for starters, let’s encrypt all that data CRAs hold about me with a passphrase I control.  Anyone who wants to look at my data goes through me first.  Which gives me all the advantages of a credit freeze with fewer hassles. Nobody can borrow money in my name, because nobody can check up on me with a CRA unless they know my passphrase.  CRAs don’t know the plaintext contents of my data – they only know the encrypted contents.  I control the key, which means I control the access.
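Here is what “encrypt my data with a passphrase I control” looks like in working code. This is an added example, not code from the post or from any CRA: the consumer’s passphrase is stretched with scrypt into keys, the record is sealed so the CRA holds only an opaque blob, a wrong passphrase fails before any plaintext appears, and the consumer can rotate the passphrase at will. Because Python’s standard library has no AES, the cipher here is counter mode driven by HMAC-SHA256 with an encrypt-then-MAC tag; a real deployment would use an AEAD such as AES-GCM. The passphrases are the post’s own; the record contents are a constructed placeholder.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# scrypt work factor (memory = 128 * r * n bytes, 16 MiB here; raise n in production)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the consumer's passphrase with scrypt into an encryption key and a MAC key."""
    material = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                              maxmem=64 * 1024 * 1024, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode with HMAC-SHA256 as the PRF (stand-in for AES-CTR/GCM)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_record(passphrase: str, plaintext: bytes) -> bytes:
    """What the CRA stores: salt || nonce || ciphertext || tag. No key, no plaintext."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + nonce + ct + tag


def decrypt_record(passphrase: str, blob: bytes) -> bytes:
    """Only the passphrase holder can open the record; a wrong passphrase or a
    modified blob fails the tag check before any plaintext is produced."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("wrong passphrase or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def rotate_passphrase(old: str, new: str, blob: bytes) -> bytes:
    """The consumer changes the passphrase whenever they like: open with the old
    one, seal again with the new one. The CRA just swaps one opaque blob for another."""
    return encrypt_record(new, decrypt_record(old, blob))


if __name__ == "__main__":
    record = b"name=Sample Consumer;ssn=000-00-0000;score=700"  # constructed placeholder data
    sealed = encrypt_record("Your mom wears army boots", record)
    print("CRA holds", len(sealed), "opaque bytes")
    print(decrypt_record("Your mom wears army boots", sealed))
```

The design point is in `rotate_passphrase`: the CRA never participates in the re-keying, which is exactly the control the post is asking for. The forgotten-passphrase problem is not solved here; whoever offers the “passphrase storage service” the post mentions becomes the new high-value target and needs the same care.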

That’s radical surgery.  CRAs will scream about how much work it will require to educate consumers and set all this up.  They’ll also scream because this idea takes away much of their power.

Many consumers will also scream about taking on the responsibility to remember a passphrase. And what happens if a consumer forgets their passphrase?  The easy answer – Banks or other institutions can offer a passphrase storage service.

And creditors will scream about how it complicates the system and makes offering credit more difficult than before.

I plead guilty on all charges.   But we have 143 million reasons to change the system, and either we do it in the private sector or the government will force something down everyone’s throat.  And, as a consumer, I should have control over data about me.  Millions of us should have demanded it 30 years ago.

Longer term, let’s task an industry group with all stakeholders represented to come up with standards for how all this stuff should work, and put it through the gauntlet of peer scrutiny, similarly to how other open standards are designed.  This group doesn’t need legal power, just credibility.  Enough credibility that everyone will listen and follow the standards it sets.

The system today is opaque and broken.  Let’s use this fiasco as an opportunity to open it up and redesign it for everyone’s benefit, including CRAs.

I want to thank Kim Insley with KARE-11 TV in Minneapolis for providing the questions to organize all these thoughts.

What do we know about the Equifax data breach?

I shared my initial thoughts about the Equifax data breach in this post from Sept. 8, 2017.  And here is the recording from my WCCO Radio interview with Jordana Green and Paul Douglas.  What follows is an update as of Sept. 11, 2017.

(As of Sept. 14, 2017, this original post is now obsolete, but I’m leaving it intact to preserve the sequence of when we learned key facts. See the bottom for updates from Sept. 13 and Sept. 14, 2017.)

The Equifax data breach announcement came on Sept. 7, 2017.  As of Sept. 11, we still have few facts.  But we do have a tantalizing blog post from a news outlet named Quartz.  Check out this article.

The Quartz article references a Baird Equity Research report about how the breach will affect Equifax stock.  Here is the report.  This key sentence in the report is at the heart of lots of speculation:

Our understanding is data retained by EFX primarily generated through consumer interactions was breached via the Apache Struts flaw…

Apache Struts is a software framework for building Java applications. Struts has had two vulnerabilities recently. One was reported and patched in March, the other on Sept. 4.

Here is another article about Apache Struts from ZDnet.

And now speculation. The Equifax data breach announcement said the attack exploited a website flaw, but I can find no other details beyond that.  The Baird Equity Research report above is not clear about which Struts vulnerability, and doesn’t cite a source.

A few possible scenarios play out here. In the first scenario, Equifax never applied the patch for the March vulnerability and bad guys romped through its systems for two months undetected. This scenario is Equifax’s fault.

In the second scenario, bad guys discovered the new vulnerability before good guys found it. The patch didn’t come until Sept. 4. Smart bad guys could have easily covered their tracks while romping across the Equifax network, such that no automation looking for suspicious patterns would have uncovered it. Somehow, Equifax found the invasion on July 29. Under this scenario, the long wait for disclosure might make sense because there was no fix available until Sept. 4, and Equifax disclosed the breach Sept. 7.

I find this scenario hard to believe because five weeks – from July 29 until Sept. 4 – is a long time for anyone to fix a reported software vulnerability, especially one already in the wild.  The best open source developers pride themselves on great workmanship, and taking five weeks to patch a security flaw is inconceivable. Here is what the Apache Software Foundation had to say about Apache Struts and Equifax.

And the third scenario puts it right back on Equifax – maybe Apache Struts isn’t relevant, since we don’t know where the Baird Equity Research report got its information.

Let’s not rush to judgement yet because there is one credible scenario where Equifax disclosed this thing properly and is not culpable for the breach. I wrote a blog post about how proper disclosure should work right here.

But if Equifax wants to salvage its credibility, then the people with first-hand knowledge need to share what they know about what happened.

Update Wednesday, Sept. 13, 2017

USA Today reported yesterday that Equifax itself said an Apache Struts vulnerability was the attack vector.  But the article does not tell who from Equifax said it, which is frustrating. Here is the relevant paragraph.

On Tuesday, credit reporting company Equifax told USA TODAY the breach was due to an Apache Struts vulnerability. Apache Struts is free, open-source software used to create Java web applications. Several vulnerabilities have been reported, all since patched, but Equifax has not said which one was involved in this breach.

Update Thursday, Sept. 14, 2017

Equifax blew it.  Heads need to roll.  Scenario one above is what happened.  Equifax failed to patch the March Apache Struts vulnerability and allowed attackers to rampage through its network for two months.

The articles quoting the Equifax update are everywhere.  See this ZDnet article and this Ars Technica article.  Their source is the infamous EquifaxSecurity2017.com site. Click on the Sept. 13, 2017 progress update for consumers.

“The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

Let’s summarize.  The people in charge at Equifax learned about the problem on July 29, but didn’t report it until September 7.  A week later, on September 14, after bungling the response they spent five weeks preparing, and only in the face of an uproar, they finally told us which vulnerability the attackers exploited. But they knew all along which vulnerability it was.  Why not report it in the first disclosure?

It gets worse. Three senior executives sold Equifax stock after discovering the breach and before the public announcement. Here’s an extract from this MarketWatch story:

As first reported by Bloomberg News, Chief Financial Officer John Gamble banked $946,374 on the sale, U.S. Information Solutions President Joseph Loughran made $584,099 and Consumer Information Solutions President Rodolfo Ploder earned $250,458. In the same filing, Loughran exercised an option to buy 3,000 shares at a price of $33.60.

Look closely at those titles.  Chief Financial Officer, US Information Solutions President, and Consumer Information Solutions President.  Equifax claims these senior executives had no idea somebody stole the data they were in charge of protecting when they sold their stock.  If true, these folks are incompetent.  If false, they’re crooks.

But wait. There’s more.

Take a look at this Krebs on Security post from Sept. 12.  It’s a story about Equifax operations in Argentina. I’ll quote one key paragraph.

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

I’m still shaking my head.

Equifax CEO Richard Smith is expected to testify in front of Congress on Oct. 3.  I would love to be in the room and ask a few questions.

Somebody stole your personal information in the Equifax data breach. Now what?

(I originally posted this on Sept. 8, 2017. Here is an update from a week later.)

Here are a few articles about the Equifax data breach, first reported Sept. 7, 2017.

  • A New York Times article, here.
  • A nice Krebs on Security writeup, here.
  • SC Magazine posted a piece, here.
  • And a ZDnet article, here.

It’s all over the news.  Lots of noise so far, little information.  Here is a bulleted summary of what we know to date.

  • Attackers penetrated Equifax in May, 2017 and gained access to data about 143 million people.
  • Somebody discovered it on July 29, 2017.  Apparently, the attackers took advantage of a web site flaw.  As of Sept. 8, 2017, that’s all the tech details we know.
  • A few Equifax execs sold a bunch of stock around Aug. 1, 2017. Equifax PR people say the execs had no knowledge of the data breach.  Uh-huh.
  • Equifax hired Mandiant, a respected IT forensics firm, to investigate.
  • Equifax set up a website, https://www.equifaxsecurity2017.com, for anyone to look up whether they might be affected.  Feed it a last name and the last six social security number digits.  Note the irony of feeding a social security number to a website for a company that just reported somebody exploited a web site flaw to steal 143 million social security numbers from another company website.
  • Equifax told the world about the intrusion on Sept. 7, 2017.

This latest Equifax breach is a big deal, but the ugly truth is, after years of data breaches, our personal information is already up for sale. And it’s not the first Equifax breach.  Quoting the Krebs on Security article I linked above:

This is hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans. In May, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

And Equifax is not the first credit reporting agency to lose our personal information. Take a look at a tangled story about how Equifax competitor Experian became an unwitting partner in an identity theft ring in the Krebs on Security post right here.  Here’s another article.

You read that word correctly.  I really did say, partner.  Experian unwittingly partnered with an identity theft ring from Vietnam a few years ago after buying a company named Court Ventures back in 2012.

Wonderful – we can’t trust the credit reporting agencies everyone uses to assess our trustworthiness. Now what?  The most workable solution I’ve found is setting up a credit freeze.  Which means paying money to these same credit reporting agencies to set it up and trusting they’ll do their jobs.

Here is a link to another Krebs on Security post with details. Here is a link to the US Federal Trade Commission page about credit freezes. And one more link to a Consumer Reports page about credit freezes, here.

The idea is, pay a fee to each credit reporting agency to flag your record with a freeze notification.  Anyone who wants to open an account in your name will theoretically check with one of these agencies and deny it, since it’s flagged as frozen.  But this is a hassle because if you want to borrow money for, say, a mortgage or a car, you have to spend money to unfreeze your credit with the relevant agency, and then spend more money to freeze it again. Not a bad gig if you’re a credit reporting agency.  A hassle if you’re a consumer, but it might save you from an identity thief.

Also, be on the lookout for emails claiming to come from Equifax with “click here” links claiming to set you up for free credit monitoring for a year.  As of this writing, I know of no such emails, but it’s inevitable some senior manager at Equifax who doesn’t know better will want to send one. It’s part of the typical pattern. Check your email header to make sure any email claiming to come from Equifax really does come from Equifax, and make sure the “click here” link really does point where it claims to point.  See my post about How to Spot a Phishy email for more.
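The two checks in that paragraph, does the header agree with the claimed sender and does the link go where it says, can be automated. This is an added example, not code from the post: it parses a raw message with Python’s standard `email` module, compares the From domain against the Return-Path and the first relay in the Received chain, and flags any link whose visible text names one site while its href points at another. Both sample messages are constructed; the claimed sender is the real Equifax site named above, and every other host is a placeholder in the reserved `.invalid` TLD.

```python
import email
import email.policy
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Visible link text that makes a claim about its destination (a bare domain or URL)
URLISH = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]\S*)?$")


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' approximation (a real tool uses the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value: Optional[str]) -> Optional[str]:
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return registrable_domain(m.group(1)) if m else None


class _Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw: str) -> List[str]:
    """Return a list of red flags: sender domain vs. envelope/relay domain, and
    link text that names one site while the href points at another."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    flags: List[str] = []
    from_dom = address_domain(msg["From"])
    rp_dom = address_domain(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        flags.append(f"From claims {from_dom} but Return-Path is {rp_dom}")
    received = msg.get_all("Received") or []
    if received and from_dom:
        m = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", str(received[-1]))  # last = first hop
        if m and registrable_domain(m.group(1)) != from_dom:
            flags.append(f"first relay {m.group(1)} is not in {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _Links()
        parser.feed(body.get_content())
        for href, text in parser.links:
            if not URLISH.match(text):
                continue  # "click here" text makes no claim about where it goes
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            target = urlparse(href).hostname or ""
            if registrable_domain(shown) != registrable_domain(target):
                flags.append(f"link text shows {shown} but points to {target}")
    return flags


# Constructed samples: the claimed sender is the real site named in the post; all
# other hosts are placeholders in the reserved .invalid TLD.
PHISHY = """\
Return-Path: <bounce@mailer-placeholder.invalid>
Received: from mailer-placeholder.invalid (mailer-placeholder.invalid [192.0.2.10])
  by mx.example.net with ESMTP; Fri, 8 Sep 2017 10:00:00 -0500
From: Equifax Security <alerts@equifaxsecurity2017.com>
To: consumer@example.net
Subject: Enroll in your free year of credit monitoring
Content-Type: text/html; charset="utf-8"

<html><body><p>Enroll at
<a href="http://enroll.phish-placeholder.invalid/equifax">https://www.equifaxsecurity2017.com/enroll</a>
or <a href="http://enroll.phish-placeholder.invalid/equifax">click here</a>.</p></body></html>
"""

CLEAN = """\
Return-Path: <bounce@equifaxsecurity2017.com>
Received: from mail.equifaxsecurity2017.com (mail.equifaxsecurity2017.com [192.0.2.20])
  by mx.example.net with ESMTP; Fri, 8 Sep 2017 10:00:00 -0500
From: Equifax Security <alerts@equifaxsecurity2017.com>
To: consumer@example.net
Subject: Enroll in your free year of credit monitoring
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.equifaxsecurity2017.com/enroll">www.equifaxsecurity2017.com/enroll</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phishy", PHISHY), ("clean", CLEAN)):
        print(name, check_message(sample))
```

A “click here” link is not flagged on its own because the text makes no claim; the habit the post recommends, hovering to see where it really points, is still the check for those. Legitimate bulk mailers do sometimes send from a different envelope domain, so the Return-Path flag is a reason to look closer, not proof by itself.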

I’ll update this post as new information becomes available.

Finally, keep an eye on my dgregscott.com website for resources.  I have a bunch of mini-seminars and blog posts with how-to information, and you’re welcome to all of it, no strings attached.  And if you like what I put together, I’d appreciate it if you would consider buying a copy of one of my books.  Here is a link for more book information.


What to do when your Internet doesn’t work

Internet trouble can make you crazy. You’re posting away on Facebook and suddenly your posts don’t post anymore.  Or maybe you’re emailing your sister and your email program complains it can’t connect to the server. Or maybe your fancy smartTV won’t connect to Netflix.

Now what?

Of course, you call for help.  But whom do you call?  And what do you tell the tech support specialist when they answer after you’ve waited on hold for who-knows-how-long?

Here is a quick diagnostic for anyone who suspects overall Internet trouble. Do this first, before you call, and you might save yourself and your telephone support technician hours of frustration.

But a caution – this means getting your hands dirty with technology.  If that scares you, get over it, for your own good. None of this is rocket science.

One more caution. None of this works with a smartphone or TV. Some smartphones and TVs have primitive diagnostic tools, but as of late summer, 2017, doing this right still requires a real computer.  Or, at minimum, a download into your phone.

This first test takes about 10 seconds. Launch a command line window (how-to details below). Don’t be freaked out that it looks like a 30-year-old step back in time. Inside that window, type this command:

ping www.google.com

and check the results. Here is how it looks from a Windows system when everything works. Macintoshes will behave similarly.

C:\Users\gregs>ping www.google.com

Pinging www.google.com [216.58.216.228] with 32 bytes of data:
Reply from 216.58.216.228: bytes=32 time=20ms TTL=56
Reply from 216.58.216.228: bytes=32 time=20ms TTL=56
Reply from 216.58.216.228: bytes=32 time=20ms TTL=56
Reply from 216.58.216.228: bytes=32 time=20ms TTL=56

Ping statistics for 216.58.216.228:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 20ms, Maximum = 20ms, Average = 20ms

C:\Users\gregs>

Ping sends a data packet to the destination you specify and waits for an echo reply. Just like the old submarine movies, only this is across the Internet. And it’s software, not real sounds. The idea is, ping a popular destination and watch for the reply to come back. Not everyone answers pings, but Google is kind enough to do so. If Google doesn’t reply reliably, then you probably have an overall Internet problem.

Also, watch the milliseconds – in my case above, it’s consistent at 20ms. That’s the round-trip time for the echo request to go out and the echo reply to come back. If your milliseconds bounce around all over the place, you may have a problem – or your Internet connection might just be busy from other family members streaming who-knows-what.

Here’s how to launch a command line window:

In Windows XP, click Start…Run.  In Windows 7 and 10, just click the Start button. In the box right next to the Start button, type CMD and press the Enter key. There are other ways to do it, but this is the easiest and it’s universal.

In Windows 8 and 8.1, press the Windows and R keys on your keyboard. The Windows key is on the bottom row of your keyboard, right next to the Alt key, on either side of the space bar. In the box, type “CMD” and press Enter.

If you have a Mac, launch the Terminal, found in /Applications/Utilities/

Next Step

Here is your troubleshooting decision tree.

If your pings show something like this:

C:\Users\gregs>ping www.google.com
Ping request could not find host www.google.com. Please check the name and try again.

C:\Users\gregs>

then you may have an overall connectivity issue, or maybe just a name translation problem. You need another test to be sure. Since we know one IP Address for Google from above, just try to ping that raw IP Address:

ping 216.58.216.228

and see what it reports. If you see 4 replies and the milliseconds look reasonable, raw connectivity is good and you have a name translation problem. If you see errors, you probably have a raw connectivity problem. Do one more command. My example below is from Windows.  For Macintosh, the command will be “traceroute,” spelled out.

tracert 216.58.216.228

The tracert command traces the route from you to your destination. It’s kind of like looking at a map to find all the stops on a road trip between Minneapolis and Dallas. Or pick your favorite cities. Here is what it looks like when everything is normal – your hops will be different.

C:\Users\gregs>tracert 216.58.216.228

Tracing route to ord31s22-in-f4.1e100.net [216.58.216.228]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  fw.infrasupport.local [10.10.10.1]
  2    <1 ms    <1 ms    <1 ms  216.160.2.158
  3    12 ms    10 ms    11 ms  stpl-dsl-gw14.stpl.qwest.net [207.109.2.14]
  4    10 ms    11 ms    10 ms  stpl-agw1.inet.qwest.net [207.109.3.105]
  5    20 ms    19 ms    20 ms  cer-edge-17.inet.qwest.net [67.14.8.90]
  6    21 ms    20 ms    20 ms  216.111.90.126
  7     *        *        *     Request timed out.
  8    20 ms    21 ms    20 ms  209.85.249.73
  9    20 ms    22 ms    21 ms  ord31s22-in-f4.1e100.net [216.58.216.228]

Trace complete.

C:\Users\gregs>

Notice one of the intermediate hops in-between Google and me did not respond. That’s normal. Sometimes routers on the Internet don’t answer echo requests. You don’t care about that – you care about whether and where the tracert dies, which means where all the rest of the hops report “Request timed out.”

The tracert will max out at 30 hops, but if you’re in a hurry, press the Ctrl and C keys on your keyboard to abort it.
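The decision tree above (ping by name, then by raw IP, then tracert) and the "where does the trace die" rule are easy to get wrong by eye when the output is 30 hops long. Here is an added example, not code from the original post, that parses the Windows-style ping and tracert output shown above and applies the same rules. The healthy trace is the one from the post; the failing trace and the ping outputs are constructed samples for illustration, and the function names are my own.

```python
import re

# Constructed sample outputs in the Windows format shown in the post; not real captures.
PING_NAME_FAIL = (
    "Ping request could not find host www.google.com. "
    "Please check the name and try again.\n"
)
PING_IP_OK = """Pinging 216.58.216.228 with 32 bytes of data:
Reply from 216.58.216.228: bytes=32 time=20ms TTL=54
Reply from 216.58.216.228: bytes=32 time=21ms TTL=54
Reply from 216.58.216.228: bytes=32 time=19ms TTL=54
Reply from 216.58.216.228: bytes=32 time=20ms TTL=54
"""
# The healthy trace from the post: one silent router in the middle, destination reached.
TRACERT_OK = """Tracing route to ord31s22-in-f4.1e100.net [216.58.216.228]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  fw.infrasupport.local [10.10.10.1]
  2    <1 ms    <1 ms    <1 ms  216.160.2.158
  3    12 ms    10 ms    11 ms  stpl-dsl-gw14.stpl.qwest.net [207.109.2.14]
  4    10 ms    11 ms    10 ms  stpl-agw1.inet.qwest.net [207.109.3.105]
  5    20 ms    19 ms    20 ms  cer-edge-17.inet.qwest.net [67.14.8.90]
  6    21 ms    20 ms    20 ms  216.111.90.126
  7     *        *        *     Request timed out.
  8    20 ms    21 ms    20 ms  209.85.249.73
  9    20 ms    22 ms    21 ms  ord31s22-in-f4.1e100.net [216.58.216.228]

Trace complete.
"""
# Constructed failing trace: nothing answers after hop 3, aborted with Ctrl-C at hop 8.
TRACERT_DEAD = """Tracing route to 216.58.216.228 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  fw.infrasupport.local [10.10.10.1]
  2    <1 ms    <1 ms    <1 ms  216.160.2.158
  3    12 ms    10 ms    11 ms  stpl-dsl-gw14.stpl.qwest.net [207.109.2.14]
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
"""

RTT_RE = re.compile(r"time[=<](\d+)\s*ms")   # matches both "time=20ms" and "time<1ms"
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")    # a tracert hop line starts with the hop number


def ping_summary(output):
    """Return (reply_count, round_trip_ms_list); a name-lookup failure yields (0, [])."""
    replies = sum(1 for line in output.splitlines() if line.startswith("Reply from"))
    rtts = [int(x) for x in RTT_RE.findall(output)]
    return replies, rtts


def diagnose(ping_by_name, ping_by_ip):
    """The post's decision tree: name resolves and answers -> ok;
    only the raw IP answers -> name resolution problem; neither -> raw connectivity problem."""
    if ping_summary(ping_by_name)[0] > 0:
        return "ok"
    if ping_summary(ping_by_ip)[0] > 0:
        return "name resolution"
    return "connectivity"


def trace_hops(output):
    """Parse tracert output into [(hop_number, responded)], skipping header and footer lines."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), "Request timed out" not in m.group(2)))
    return hops


def trace_dies_after(hops, min_silent=3):
    """Return the last responding hop number when every later hop timed out (at least
    min_silent of them), 0 when nothing responded at all, and None for a healthy trace.
    A lone silent router in the middle, like hop 7 above, is normal and does not count."""
    responding = [n for n, ok in hops if ok]
    if not responding:
        return 0
    last = responding[-1]
    silent_tail = [n for n, ok in hops if n > last and not ok]
    return last if len(silent_tail) >= min_silent else None


if __name__ == "__main__":
    print("diagnosis:", diagnose(PING_NAME_FAIL, PING_IP_OK))
    print("healthy trace dies after:", trace_dies_after(trace_hops(TRACERT_OK)))
    print("broken trace dies after:", trace_dies_after(trace_hops(TRACERT_DEAD)))
```

The useful number to hand to tech support is the hop returned by trace_dies_after: in the constructed failure it is hop 3, the last router that answered, which tells the support person the problem sits just beyond your ISP's first gateway rather than on your own network. The min_silent threshold exists so that a single unresponsive router is not mistaken for a dead path, which is exactly the distinction the paragraph above draws.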

Total time for all this – maybe 60 seconds.

And now you have something to give your tech support specialist when you call for help. If you talk to anyone beyond a brand-new rookie, they’ll appreciate you for taking these basic troubleshooting steps first and may take your problem reports more seriously than otherwise.

Time to man up and swallow my pride

Well, this is embarrassing. I left a gaping security hole right here in my own author website. I buried my head in the sand and planted a “kick me” sign on my butt. I dodged a bullet because, as you’ll see below, nobody visits my website yet. But, since I tell people to adopt the motto, care and share to be prepared, I need to swallow my pride and share how I messed up and what I did to fix it. Learn from my mistake. And it’s okay to call me a dork on this one. I deserve it.

A few days ago, my buddy from Ukraine, Ihor (pronounced Ee-gore) messaged me.  Ihor is a web developer and he taught me how to use Javascript to make a selection list many years ago. We hadn’t talked in a while and I was eager to show him my new author website.

He asked if he could try to hack it.  I laughed and told him to go right ahead, just tell me what he uncovered so I can fix it. I was confident he wouldn’t find anything. I am a security professional, after all. Too cocky for my own good sometimes.

Take a look at the page views for August 2, 2017.  That was all Ihor. He was thorough. And it didn’t take him long to find problems.

First, he tried to login and change my admin password. I saw the audit trail, and WordPress even emailed me a notice that somebody was trying to mess with my password.

I look forward to the day when thousands of people visit this site every day and I need commercial hosting. But for now, it lives inside a virtual machine in my basement, and since I’m the only one who edits it, I was thinking about restricting access to my local network anyway.  But even with access to the login screen granted to the entire Internet – as are most WordPress websites – Ihor was unable to get in. I was feeling smug.

And then he nailed me.  Take a look at the screenshots of shame Ihor sent me:


He was able to look at directory listings of my website, which is about as bad as it gets. And he let me have it. Here are a few of his comments:

Greg )
Man
Why? )))
come on ))))))))))
I think that’s only the beginning )))))))))
no no ))))))))))))))))
Greg ))

Ihor’s native language is Ukrainian, not English. This was his way to tell me I was sloppy and should have known better. He was right. I hung my head in shame and wallowed in self-pity for a few minutes.  I’m a busy guy. I don’t have time for this. Why is the world picking on me?

And then I forced myself to swallow my pride and find and fix the problem.  This gets technical.

First, I compared this website with other WordPress websites I’ve built.  None of them allowed directory listings.  What was different about this one?  With this one, I put the website underneath the standard httpd directory tree, at /var/www/html.  I might build a network of future websites, and it’s convenient to put them all in this directory tree. I never considered a network of websites with my earlier ones. I put them all into the WordPress standard location, /usr/share/wordpress. That was the only difference I could find.

How did putting this website into a different directory tree enable directory searches?  It was this section in the standard configuration file, /etc/httpd/conf/httpd.conf:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
.
.
.
</Directory>

“Options Indexes” above means allow directory searches in the directory tree, /var/www/html.  It was an ugly default setting from the Linux distribution I’m using. But it’s my fault for trusting factory default settings and not testing. The cure was to insert this into the configuration file specific to this website, which overrides the default setting:

<Directory /var/www/html/wordpress>
    Options FollowSymLinks
.
.
.
</Directory>
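The reason the narrower Directory block fixes the problem is Apache's merge order: sections are applied from the shortest path to the longest, and an Options line written without + or - replaces whatever was inherited, while one written entirely with + or - adjusts it. Here is an added example, not part of the original post or of Apache itself, that models that rule for plain <Directory> blocks so you can check the effective Options for a given path before trusting a factory default. The config excerpts are constructed to mirror the two snippets above; the function names are my own.

```python
import re

# Constructed excerpt mirroring the distribution default quoted in the post (not the real file).
HTTPD_CONF = """
<Directory />
    AllowOverride none
    Require all denied
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# The site-specific override from the post.
SITE_FIX = """
<Directory /var/www/html/wordpress>
    Options FollowSymLinks
</Directory>
"""

# The same fix in Apache's relative form: keep inherited options, drop Indexes only.
SITE_FIX_RELATIVE = """
<Directory /var/www/html/wordpress>
    Options -Indexes
</Directory>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.M | re.I)


def directory_sections(conf):
    """Yield (path, options_tokens) for each literal <Directory> block; tokens is None when
    the block has no Options line. Regex and wildcard sections are deliberately not modelled."""
    for m in DIRECTORY_RE.finditer(conf):
        path = m.group(1).rstrip("/") or "/"
        tokens = None
        for om in OPTIONS_RE.finditer(m.group(2)):
            tokens = om.group(1).split()  # the last Options line inside one block wins
        yield path, tokens


def _covers(section_path, target):
    """A <Directory> section applies to its own path and everything beneath it."""
    return target == section_path or target.startswith(section_path.rstrip("/") + "/")


def effective_options(conf, target):
    """Compute the Options in force for target: matching sections are applied shortest path
    first, absolute Options lines replace the inherited set, all-relative lines merge into it."""
    current = set()
    for path, tokens in sorted(directory_sections(conf), key=lambda s: len(s[0])):
        if tokens is None or not _covers(path, target):
            continue
        if all(t[0] in "+-" for t in tokens):
            for t in tokens:
                (current.add if t[0] == "+" else current.discard)(t[1:].lower())
        else:
            current = {t.lower() for t in tokens if t.lower() != "none"}
    return current


def directory_listing_enabled(conf, target):
    """True when Indexes (or the catch-all 'All') is in force for target."""
    opts = effective_options(conf, target)
    return "indexes" in opts or "all" in opts


if __name__ == "__main__":
    site = "/var/www/html/wordpress"
    print("default config:", directory_listing_enabled(HTTPD_CONF, site))
    print("with site fix: ", directory_listing_enabled(HTTPD_CONF + SITE_FIX, site))
    print("other dir:     ", directory_listing_enabled(HTTPD_CONF + SITE_FIX, "/var/www/html/other"))
```

Two things the example makes visible that the snippets alone do not: the override only protects the wordpress subtree, so any other directory you later drop under /var/www/html still inherits Indexes from the default, and the relative form Options -Indexes removes listings without having to restate the rest of the inherited list. The model covers literal Directory blocks only; real Apache also merges .htaccess files where AllowOverride permits Options, plus DirectoryMatch and regex sections, so after editing the config the authoritative check is still to request a directory URL that has no index file and confirm the server answers 403 instead of an "Index of" page.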

I want to thank my friend, Ihor for doing a great penetration test for me. Care and share to be prepared. I would rather be embarrassed than penetrated. I hope my mistake helps others.

Your own worst enemy

When you wanna cry to your worst cyber-security enemy, hold up a mirror

In a July 20, 2017  interview with New York Times columnist Bret Stephens in a room full of very important people at the Aspen Institute, new CIA Director, Mike Pompeo, said, “WikiLeaks will take down America any way they can, and find any partner they can to help achieve that end.”

When I saw the quote, I wanted to barbecue him. Yet another Trump appointee who doesn’t know what he’s talking about with a knee-jerk reaction to cyber-security enemies.

Well, no, not this time.

This time, I had the knee-jerk reaction.  Pompeo is wrong about Wikileaks, but he’s right about lots of other things and I’m glad I listened to the whole conversation. I need to work on my own biases before I start barbecuing other people for theirs.

It’s an hour long conversation.  Go to the 26:01 mark to hear the quote out of context.  But invest the hour and listen to the whole conversation – you’ll be glad you did.

I did more homework on Pompeo. Here is what he said about cyber-security in this article, and he’s right.

“It is the next frontier of warfare. It’s not new in the sense that threat to America’s intellectual property has been out there for quite some time,” he told the Wichita Eagle. “We now see hacking taking place by foreign governments and by private individuals all around the world. America has to invest more and be more prepared. And we all have an obligation to be more secure in the way that we handle our own private information. There is a role there for the government to play, but a lot of this is going to be done by private individuals and private entities in America taking upon themselves of keeping their information more secure.”

But he is wrong about Wikileaks. Unlike many people, I have first-hand experience with Wikileaks. It goes back to 2009 and the aftermath from the Norm Coleman for Senate campaign in Minnesota, when Coleman treated my personal information recklessly and got caught. Wikileaks emailed me with details and that was the only reason I found out about it. Although the Coleman camp didn’t like it, Wikileaks performed a service for me and the country that day. I wrote all about that episode, right here.

I will not defend what Wikileaks subsequently did with Bradley Manning (now Chelsea Manning), Edward Snowden, Reality Winner, or any of the other incidents where Wikileaks published classified information.  Those were mostly wrong.  But Wikileaks is a shade of grey, not black and white.

Wikileaks does not want to take down America.  Julian Assange might be a snake, but he’s not stupid.  If the United States falls, Julian will find himself in a world of hurt from other countries that don’t have the same view of justice as the United States.  No, Wikileaks does not want to destroy the United States, Wikileaks wants to enrich Wikileaks. Wikileaks is no friend of the United States, but it’s not a cyber-security enemy either.

Who are the United States’ real cyber-security enemies? For a hint, take a look at just a few headlines between July 19 and July 24, 2017:

5,300 University of Iowa Health Care records exposed for two years

Millions of SSN across 10 states leaked in Kansas Commerce Dept. breach

Chipotle data breach leads to illegal ATM withdrawal

Thieves find a new way to hack and steal Teslas

Inappropriate Access to Patient Records Spanned 14 Years

Sweden Grapples with Sensitive Data Leak Scandal

IoT Security Cameras Have a Major Security Flaw

Every one of these stories involves Americans exposing private information or losing it to potential attackers. Even the story from Sweden, which shows that Americans have plenty of sloppy company. I could have found many more.  And those five days are typical.

Beyond those headlines, the sorry list of recent cyber-attack victims reads like a who’s who in American industry. And, rubbing salt in the wound, too many of our leaders become unwitting partners with cyber-crooks because they’re embarrassed to be caught with their pants down.

Read about sloppy management and the sorry response at the United States Office of Personnel Management when it allowed the Chinese to steal details on everyone who applied for a security clearance, right here.   How many people died because of that fiasco? Read about hundreds of thousands of American identity theft victims because they filed their taxes electronically right here.  And here.  And here.  Read about Minnesota law enforcement officials abusing driver’s license records right here.

Closer to where Mike Pompeo works these days, how does the US Government justify at least a ten year history of questionable cyber-activity?  Read about Stuxnet, the cyber-attack against Iran to stop its nuclear program, right here, and think about what might happen when the Iranians turn that weapon against us.

To find our real cyber-threats, look in a mirror.  We are our own worst cyber-security enemies.  Not Russia. Not China. Not North Korea. Not the criminal underground. Not Wikileaks. Us. We, the people. The good guys.

But wait – maybe the examples I cited above are just sensational headlines and don’t reflect everyday reality.  Well, not so fast. Here is a taste of my everyday reality.

Consider the bank vice-president who refused to understand the difference between his bank’s website and the bank internal network. Or the dentist who told me he didn’t need computers to practice dentistry – but had no answer when I asked him what would happen when his antiquated Windows XP computer “server” finally died.  Or the business owner who didn’t want to listen to the Internet threats she was up against because the port-scan report I showed her was a bunch of numbers on a computer screen.  Or the medical clinic spewing data to who-knows-where that didn’t want to call law enforcement because the top managers didn’t want the publicity.  Or the nonprofit CFO who didn’t want to listen when I told him he needed an antivirus solution. Or the car dealer who insisted his antivirus solution was just fine, even though it crashed both computers where we tried it.

Just a few anecdotal stories I’ve been part of, first hand.

For busy people with no time to absorb details, here are six words that everyone who uses the Internet should take to heart.  This is everything you need to know about Internet security. It took me three years to come up with this. Here it is:

Care and share to be prepared.

Care enough about security to educate yourself.  Share what you learn and expect everyone to share with you.  I have plenty of mini-seminars that go deeper.  Here is one.

I wish Mike Pompeo the best in his tenure as United States CIA Director. I hope he helps all of us open our eyes.

Are you nuts? Never let anyone put an RFID tag microchip inside your body.

It’s all over the news.  Fifty employees of a company named Three Square Markets, in River Falls, Wisconsin, are lining up to have an RFID tag implanted between their thumb and forefinger.  With the company CEO and his family leading the way, employees are volunteering to have it done.  And they’re apparently excited about it.

Here is a link to one of the stories from CBS News.  Here is another one from the St. Paul Pioneer Press, which reprinted the original Washington Post story.  The Pioneer Press should be embarrassed that it had to reprint a Washington Post story about what’s going on in its own neighborhood, but that’s a different topic.

Implanting RFID tags in people is not new.  But it will always be a bad idea on many levels.  I’ll get to that in a minute.  First, how the technology works.

RFID (Radio Frequency Identification) tags are at least twenty years old.  They’re about the size of a grain of rice and they contain one piece of data: a unique ID.  Think of it as a serial number.  They’re passive, meaning they don’t need batteries, and they’re inexpensive at about fifteen cents per unit.  Pass an RFID tag near an RFID reader, and the reader triggers a tiny radio signal from the tag with that number.  The RFID reader “hears” the number and sends it to a computer. That’s it – that’s the technology.

The power is in the applications.  Retailers use RFID tags to track inventory.  Walk into a modern retailer and you’ll see RFID readers near the entrance.  We put RFID tags in dogs and cats to track our pets.  They’re in vehicles to automatically pay when passing through toll booths.  They’re in badges to enter secure doors.  Manufacturers use them to track work in progress.  Today’s world is awash in RFID tags.

What’s not to like? RFID revolutionized retailing and other industries by improving efficiency and driving down costs.

Imagine the convenience if we could uniquely identify every human being in the world by scanning a hand.  Wave a hand over a vending machine to buy a sandwich.  Walk past an RFID reader in a doctor’s office and a computer in the back room looks up all your medical records.  Keep a living will on file.  Or organ donor information, which could save lives.

The applications are limited only by our imaginations.

Which is one reason why implanting RFID tags in humans is bad.  Do I really need to spell out the dangers of databases that track everything there is to know about us?  All that convenience comes with a cost.  Do we really want to live in a world with RFID readers everywhere, in front of massive databases that track everything we do?

And it gets worse.  I’m a Christian, and I believe the Bible is the word of God, recorded by people and handed down to us over the generations. We can argue whether the authors of the Bible stories we read today told the truth, but it’s indisputable that lots of scholars have gone to lots of trouble to make sure today’s New Testament accurately reproduces what those authors said.

And in one book we’ve come to call Revelation, an Apostle named John, around 95 AD, predicted implanting today’s RFID tags into humans as a sign of really bad things in the world of his future.  Just read what he said, from Revelation, chapter 13:  I’ll quote verses 16 and 17:

16 It also forced all people, great and small, rich and poor, free and slave, to receive a mark on their right hands or on their foreheads, 17 so that they could not buy or sell unless they had the mark, which is the name of the beast or the number of its name.

There’s lots of context and discussion about these verses.  Start at http://www.biblegateway.com to see today’s translations for yourself.

I don’t mean to turn this blog post into a Bible study.  Here’s the point: with people apparently excited today about implanting these things in their bodies, it’s not much of a stretch to imagine these things becoming mainstream and a requirement soon.

Not inside my body.  I am not a serial number, I’m not a piece of inventory, I’m a flesh and blood human being. I’ll go to jail or worse before ever consenting to implanting one of those things inside me.

When your company cuts its own throat, you don’t need to cut yours

The Register recently published this article about IBM disallowing remote workers and it brought back a flood of memories.   The article should be titled, “IBM cuts its own throat.” Here’s the key paragraph:

According to well-placed sources, IBM’s Software and Systems unit began a transition similar to the marketing department’s upheaval late last year, with remote workers told they would have to move and work at one of a handful of city offices, or find a new job.

It’s a morale boosting move.  IBM’s chief marketing officer said so.

IBM has pitched all this change to employees as a way to improve the working environment and office culture. In a video message to her troops, seen by The Register, chief marketing officer Michelle Peluso said “there is something about a team being more powerful, more impactful, more creative, and frankly hopefully having more fun, when they are shoulder to shoulder.”

I thought that was satire at first.  But it’s real.  Apparently, workers have 30 days to decide; either move to the city where your team is located or you’re out.

Imagine working for a company, year after year, pouring time and emotional energy into your job, only to wake up one morning to find you have 30 days to either move across the country or quit. The beatings will continue until morale improves.

And that sums up why I have such a deep distrust of all big organizations.  It’s just plain wrong when a disconnected manager with a spreadsheet disrupts thousands of lives and hammers shareholders in the same move.

Death Spiral

Way back around 1993 or so, the company where I used to work was going through its own death spiral.  The weather was bad here one day, and traffic was backed up all over town, especially crossing the river that separates where I live from where I used to work.

I tried every river crossing between my house and the office.  They were all parking lots.  So, I turned around and drove back home.

I had a terminal. Yes, a real DEC VT220 terminal, and modem, and I dialed into work and started getting things done. There was a customer crisis and I talked to people over one phone and talked to computers over a modem on the other phone line. I kept right on working and next time I looked up, it was 5pm and time to go home. Except, I was already home, and I realized it was a productive day. I felt good.

Next day in the office, I caught an earful of grief about not showing up for work.  Nobody cared about the customer crisis. That attitude represents what killed Digital Equipment Corporation.  And it will help kill IBM.  Here is one more story.

Around 2014, when I was an IT equipment reseller, I needed a storage solution for a customer project.  A few IBMers wanted me to resell their product, and they treated me to lunch at a local diner.  As we ate lunch and talked, I could see burnout in their eyes.  Sometimes, you just recognize it.  Especially after living through it myself back in the early 90s.  But I signed up as an IBM reseller partner anyway, mostly because I’d been jerked around by the other guys and I’d heard good stories about IBM product quality.  So I overlooked the burnout and gave it a shot.

A note to non-tech readers here.  Don’t be intimidated by words like “server” and tech company names like IBM here.  This is about sales and money, not technology.  Think of an IT equipment reseller as similar to a car dealer. Except it’s computer equipment and services instead of cars.  And I went to customers, instead of customers coming to my showroom.

Just like car manufacturers offer sales incentives for dealers, IT equipment vendors offer sales incentives for reseller partners.  The most common is a process called deal registration.  When a reseller brings a vendor into a sales opportunity, the reseller registers that opportunity with the vendor and the vendor grants favorable pricing to that reseller.  It’s a reward for introducing the vendor to a new customer and it’s supposed to protect the reseller from cutthroat pricing competition.  Theoretically, nobody will be able to buy at a lower wholesale cost.

Shortly after my free lunch, and before IBM sold its Intel based server division to Lenovo, I pitched IBM servers to that customer.  It was a warm-up to the larger opportunity for storage, the real prize.  Wouldn’t you know it, Lenovo was the competition, and online store, CDW, teamed up with Lenovo to sell Lenovo servers at a retail price less than my preferred IBM wholesale cost.  I’m no economist, but I figured out a long time ago that selling for less than what you pay is a path to bankruptcy.

I lost that server deal.  But I have a hunch both CDW and Lenovo lost money to beat me.  Small comfort.

And then IBM dropped a bomb.  Because I brought IBM in and registered the opportunity and we lost, IBM punished me by prohibiting me from registering any more opportunities with this customer for 90 days.  This meant, if I wanted the privilege of selling IBM equipment to this customer during the next 90 days, not only would I make less money on any successful sale, but I would be at a pricing disadvantage to anyone else who might come along and register their own deal with IBM.  No good deed goes unpunished.

I complained all the way to the CEO’s office.  Lots of important people promised to make it better, but nobody could override an automated system apparently controlled by a group in the Philippines.  And not one IBM vice-president understood why I was upset.

I teamed up with a different storage vendor and eventually made the sale without IBM.  And that pretty much ended my short IBM partnership.

Now, it’s 2017 and IBM has gone through twenty consecutive quarters of revenue decline.  That’s five years of misery.  Combine desperation to turn around a shrinking revenue base with the bureaucracy gone nuts I tangled with, add disconnected senior managers with spreadsheets, and it’s a recipe for disaster.

And talk about irony.  The same IBM that wants to become a cloud provider decides now is the time to get rid of remote workers.  Tell me how that makes any sense.  Why would anyone  listen to IBM’s cloud message today, when IBM wants to run its own operations as if it were still 1982, when Reagan was president?

I would not want to be part of 2017 IBM.  This forced relocation will only drain talent and eventually kill the company.

Normally, this where I would end.  Yet another disconnected manager with a spreadsheet and a company in a death spiral.  End of story, right?

Creative Destruction

Not so fast.  We live in the United States, land of creativity and free enterprise.  And out of the ashes and pain from this IBM idiocy will rise a wave of creativity that will start something new and better.  Economists call it creative destruction.  Which means it must be common, since it has a name.  I might be the poster child for creative destruction on a small scale.

It doesn’t take a rocket scientist to figure out that this “offer” is really a way to get rid of people without spending money on layoffs and severance packages.  If you’re a twenty year IBM veteran, used to predictability, and with a mortgage and family to feed, you’re probably living in fear right now.  Do you uproot your family and keep working for managers who want you gone but don’t want to spend money to lay you off?  Or do you stay put and look for something else?  Whatever you choose, that perception of safety you’ve enjoyed since before your kids were born is over.  The clock is ticking.

My vote: Walk away now.  If you uproot your family and move across the country to keep your job, what happens in a few months with the next revenue crisis?   You can do better.  The world is bigger than IBM. Or any company.
