Time to man up and swallow my pride

Well, this is embarrassing. I left a gaping security hole right here in my own author website. I buried my head in the sand and planted a “kick me” sign on my butt. I dodged a bullet because, as you’ll see below, nobody visits my website yet. But, since I tell people to adopt the motto, care and share to be prepared, I need to swallow my pride and share how I messed up and what I did to fix it. Learn from my mistake. And it’s okay to call me a dork on this one. I deserve it.

A few days ago, my buddy from Ukraine, Ihor (pronounced Ee-gore) messaged me.  Ihor is a web developer and he taught me how to use JavaScript to make a selection list many years ago. We hadn’t talked in a while and I was eager to show him my new author website.

He asked if he could try to hack it.  I laughed and told him to go right ahead, just tell me what he uncovered so I can fix it. I was confident he wouldn’t find anything. I am a security professional, after all. Too cocky for my own good sometimes.

Take a look at the page views for August 2, 2017.  That was all Ihor. He was thorough. And it didn’t take him long to find problems.

First, he tried to login and change my admin password. I saw the audit trail, and WordPress even emailed me a notice that somebody was trying to mess with my password.

I look forward to the day when thousands of people visit this site every day and I need commercial hosting. But for now, it lives inside a virtual machine in my basement, and since I’m the only one who edits it, I was thinking about restricting access to my local network anyway.  But even with access to the login screen granted to the entire Internet – as are most WordPress websites – Ihor was unable to get in. I was feeling smug.

And then he nailed me.  Take a look at the screenshots of shame Ihor sent me:


He was able to look at directory listings of my website, which is about as bad as it gets. And he let me have it. Here are a few of his comments:

Greg )
Man
Why? )))
come on ))))))))))
I think that’s only the beginning )))))))))
no no ))))))))))))))))
Greg ))

Ihor’s native language is Ukrainian, not English. This was his way to tell me I was sloppy and should have known better. He was right. I hung my head in shame and wallowed in self-pity for a few minutes.  I’m a busy guy. I don’t have time for this. Why is the world picking on me?

And then I forced myself to swallow my pride and find and fix the problem.  This gets technical.

First, I compared this website with other WordPress websites I’ve built.  None of them allowed directory listings.  What was different about this one?  With this one, I put the website underneath the standard httpd directory tree, at /var/www/html.  I might build a network of future websites, and it’s convenient to put them all in this directory tree. I never considered a network of websites with my earlier ones. I put them all into the WordPress standard location, /usr/share/wordpress. That was the only difference I could find.

How did putting this website into a different directory tree enable directory listings?  It was this section in the standard configuration file, /etc/httpd/conf/httpd.conf:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
.
.
.
</Directory>

“Options Indexes” above means allow directory listings in the directory tree /var/www/html (httpd shows a listing of any directory that has no index file).  It was an ugly default setting from the Linux distribution I’m using. But it’s my fault for trusting factory default settings and not testing. The cure was to insert this into the configuration file specific to this website, which overrides the default setting:

<Directory /var/www/html/wordpress>
    Options FollowSymLinks
.
.
.
</Directory>
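The two snippets above work because of how httpd merges Options: matching <Directory> blocks are applied from shortest path to longest, and a bare Options list (no + or - prefixes) in the more specific block replaces the inherited set, so “Options FollowSymLinks” drops Indexes for the wordpress subtree. The same effect is available as “Options -Indexes”. What the override does not do is cover any other directory under /var/www/html, which still inherits the distribution default. The checker below is an added example, not code from the post; it parses a constructed httpd-style configuration modelled on the two snippets (the AllowOverride and Require lines are constructed filler), applies the merge rule, and reports which configured directories would still produce listings.

```python
import re

# Constructed configuration modelled on the page's two snippets.  The first
# block is the distribution default from httpd.conf; the second is the override
# the author added in the site-specific configuration file.  The comment and
# the extra directives are constructed filler to show the parser ignores them.
SAMPLE_CONF = '''
<Directory "/var/www/html">
    # distribution default: listings are on for the whole tree
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/html/wordpress>
    Options FollowSymLinks
</Directory>
'''

DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.I | re.S)

# httpd's "All" keyword means every option except MultiViews.
ALL_OPTIONS = {"execcgi", "followsymlinks", "includes", "indexes", "symlinksifownermatch"}


def parse_directory_options(conf_text):
    """Return [(path, [option tokens])] for every <Directory> block, in file order.
    Only the last Options line inside a block counts, as in httpd."""
    blocks = []
    for m in DIR_RE.finditer(conf_text):
        path, body = m.group(1).rstrip("/") or "/", m.group(2)
        opts = []
        for line in body.splitlines():
            tokens = line.split()
            if tokens and not tokens[0].startswith("#") and tokens[0].lower() == "options":
                opts = [t.lower() for t in tokens[1:]]
        blocks.append((path, opts))
    return blocks


def effective_options(conf_text, target):
    """Merge the blocks that cover `target` the way httpd does: shortest path
    first; a bare Options list replaces whatever was inherited, while a list of
    +opt/-opt entries adds to or removes from it."""
    target = target.rstrip("/") or "/"
    matching = [(p, o) for p, o in parse_directory_options(conf_text)
                if target == p or target.startswith(p.rstrip("/") + "/")]
    matching.sort(key=lambda po: len(po[0]))
    current = set()
    for _path, opts in matching:
        if not opts:
            continue
        if all(o[0] in "+-" for o in opts):
            for o in opts:
                names = ALL_OPTIONS if o[1:] == "all" else {o[1:]}
                if o[0] == "+":
                    current |= names
                else:
                    current -= names
        else:
            current = set()  # absolute list: inherited options are discarded
            for o in opts:
                if o == "all":
                    current |= ALL_OPTIONS
                elif o != "none":
                    current.add(o)
    return current


def listings_enabled(conf_text, target):
    """True when httpd would generate a directory listing for `target`
    (a directory with no index file) under this configuration."""
    return "indexes" in effective_options(conf_text, target)


def audit(conf_text):
    """Every configured directory whose effective options still allow listings."""
    return sorted(p for p, _ in parse_directory_options(conf_text)
                  if listings_enabled(conf_text, p))


if __name__ == "__main__":
    for path in ("/var/www/html", "/var/www/html/wordpress", "/var/www/html/othersite"):
        print(path, "listings on" if listings_enabled(SAMPLE_CONF, path) else "listings off")
    print("still listable:", audit(SAMPLE_CONF))
```

Run against the sample, the wordpress subtree comes back with listings off, while /var/www/html and any sibling site placed beside wordpress still have them on; the narrower fix is correct for this site, and the broader fix is to change the default block itself. The parser handles only <Directory> blocks and ignores .htaccess and <Location> sections, so it is a first-pass review aid, not a replacement for testing the running server.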

I want to thank my friend, Ihor, for doing a great penetration test for me. Care and share to be prepared. I would rather be embarrassed than penetrated. I hope my mistake helps others.

Your own worst enemy

When you wanna cry to your worst cyber-security enemy, hold up a mirror

In a July 20, 2017  interview with New York Times columnist Bret Stephens in a room full of very important people at the Aspen Institute, new CIA Director, Mike Pompeo, said, “WikiLeaks will take down America any way they can, and find any partner they can to help achieve that end.”

When I saw the quote, I wanted to barbecue him. Yet another Trump appointee who doesn’t know what he’s talking about with a knee-jerk reaction to cyber-security enemies.

Well, no, not this time.

This time, I had the knee-jerk reaction.  Pompeo is wrong about Wikileaks, but he’s right about lots of other things and I’m glad I listened to the whole conversation. I need to work on my own biases before I start barbecuing other people for theirs.

It’s an hour long conversation.  Go to the 26:01 mark to hear the quote out of context.  But invest the hour and listen to the whole conversation – you’ll be glad you did.

I did more homework on Pompeo. Here is what he said about cyber-security in this article, and he’s right.

“It is the next frontier of warfare. It’s not new in the sense that threat to America’s intellectual property has been out there for quite some time,” he told the Wichita Eagle. “We now see hacking taking place by foreign governments and by private individuals all around the world. America has to invest more and be more prepared. And we all have an obligation to be more secure in the way that we handle our own private information. There is a role there for the government to play, but a lot of this is going to be done by private individuals and private entities in America taking upon themselves of keeping their information more secure.”

But he is wrong about Wikileaks. Unlike many people, I have first-hand experience with Wikileaks. It goes back to 2009 and the aftermath from the Norm Coleman for Senate campaign in Minnesota, when Coleman treated my personal information recklessly and got caught. Wikileaks emailed me with details and that was the only reason I found out about it. Although the Coleman camp didn’t like it, Wikileaks performed a service for me and the country that day. I wrote all about that episode, right here.

I will not defend what Wikileaks subsequently did with Bradley Manning (now Chelsea Manning), Edward Snowden, Reality Winner, or any of the other incidents where Wikileaks published classified information.  Those were mostly wrong.  But Wikileaks is a shade of grey, not black and white.

Wikileaks does not want to take down America.  Julian Assange might be a snake, but he’s not stupid.  If the United States falls, Julian will find himself in a world of hurt from other countries that don’t have the same view of justice as the United States.  No, Wikileaks does not want to destroy the United States, Wikileaks wants to enrich Wikileaks. Wikileaks is no friend of the United States, but it’s not a cyber-security enemy either.

Who are the United States’ real cyber-security enemies? For a hint, take a look at just a few headlines between July 19 and July 24, 2017:

5,300 University of Iowa Health Care records exposed for two years

Millions of SSN across 10 states leaked in Kansas Commerce Dept. breach

Chipotle data breach leads to illegal ATM withdrawal

Thieves find a new way to hack and steal Teslas

Inappropriate Access to Patient Records Spanned 14 Years

Sweden Grapples with Sensitive Data Leak Scandal

IoT Security Cameras Have a Major Security Flaw

Every one of these stories involves Americans exposing private information or losing it to potential attackers. Even the story from Sweden, which shows that Americans have plenty of sloppy company. I could have found many more.  And those five days are typical.

Beyond those headlines, the sorry list of recent cyber-attack victims reads like a who’s who in American industry. And, rubbing salt in the wound, too many of our leaders become unwitting partners with cyber-crooks because they’re embarrassed to be caught with their pants down.

Read about sloppy management and the sorry response at the United States Office of Personnel Management when it allowed the Chinese to steal details on everyone who applied for a security clearance, right here.  How many people died because of that fiasco? Read about hundreds of thousands of American identity theft victims because they filed their taxes electronically right here.  And here.  And here.  Read about Minnesota law enforcement officials abusing driver’s license records right here.

Closer to where Mike Pompeo works these days, how does the US Government justify at least a ten year history of questionable cyber-activity?  Read about Stuxnet, the cyber-attack against Iran to stop its nuclear program, right here, and think about what might happen when the Iranians turn that weapon against us.

To find our real cyber-threats, look in a mirror.  We are our own worst cyber-security enemies.  Not Russia. Not China. Not North Korea. Not the criminal underground. Not Wikileaks. Us. We, the people. The good guys.

But wait – maybe the examples I cited above are just sensational headlines and don’t reflect everyday reality.  Well, not so fast. Here is a taste of my everyday reality.

Consider the bank vice-president who refused to understand the difference between his bank’s website and the bank internal network. Or the dentist who told me he didn’t need computers to practice dentistry – but had no answer when I asked him what would happen when his antiquated Windows XP computer “server” finally died.  Or the business owner who didn’t want to listen to the Internet threats she was up against because the port-scan report I showed her was a bunch of numbers on a computer screen.  Or the medical clinic spewing data to who-knows-where that didn’t want to call law enforcement because the top managers didn’t want the publicity.  Or the nonprofit CFO who didn’t want to listen when I told him he needed an antivirus solution. Or the car dealer who insisted his antivirus solution was just fine, even though it crashed both computers where we tried it.

Just a few anecdotal stories I’ve been part of, first hand.

For busy people with no time to absorb details, here are six words that everyone who uses the Internet should take to heart.  This is everything you need to know about Internet security. It took me three years to come up with this. Here it is:

Care and share to be prepared.

Care enough about security to educate yourself.  Share what you learn and expect everyone to share with you.  I have plenty of mini-seminars that go deeper.  Here is one.

I wish Mike Pompeo the best in his tenure as United States CIA Director. I hope he helps all of us open our eyes.

Are you nuts? Never let anyone put an RFID tag microchip inside your body.

It’s all over the news.  Fifty employees of a company named Three Square Markets, in River Falls, Wisconsin, are lining up to have an RFID tag implanted between their thumb and forefinger.  With the company CEO and his family leading the way, employees are volunteering to have it done.  And they’re apparently excited about it.

Here is a link to one of the stories from CBS News.  Here is another one from the St. Paul Pioneer Press, which reprinted the original Washington Post story.  The Pioneer Press should be embarrassed that it had to reprint a Washington Post story about what’s going on in its own neighborhood, but that’s a different topic.

Implanting RFID tags in people is not new.  But it will always be a bad idea on many levels.  I’ll get to that in a minute.  First, how the technology works.

RFID (Radio Frequency Identification) tags are at least twenty years old.  They’re about the size of a grain of rice and they contain one piece of data: a unique ID.  Think of it as a serial number.  They’re passive, meaning they don’t need batteries, and they’re inexpensive at about fifteen cents per unit.  Pass an RFID tag near an RFID reader, and the reader triggers a tiny radio signal from the tag with that number.  The RFID reader “hears” the number and sends it to a computer. That’s it – that’s the technology.

The power is in the applications.  Retailers use RFID tags to track inventory.  Walk into a modern retailer and you’ll see RFID readers near the entrance.  We put RFID tags in dogs and cats to track our pets.  They’re in vehicles to automatically pay when passing through toll booths.  They’re in badges to enter secure doors.  Manufacturers use them to track work in progress.  Today’s world is awash in RFID tags.

What’s not to like? RFID revolutionized retailing and other industries by improving efficiency and driving down costs.

Imagine the convenience if we could uniquely identify every human being in the world by scanning a hand.  Wave a hand over a vending machine to buy a sandwich.  Walk past an RFID reader in a doctor’s office and a computer in the back room looks up all your medical records.  Keep a living will on file.  Or organ donor information, which could save lives.

The applications are limited only by our imaginations.

Which is one reason why implanting RFID tags in humans is bad.  Do I really need to spell out the dangers of databases that track everything there is to know about us?  All that convenience comes with a cost.  Do we really want to live in a world with RFID readers everywhere, in front of massive databases that track everything we do?

And it gets worse.  I’m a Christian, and I believe the Bible is the word of God, recorded by people and handed down to us over the generations. We can argue whether the authors of the Bible stories we read today told the truth, but it’s indisputable that lots of scholars have gone to lots of trouble to make sure today’s New Testament accurately reproduces what those authors said.

And in one book we’ve come to call Revelation, an Apostle named John, around 95 AD, predicted implanting today’s RFID tags into humans as a sign of really bad things in the world of his future.  Just read what he said, from Revelation, chapter 13:  I’ll quote verses 16 and 17:

16 It also forced all people, great and small, rich and poor, free and slave, to receive a mark on their right hands or on their foreheads, 17 so that they could not buy or sell unless they had the mark, which is the name of the beast or the number of its name.

There’s lots of context and discussion about these verses.  Start at http://www.biblegateway.com to see today’s translations for yourself.

I don’t mean to turn this blog post into a Bible study.  Here’s the point: with people apparently excited today about implanting these things in their bodies, it’s not much of a stretch to imagine these things becoming mainstream and a requirement soon.

Not inside my body.  I am not a serial number, I’m not a piece of inventory, I’m a flesh and blood human being. I’ll go to jail or worse before ever consenting to implanting one of those things inside me.

When your company cuts its own throat, you don’t need to cut yours

The Register recently published this article about IBM disallowing remote workers and it brought back a flood of memories.   The article should be titled, “IBM cuts its own throat.” Here’s the key paragraph:

According to well-placed sources, IBM’s Software and Systems unit began a transition similar to the marketing department’s upheaval late last year, with remote workers told they would have to move and work at one of a handful of city offices, or find a new job.

It’s a morale boosting move.  IBM’s chief marketing officer said so.

IBM has pitched all this change to employees as a way to improve the working environment and office culture. In a video message to her troops, seen by The Register, chief marketing officer Michelle Peluso said “there is something about a team being more powerful, more impactful, more creative, and frankly hopefully having more fun, when they are shoulder to shoulder.”

I thought that was satire at first.  But it’s real.  Apparently, workers have 30 days to decide; either move to the city where your team is located or you’re out.

Imagine working for a company, year after year, pouring time and emotional energy into your job, only to wake up one morning to find you have 30 days to either move across the country or quit. The beatings will continue until morale improves.

And that sums up why I have such a deep distrust of all big organizations.  It’s just plain wrong when a disconnected manager with a spreadsheet disrupts thousands of lives and hammers shareholders in the same move.

Death Spiral

Way back around 1993 or so, the company where I used to work was going through its own death spiral.  The weather was bad here one day, and traffic was backed up all over town, especially crossing the river that separates where I live from where I used to work.

I tried every river crossing between my house and the office.  They were all parking lots.  So, I turned around and drove back home.

I had a terminal. Yes, a real DEC VT220 terminal, and modem, and I dialed into work and started getting things done. There was a customer crisis and I talked to people over one phone and talked to computers over a modem on the other phone line. I kept right on working and next time I looked up, it was 5pm and time to go home. Except, I was already home, and I realized it was a productive day. I felt good.

Next day in the office, I caught an earful of grief about not showing up for work.  Nobody cared about the customer crisis. That attitude represents what killed Digital Equipment Corporation.  And it will help kill IBM.  Here is one more story.

Around 2014, when I was an IT equipment reseller, I needed a storage solution for a customer project.  A few IBMers wanted me to resell their product, and they treated me to lunch at a local diner.  As we ate lunch and talked, I could see burnout in their eyes.  Sometimes, you just recognize it.  Especially after living through it myself back in the early 90s.  But I signed up as an IBM reseller partner anyway, mostly because I’d been jerked around by the other guys and I’d heard good stories about IBM product quality.  So I overlooked the burnout and gave it a shot.

A note to non-tech readers here.  Don’t be intimidated by words like “server” and tech company names like IBM here.  This is about sales and money, not technology.  Think of an IT equipment reseller as similar to a car dealer. Except it’s computer equipment and services instead of cars.  And I went to customers, instead of customers coming to my showroom.

Just like car manufacturers offer sales incentives for dealers, IT equipment vendors offer sales incentives for reseller partners.  The most common is a process called deal registration.  When a reseller brings a vendor into a sales opportunity, the reseller registers that opportunity with the vendor and the vendor grants favorable pricing to that reseller.  It’s a reward for introducing the vendor to a new customer and it’s supposed to protect the reseller from cutthroat pricing competition.  Theoretically, nobody will be able to buy at a lower wholesale cost.

Shortly after my free lunch, and before IBM sold its Intel based server division to Lenovo, I pitched IBM servers to that customer.  It was a warm-up to the larger opportunity for storage, the real prize.  Wouldn’t you know it, Lenovo was the competition, and online store, CDW, teamed up with Lenovo to sell Lenovo servers at a retail price less than my preferred IBM wholesale cost.  I’m no economist, but I figured out a long time ago that selling for less than what you pay is a path to bankruptcy.

I lost that server deal.  But I have a hunch both CDW and Lenovo lost money to beat me.  Small comfort.

And then IBM dropped a bomb.  Because I brought IBM in and registered the opportunity and we lost, IBM punished me by prohibiting me from registering any more opportunities with this customer for 90 days.  This meant, if I wanted the privilege of selling IBM equipment to this customer during the next 90 days, not only would I make less money on any successful sale, but I would be at a pricing disadvantage to anyone else who might come along and register their own deal with IBM.  No good deed goes unpunished.

I complained all the way to the CEO’s office.  Lots of important people promised to make it better, but nobody could override an automated system apparently controlled by a group in the Philippines.  And not one IBM vice-president understood why I was upset.

I teamed up with a different storage vendor and eventually made the sale without IBM.  And that pretty much ended my short IBM partnership.

Now, it’s 2017 and IBM has gone through twenty consecutive quarters of revenue decline.  That’s five years of misery.  Combine desperation to turn around a shrinking revenue base with the bureaucracy gone nuts I tangled with, add disconnected senior managers with spreadsheets, and it’s a recipe for disaster.

And talk about irony.  The same IBM that wants to become a cloud provider decides now is the time to get rid of remote workers.  Tell me how that makes any sense.  Why would anyone listen to IBM’s cloud message today, when IBM wants to run its own operations as if it were still 1982, when Reagan was president?

I would not want to be part of 2017 IBM.  This forced relocation will only drain talent and eventually kill the company.

Normally, this is where I would end.  Yet another disconnected manager with a spreadsheet and a company in a death spiral.  End of story, right?

Creative Destruction

Not so fast.  We live in the United States, land of creativity and free enterprise.  And out of the ashes and pain from this IBM idiocy will rise a wave of creativity that will start something new and better.  Economists call it creative destruction.  Which means it must be common, since it has a name.  I might be the poster child for creative destruction on a small scale.

It doesn’t take a rocket scientist to figure out that this “offer” is really a way to get rid of people without spending money on layoffs and severance packages.  If you’re a twenty year IBM veteran, used to predictability, and with a mortgage and family to feed, you’re probably living in fear right now.  Do you uproot your family and keep working for managers who want you gone but don’t want to spend money to lay you off?  Or do you stay put and look for something else?  Whatever you choose, that perception of safety you’ve enjoyed since before your kids were born is over.  The clock is ticking.

My vote: Walk away now.  If you uproot your family and move across the country to keep your job, what happens in a few months with the next revenue crisis?   You can do better.  The world is bigger than IBM. Or any company.


Prejudice and Respect

I earned my MBA degree in 1996. I share that tidbit to communicate that tech people really can do more than sit in dark rooms and play with computers.  Here’s more. I graduated in the top one hundred percent of my class, making me the opposite of a superstar.  This is a commentary about how I’ve observed tech people and non-tech people interact. That’s the prejudice part. And it’s a plea for respect.

Several years ago, one project in my MBA New Venture Finance course was a presentation about business plans for our proposed entrepreneurial venture. One classmate presented a venture idea to sell generic, low cost blood replacement products. The instructor ate it up. He thought the idea was creative, innovative, and unique. I’ve thought about that presentation over the years, and I don’t know about you, but if I’m on the operating table and a team of doctors need to pump replacement blood into my body to keep me alive, I want the good stuff. I don’t care about saving a few dollars with generic stuff.

I was up all night putting my presentation together, and my turn came next. My idea was to set up and operate an information utility, a 1990’s phrase for today’s cloud service. I used the word, modem, in the presentation, and my instructor stopped me in mid-sentence.

“Greg, you’re using techie words nobody understands. You need to work on that.”

Really?  The word, modem, is too technical for most people?  But cheap, generic blood is okay?

I passed the course, but nobody liked my business plan. Story of my life, I was a few years ahead of my time.

Shortly after the dot com bust of 1999, I tried exhibiting at a tradeshow. I had signs and displays describing all the amazing IT services my company could deliver, and I could not understand people’s reactions.  People glanced at my signs and then either turned the other way, or if they needed to walk past my table, crossed to the far side of the aisle to avoid talking to me.

I finally walked out in the middle of the aisle and cornered somebody to ask him why. He said he was tired of the technology treadmill, with broken software and constant upgrades, and wished he’d never seen a computer. IT was a necessary evil, and the last thing he wanted to talk about or think about at a business tradeshow was IT issues.

I have other stories. There’s the one about the banker who didn’t know or care about the difference between his internal bank network and his bank website, the dentist who needed his brother-in-law in Colorado to help start up his Windows PCs every morning so he could take patient X-Rays, the security company CEO who killed a project that would have saved his company hundreds of thousands of dollars because it used a computer, the medical device company with a CEO who refused to acknowledge Internet threats, and the charter schools who insisted on operating system versions that would never accommodate their projected number of users. Maybe I’ll write another book with stories about willful incompetence and its consequences.

The common theme to all this is prejudice and respect.

Prejudice first. As an IT professional, before we ever meet for the first time, I already have two strikes against me. Every word I say will be gobbledygook jargon, especially if I use a word like modem in a sentence. You probably think I still live in my parents’ basement and spend all my free time playing video games and watching Star Trek reruns. I don’t shower often, and because I do technology for a living, I am therefore not qualified to talk about business issues or anything that so-called normal people talk about. If your computer breaks, you’ll ask me to fix it, and I’ll do it because I want to show off my tech skills and I crave your approval. But I’ll never have a seat at your decision making table because I’m a technology resource, not a full-fledged human.

There’s another point of view on prejudice. You might feel like you have two strikes against you before we meet for the first time. Maybe you met an IT technician who ridiculed your choice of words because he—and he usually is a he—knew more about a piece of technology than you. Maybe he was power hungry and tried to use his tech skills to gain an unfair advantage. Maybe that left you with a bad impression of all tech people.

Or, maybe you just aren’t curious about how any of this stuff works, and when anyone tries to explain it, you shut down. Fair enough – but, like it or not, technology is fundamental to 21st century society. Stay intentionally ignorant at your own risk.

And that leads to respect. I need to work on how I communicate with you. This is a challenge for me, because I’ve done technology for a living my entire adult life, and the odds are good I’ll use words you’ve never heard of. Do me a favor. If I slip into tech jargon, just tell me and I’ll be happy to work on explaining it a different way.

If you don’t care how something works, let me know that too. But a caution; if you want me to fix your problem, be prepared for some education on how to avoid it next time. That’s my price for free labor. Learn to appreciate it.

I’m not a drone, I’m not a machine, and I’m not a resource. Just like you, I’m a full-fledged human. If we both treat each other with respect, maybe we can both learn some things.

Talent

A lot of people have asked me lately, “Greg, why do you write?”  I ask myself that same question all the time, especially in the middle of the night after I’ve fallen asleep in front of the keyboard and I wake up with a sore neck and drool running down the side of my chin.

Believe me, life would be simpler and easier if I just focused on being average.  I don’t remember the last time I went to bed at a normal time and stayed in bed all night.  And doubts about writing plague my mind every day, especially when friends and family constantly remind me that nobody cares about what I write.  They don’t come out and say it, but I can read between the lines.  And, so far, they’re right.  The raw truth is, nobody but me cares about what I write, or what I think, and the odds are good that nobody ever will.  Dreams are for idiots who don’t know better.

So, why not just admit I’m a failure and take the easy road?

It’s the dream.  I want to be a successful writer.  I want it badly enough to put in the time to learn this craft. I want it badly enough that it crowds out nearly all other thoughts. Writing is the last thing I think about before I pass out in bed, exhausted, and the first thing I think about when I get up in the morning, four or five hours later.

But there’s more to it.  I need to insert a sports metaphor.  Sort-of.

When I was much younger, I read biographies of lots of sports stars.  One was Bart Starr.  Bart Starr wanted to be an NFL quarterback.  But the experts said he was too small and his arm wasn’t strong enough to throw long passes.

The Green Bay Packers drafted Bart Starr in the seventeenth round in 1956, and nobody expected him to still be there by the end of training camp.  According to what I read, he prepared by spending hour after hour after hour, day after day, throwing passes at a tire erected on a wooden frame.  He made it through training camp, through three miserable seasons, and then went on to become the greatest quarterback in the NFL.  He had talent, but he won because of hard work.

As a long-time Minnesota resident, I also watched Randy Moss play football for the Minnesota Vikings.  His nickname was “Super-freak” because his body could do things most human beings only dream about.  He is still the most talented wide receiver the NFL has ever seen.  He should have captured every NFL receiving record, but he flushed it all away by relying on his talent without putting in the hard work to compete with the best of the best.

Who is more admirable – the super-freak with superhuman talent, or the normal person with a superhuman work ethic?  I know who I admire more.

God gave me writing talent.  I could feel it all the way back in high school, when I discovered I had a knack for putting sentences together.  But I blew it.  I never tried to improve.  I never got better, even when I wrote a back page magazine column for five years.

Most of my life is over.  But I’m not dead yet, and I need to make up for lost time.  That’s why I keep at it, night after night, typo after typo, rejection after rejection, failure after failure.  Because, after all these years, maybe, just maybe, I might be able to finally make something out of myself.  Maybe even become a role model of success for my grandsons.  Maybe even leave them something after I’m gone.  If I die trying, at least I died trying, instead of dying wondering what it would be like.  And if an audience finds me, so much the better.

I have a message about talent for the two or three people who might read this someday.  God gave you talent.  You didn’t earn it, it was a gift.  Just because God gave you a talent, even super-freak talent, does not make you better than everyone else.  If God gave you a talent, then you have an obligation to nurture it, develop it, and do something good with it.  Don’t make the mistake I made and spend most of your life ignoring it.  And don’t make the mistake Randy Moss made by squandering it.


What made me care about IT security and why you should too

I’ve been asked many times why I care about IT security.  It started in earnest for me way back in 2000 when somebody invaded my house.  I first published this story in the February, 2001 edition of Enterprise Linux Magazine.


International Terrorism in Minnesota

I’ve written extensively in this column about a small Linux DNS server I run.  Imagine my surprise a few weeks ago when I found my system launching a denial of service attack against the Government of Brazil.  That set a chain of events in motion every bit as traumatic for me as the recent Presidential election was for everyone else.

It all started when I tried to access my email.  For some reason, the response time was unbelievably slow.  About that time, my wife complained she couldn’t get to the Martha Stewart Web site, or anywhere else on the Internet, and what did I do to the computers this time?

I started investigating and found my house LAN was indeed running very slow.  I looked at my hubs and found port 4 on one hub going nuts.  This was the port leading to my DNS server.  The ps -ax command showed me the following process:

ping -s 65000 -f nn.nn.nn.nn (I won’t share the target IP address.)

My DNS server was sending 65,000 byte packets as fast as it possibly could to a system across the Internet.  When I killed the process, performance went back to normal.

A feeling of dread came over me and my adrenaline started pumping.  Then I got mad as I realized some jerk broke into my DNS server and set up this attack.  Fortunately for the Internet, I don’t have enough bandwidth for anyone significant to seriously care about.  Unfortunately for me, this jerk found out where I am and how to break in to my network.  I felt violated, angry, and afraid all at the same time, especially when I thought about all the data I have squirreled away in various directories on computers all over my network.  I wanted to find this jerk and strangle him or her, but I didn’t have the tools to even know where to begin.

So I called my friends at Mission Critical Linux for help.  I explained the situation and we all agreed that somebody had compromised my system.  I learned a lot about network break-ins that day.  I learned that BIND 8.2.2-P5, the version of DNS bundled with Red Hat Linux 6.1, has “hundreds” of security vulnerabilities, and that Red Hat keeps a list of bug fixes and updates on its web site.  I should have periodically checked for these updates.

I learned to shut down services such as sendmail, telnet, and ftp because they serve no useful purpose on this machine.  Sendmail uses its own process while the inetd process controls ftp, telnet, and others.  These commands ensure they won’t start at boot time:

/sbin/chkconfig --level 345 sendmail off
/sbin/chkconfig --level 345 inet off
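Here is an added example, not part of the original column, that turns the two checks above into a script: it scans a ps -ax listing for a flood ping and confirms that the services you turned off with chkconfig really are off in runlevels 3, 4 and 5. Both listings are constructed samples modelled on what the column describes, and the target address 192.0.2.10 is a documentation-range placeholder, not the real address (which the column withholds). The function names find_flood_pings and services_on_in_345 are my own.

```shell
#!/bin/sh
# Added example (not from the original article): look for the flood-ping
# pattern the article describes in a ps listing, and verify that the services
# the article turns off with chkconfig no longer start in runlevels 3, 4 and 5.

# Constructed `ps -ax` listing modelled on the article's description.
# 192.0.2.10 is a documentation-range placeholder, not the real target.
PS_SAMPLE='  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init
  412 ?        S      0:00 named -u named
  518 ?        S      0:00 inetd
  533 ?        S      0:01 sendmail: accepting connections
  871 ?        R     12:37 ping -s 65000 -f 192.0.2.10
  902 pts/0    R      0:00 ps -ax'

# Constructed `chkconfig --list` output: sendmail is still on, inet is off.
CHKCONFIG_SAMPLE='sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
inet            0:off   1:off   2:off   3:off   4:off   5:off   6:off
named           0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# find_flood_pings LISTING
# Prints one line per ping process that carries the -f (flood) flag: its PID,
# the -s packet size (or "default"), and the last argument, which is the target.
find_flood_pings() {
    printf '%s\n' "$1" | awk '
        $5 ~ /(^|\/)ping$/ {
            flood = 0; size = "default"
            for (i = 6; i <= NF; i++) {
                if ($i == "-f") flood = 1
                if ($i == "-s" && i < NF) size = $(i + 1)
            }
            if (flood) printf "pid=%s size=%s target=%s\n", $1, size, $NF
        }'
}

# services_on_in_345 LISTING SERVICE...
# Prints each named service that chkconfig still starts in runlevel 3, 4 or 5.
services_on_in_345() {
    listing=$1
    shift
    for svc in "$@"; do
        printf '%s\n' "$listing" | awk -v svc="$svc" '
            $1 == svc {
                for (i = 2; i <= NF; i++) {
                    split($i, kv, ":")
                    if ((kv[1] == "3" || kv[1] == "4" || kv[1] == "5") && kv[2] == "on") {
                        print svc
                        exit
                    }
                }
            }'
    done
}

# Stand-alone run against the constructed samples. On a real machine you would
# pass "$(ps -ax)" and "$(chkconfig --list)" instead.
echo "Flood pings found:"
find_flood_pings "$PS_SAMPLE"
echo "Services that should be off but still start in runlevels 3-5:"
services_on_in_345 "$CHKCONFIG_SAMPLE" sendmail inet
```

On the sample data the first check reports pid 871 sending 65000-byte packets to the placeholder target, and the second check reports only sendmail, because the constructed chkconfig output already has inet turned off. Running the second check after the two chkconfig commands above is a quick way to confirm they took effect before the next reboot.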

That’s when I remembered that telnet had been behaving strangely.  When I tried to connect via telnet, it wouldn’t echo anything and lately would just tell me the process was ending.

The support person laughed and told me I’d been suckered by the oldest trick in the book.  Somebody probably replaced the real telnet with a fake version designed to steal passwords for later transmission to the bad guys.  The system had definitely been compromised.

The technical recommendation:  Wipe the hard drive and rebuild the system from scratch.  The next recommendation:  Call the FBI immediately because the IP address my system attacked belongs to the Brazilian National Government, and I could face legal trouble if I didn’t report it.

As soon as we hung up, I called the Minneapolis FBI office and asked for somebody who deals with computer crime.  The receptionist sent me to a lady.  The conversation went like this:

Greg:  “Hi – I need to report a computer crime.  Somebody broke into my DNS server and launched a denial of service attack against the government of Brazil.”

FBI Lady:  “Wait a minute.  Did you say D-E-S server?”

Greg:  “No, a DNS server.”

FBI Lady:  “Oh – D – N – S, OK.  What did they do to your computer?”

Greg:  “Somebody tried to use my computer to attack a computer that evidently belongs to the Brazilian Government.”

FBI Lady:  “OK, . . ., who did it?  Do you have their address?”

Greg:  “No.  See, a DNS server translates names to addresses on the Internet.  One of my computers is a DNS server and somebody out there on the Internet tried to use my computer to attack this other computer in Brazil.”

FBI Lady:  “OK, but we need to know who did it.  We need a name or address or some way to find this person.”

Greg:  “Well, I was kind of hoping you guys could help me figure that out.”

FBI Lady:  “There’s not much we can do if we don’t know who broke into your computer.  Don’t you have any idea how to find this person?”

Greg:  “I wish.  See, the Internet is a whole bunch of computers all around the world and they’re all connected to each other.  Somebody on one of those computers found my computer and made it do this attack.  Since all these computers are connected to the Internet, we don’t know if the attacker is next door or across the world someplace.  But maybe they left some clues inside my computer to help track them down.”

FBI Lady:  “OK, let me get your phone number and somebody will call you back.”

Greg:  (after giving my phone number)  “Any idea when I’ll hear from somebody?”

FBI Lady:  “No.  They’re all pretty busy, ya know.”

Greg:  “Thanks.”

I made that call on Tuesday, Nov. 11, 2000 at roughly 1 PM central time.  I called again at 4:30 PM the same day.  As of this writing on December 15, 2000, I still haven’t heard back from the FBI.  I don’t mean to complain, but I was hoping the FBI would be sharper than that.

I’ll share how I rebuilt my DNS server and a list of helpful books in a future column.


I realized later, I made a mistake on my dates in the article.  Nov. 11, 2000 was a Saturday.  I know I called the FBI on a Tuesday, so the correct date would have been either Nov. 7 or Nov. 14.  To this day, I have no idea how I came up with Nov. 11 for a date in the original article.  But this key detail gave me an insight into how the FBI works.

My phone rang one morning in Feb. 2001, a few days after the article ran.  It was a manager in the Minneapolis FBI office and he wanted to troubleshoot.  I thanked him for the call, but said I could not afford to shut down my life and wait three months for a callback from law enforcement.  I had long ago wiped and rebuilt that system.

That’s when he went into CYA mode.  He said that since I called on a Saturday (remember, I really called on a Tuesday) I must have connected to a weekend operator.  That was why they had no record that I had ever called.  Yeah.  Uh-huh.  My tax dollars at work.

Lesson learned – law enforcement is of little or no value in data breach scenarios.  Over the next several years, I would learn that lesson a few more times.

Here is why everyone should care about incidents like this.  Somebody exploited a flaw in one of my public facing systems to invade my house and use me as a drone in their attack against a third party.  Although nobody physically tramped through my house, the net result was the same: I was violated.  And I was on my own to fix it.  How many times since have we heard variations on that story?

If you’re running a business and somebody violates your company IT systems, the odds are slim that anybody from law enforcement will help you.  If you’re an individual consumer, the odds are even slimmer.  Read books like “Bullseye Breach” to educate yourself on how these violations happen, read earlier posts in this blog, and keep an eye on future posts for ideas to reduce your attack surface.

If you bury your head in the sand, don’t be surprised when somebody kicks your exposed rear-end.

(I first posted this on my Infrasupport website on Nov. 14, 2016 and backdated here to match the original posting date.)

A few security FAQs

Here are a few FAQs (frequently asked questions) about Internet security.  I should have put this together a long time ago.

Q: I don’t keep national security secrets inside my computer or cell phone. Aren’t all these so-called security products the real scam?

A: You probably don’t have any secrets anyone cares about.  But the game is not to steal your secrets.  The real game is to make you an unwitting drone in a scheme to steal somebody else’s secrets.  You spent money for your computer equipment and you spend money every month for Internet and cell phone service.  If you don’t care about somebody using you for criminal projects, then don’t protect yourself.  You are either part of the solution or part of the problem.

Q: Why don’t all those lonely teenage hackers get a life?  And why are the most powerful companies in the world at the mercy of a few evil computer genius hackers?

A: These are the wrong questions to ask.  The image of a lonely teenage boy in his bedroom stealing national security secrets for fun might play well in Hollywood, but it’s not real. Neither are the images of an evil computer genius threatening to destroy the world by guessing the secret password and typing a few commands, and the good guy genius who saves the world in the nick of time. Most of the bad activity these days comes from organized crime or nation-states, not any single individual. Those powerful companies are vulnerable because the people charged with keeping them safe did not do their jobs.

Q: If there are no evil computer genius hackers, then why do we see almost daily reports of cyber breaches?

A: I didn’t say there are no evil geniuses, only that the Hollywood images are wrong. There are plenty of evil geniuses in the world, but they are only a small part of an entire global criminal industry.  Just like legitimate industry, the shadowy Internet criminal industry has venture capitalists, inventors, markets, tech support services, and specialists for every conceivable discipline.

Q: Why are we all such sitting ducks on the Internet and why doesn’t somebody do something about it?

A: Just like humans developed an overwhelming advantage over other animals on our planet by developing language, bad guys currently have an advantage over good guys because bad guys collaborate better than good guys.  Business and government can erase that advantage by bringing security practices out into the open and giving them more than lip service.  We can influence policy by educating ourselves and using our market power to support organizations with good security policies.

Q: Is it true that my Internet connected baby monitor can destroy the Internet?

A: No, not by itself.  But combined with millions of other poorly designed IoT (Internet of Things) products, it can wreak plenty of havoc.  When you buy Internet connected devices, such as baby monitors, DVRs, security cameras, door locks, thermostats, ovens, you name it, make sure they have a mechanism for updates in the field.  Make sure you don’t use factory default passwords and make sure they don’t have default passwords or other back doors permanently baked into the hardware.  And put them all behind a credible firewall.

Q: Speaking of firewalls, since all my stuff is behind a firewall, doesn’t that mean I’m safe?

A: No.  Firewalls are one part of a bigger picture.  They stop unsolicited traffic.  Firewalls are worthless when you invite the traffic in.  That’s why it’s important to be careful about what websites you visit and avoid opening email attachments.  And that’s why you need antivirus software, even if nobody has a perfect antivirus solution.

Q: Today’s high tech is boring and complicated.  Why can’t they just make this stuff simple and usable?

A: “They” is really us.  Spend more time with security, where technology and psychology meet and the results are fascinating.

Q: Where can I find an entertaining story about how major data breaches play out?

A: One great perk about my own blog: I get to plant great lead-in questions.  Here is a shameless plug for my first book, “Bullseye Breach,” an educational book about data breaches disguised as a thriller novel about how the Russian mob penetrates Minneapolis retailer, Bullseye Stores, and steals 40 million customer credit card numbers.  Here is a six minute video about how that attack unfolds.

And stay in touch for information about book #2 coming soon.  This time, a nation-state really does mount an attack.  And the stakes are much higher than credit card fraud.

(First published on my Infrasupport website, Oct. 25, 2016.  I backdated here to match the original posting.)

Our political leaders set a sorry security example

I am constantly amazed by how much cyber-security affects our 21st century lives every day, and by how clueless our leaders on both sides of the political aisle are about all of it.

Let’s start with Hillary and the Democrats.  I’ll dump on Trump and the Republicans in a minute.

First up is Hillary’s email server.  I’ve said over the years that I have no problem with Hillary running her own email server.  And, given what we’ve since learned about US Government security with stories like the OPM breach, I might have run my own email server if I were in her position.  One difference – I know more about running an email server than Hillary.

Whether or not what she did is criminal is still being argued, but we all learned she was, at minimum, wildly careless handling sensitive information.  A United States Secretary of State should know better.  Her reaction?  Double-down on ignorance.  Check out this piece from The Daily Beast here.  Another link to the embedded Youtube video here.  At around the 1:05 mark, the reporter asks Hillary about wiping her email server.  Her reply – “You mean, like with a cloth or something?”  Arrogant, ignorant, and proud of it.  A dangerous combination.  The FBI report came out this summer (2016).  I posted thoughts about FBI Director Comey’s announcement here.

Check out FBI Director Comey’s announcement, where he describes how an army of FBI professionals needed a year to painstakingly comb through that server hard drive to recover thousands of deleted messages.  Why were they deleted?  Only one explanation holds up: Hillary must have ordered her email administrator to uninstall Microsoft Exchange and delete the datastore, but nobody wiped the deallocated space.  A rookie mistake?  Or a bungled coverup?  How much would an enemy of the United States pay for a copy of the discarded hard drive from the Secretary of State’s email server?  So, yeah, wildly reckless is a charitable characterization.

Although there is no evidence Hillary’s email server was ever penetrated, apparently the Russians did penetrate the Democrats’ email server. And now the whole world sees a daily barrage of embarrassing, private messages, courtesy of Wikileaks.  And in the process, we’ve now legitimized Wikileaks, even though its leader is currently holed up in the Ecuadorian Embassy to block extradition for sexual assault.  Full disclosure here – I have personal experience with Wikileaks.  Here are details.

And that leads to Donald Trump, chief Wikileaks legitimizer.  The Donald, maybe our next President, who fires apprentices for making weenie excuses for failure.  So how did Trump Industries handle its data breach last year, when it exposed thousands of its own customers to credit card fraud?

“Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation to determine whether it involves any of our properties,” the statement reads. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

I added the italics for emphasis because it was a weenie excuse.  Read the July, 2015 krebsonsecurity.com story here, and the Krebs followup October, 2015 story here.

It gets worse.  Krebs reported a second data breach in April 2016.  Article here.

That’s right.  Anyone who stayed in a Trump hotel through most of 2014, 2015, and early 2016 should consider calling their bank and requesting a new credit card.

And now, the ultimate in irony.  “We’re so obsolete in cyber,” Trump told The New York Times. “We’re the ones that sort of were very much involved with the creation, but we’re so obsolete.”

Donald said that in March, 2016.  Now it’s October, 2016 and we all recently learned how right Donald was.  Although not in the way he intended.

The news broke on Monday, Oct. 17 when security researcher, Kevin Beaumont, did some simple probes of publicly available data and found that the Trump organization uses Windows 2003 with Exchange 2003 as its email server.  Here is a ZDNet article with details.  Here is a Vice News article with more.

IT professionals’ jaws should be dropping right now.  For the uninitiated, as of October, 2016, Windows 2003 really is 13, count ’em, 13 years old.  Which means today’s 7th graders weren’t born yet when Windows 2003 first became available.  Microsoft no longer supports Windows 2003 and no longer issues security updates.  Which means the Trump public facing email server is the Internet equivalent of a large “rob me” sign taped to the front doors of all Trump properties.  Which may explain why criminals were able to so easily steal thousands of customer credit card numbers from Trump Industries, not once, but twice.

And it gets worse.  Trump’s response is nonsense.

“The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices.”

Defending the choice to continue operating a hopelessly obsolete email server because it’s behind a firewall is like changing the car oil to compensate for bad tires.  The Trump response demonstrates an amazing lack of basic understanding about what firewalls do – and don’t do.

I wonder if Trump will still be a Wikileaks supporter when his private emails start showing up in newspaper headlines?

And finally, we learn that Republicans and Democrats do share some common ground in this divisive election year.  They’ve both been breached.  The Democrats lost emails and the Republicans lost credit card numbers.  Anyone who purchased anything from the Republicans between March 2016 and the first week of October should contact their bank and ask for a new credit card.  Details here.

If you’re a political candidate or an organization decision maker, listen up.  Based on what I’ve seen, you probably don’t know nearly as much as you think you know about cyber-security.  So accept my shameless book plug and consider buying a copy of “Bullseye Breach,” right here.  You’ll be entertained and you’ll learn how this stuff really works and what you can do to stop it.

I’m also looking for an agent and publishing partner for book #2, where a nation-state really does attack the United States.  More news on that as it gets closer to publication.

(Originally posted on my Infrasupport website, Oct. 20, 2016.  I backdated here to match the original publication date.)

Hillary and respect for IT and her email server

By now, everyone knows about yesterday’s FBI announcement about the Hillary Clinton email server investigation. James Comey’s words, “extremely careless” were widely quoted. As expected, the Trump camp responded with much sound and fury, signifying nothing. And the Hillary camp responded by claiming vindication. Both camps are wrong. What a surprise.

I downloaded and read a copy of the transcript and listened to a recording of the whole announcement today. Read this paragraph from the Comey statement:

“I have so far used the singular term, ‘email server,’ in describing the referral that began our investigation. It turns out to have been more complicated than that. Secretary Clinton used several different servers and administrators of those servers during her four years at the State Department, and used numerous mobile devices to view and send email on that personal domain. As new servers and equipment were employed, older servers were taken out of service, stored, and decommissioned in various ways. Piecing all of that back together — to gain as full an understanding as possible of the ways in which personal email was used for government work — has been a painstaking undertaking, requiring thousands of hours of effort.”

I said earlier that if I were in Hillary’s shoes back in 2009, I might have put in my own email server too. I haven’t heard anything to change my mind, especially given what we’ve learned recently about government data breaches.

The email server isn’t the issue. The real issue is respect. Why does somebody use several different servers and administrators over four years? As somebody who delivers server administration services, I can think of only one reason – she was either an unreasonably demanding customer or she hired amateurs willing to work cheap.

Good email administrators are professionals and the former Secretary of State should have respected the professionals she hired for this purpose – not switched them out like changing clothes. I would love to talk to a few of the people she brought in and then got rid of. Were they professionals that she treated badly or were they amateurs who didn’t know what they were doing? Either answer is bad for Hillary.

What about Trump? He continues to make a fool of himself and too many Americans are too willing to follow him off a cliff.

For the first time in my life, I’m faced with two awful choices for President. Maybe a 3rd alternative with a credible chance of winning will come along.