What do we know about the Equifax data breach?

I shared my initial thoughts about the Equifax data breach in this post from Sept. 8, 2017.  And here is the recording from my WCCO Radio interview with Jordana Green and Paul Douglas.  What follows is an update as of Sept. 11, 2017.

(As of Sept. 14, 2017, this original post is now obsolete, but I’m leaving it intact to preserve the sequence of when we learned key facts. See the bottom for updates from Sept. 13, and Sept. 14 2017.)

The Equifax data breach announcement came on on Sept. 7, 2017.  As of Sept. 11, we still have few facts.  But we do have a tantalizing blog post from a news outlet named Quartz.  Check out this article.

The Quartz article references a Baird Equity Research report about how the breach will effect Equifax stock.  Here is the report.  This key sentence in the report is at the heart of lots of speculation:

Our understanding is data retained by EFX primarily generated through consumer interactions was breached via the Apache Struts flaw…

Apache Struts is a software framework for building Java applications. Struts has had two vulnerabilities recently. One was reported and patched in March, the other on Sept. 4.

Here is another article about Apache Struts from ZDnet.

And now speculation. The Equifax data breach announcement said the attack exploited a website flaw, but I can find no other details beyond that.  The Baird Equity Research report above is not clear about which Struts vulnerability, and doesn’t cite a source.

A few possible scenarios play out here. In the first scenario, Equifax never applied the patch for the March vulnerability and bad guys romped through its systems for two months undetected. This scenario is Equifax’s fault.

In the second scenario, bad guys discovered the new vulnerability before good guys found it. The patch didn’t come until Sept. 4. Smart bad guys could have easily covered their tracks while romping across the Equifax network, such that no automation looking for suspicious patterns would have uncovered it. Somehow, Equifax found the invasion on July 29. Under this scenario, the long wait for disclosure might make sense because there was no fix available until Sept. 4, and Equifax disclosed the breach Sept. 7.

I find this scenario hard to believe because five weeks – from July 29 until Sept. 4 – is a long time for anyone to fix a reported software vulnerability, especially one already in the wild.  The best open source developers pride themselves on great workmanship, and taking five weeks to patch a security flaw is inconceivable. Here is what the Apache Software Foundation had to say about Apache Struts and Equifax.

And the third scenario puts it right back on Equifax – maybe Apache Struts isn’t relevant, since we don’t know where the Baird Equity Research report got its information.

Let’s not rush to judgement yet because there is one credible scenario where Equifax disclosed this thing properly and is not culpable for the breach. I wrote a blog post about how proper disclosure should work right here.

But if Equifax wants to salvage its credibility, then the people with first-hand knowledge need to share what they know about what happened.

Update Wednesday, Sept. 13, 2017

USA Today reported yesterday that Equifax itself said an Apache Struts vulnerability was the attack vector.  But the article does not tell who from Equifax said it, which is frustrating. Here is the relevant paragraph.

On Tuesday, credit reporting company Equifax told USA TODAY the breach was due to an Apache Struts vulnerability. Apache Struts is free, open-source software used to create Java web applications. Several vulnerabilities have been reported, all since patched, but Equifax has not said which one was involved in this breach.

Update Thursday, Sept. 14, 2017

Equifax blew it.  Heads need to roll.  Scenario one above is what happened.  Equifax failed to patch the March Apache Struts vulnerability and allowed attackers to rampage through its network for two months.

The articles quoting the Equifax update are everywhere.  See this ZDnet article and this Ars Technica article.  Their source is the infamous EquifaxSecurity2017.com site. Click on the Sept. 13, 2017 progress update for consumers.

“The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

Let’s summarize.  The people in charge at Equifax learned about the problem on July 29, but didn’t report it until September 7.  A week later, on September 14, after bungling the response they spent five weeks preparing, and only in the face of an uproar, they finally told us which vulnerability the attackers exploited. But they knew all along which vulnerability it was.  Why not report it in the first disclosure?

It gets worse. Three senior executives sold Equifax stock after discovering the breach and before the public announcement. Here’s an extract from this MarketWatch story:

As first reported by Bloomberg NewsChief Financial Officer John Gamble banked $946,374 on the sale, U.S. Information Solutions President Joseph Loughran made $584,099 and Consumer Information Solutions President Rodolfo Ploder earned $250,458. In the same filing, Loughran exercised an option to buy 3,000 shares at a price of $33.60.

Look closely at those titles.  Chief Financial Officer, US Information Solutions President, and Consumer Information Solutions President.  Equifax claims these senior executives had no idea somebody stole the data they were in charge of protecting when they sold their stock.  If true, these folks are incompetent.  If false, they’re crooks.

But wait. There’s more.

Take a look at this Krebs on Security post from Sept. 12.  It’s a story about Equifax operations in Argentina. I’ll quote one key paragraph.

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

I’m still shaking my head.

Equifax CEO Richard Smith is expected to testify in front of Congress on Oct. 3.  I would love to be in the room and ask a few questions.

Somebody stole your personal information in the Equifax data breach. Now what?

(I originally posted this on Sept. 8, 2017. Here is an update from a week later.)

Here are a few articles about the Equifax data breach, first reported Sept. 7, 2017.

  • A New York Times article, here.
  • A nice Krebs on Security writeup, here.
  • SC Magazine posted a piece, here.
  • And a ZDnet article, here.

It’s all over the news.  Lots of noise so far, little information.  Here is a bulleted summary of what we know to date.

  • Attackers penetrated Equifax in May, 2017 and gained access to data about 143 million people.
  • Somebody discovered it on July 29, 2017.  Apparently, the attackers took advantage of a web site flaw.  As of Sept. 8, 2017, that’s all the tech details we know.
  • A few Equifax execs sold a bunch of stock around Aug. 1, 2017. Equifax PR people say the execs had no knowledge of the data breach.  Uh-huh.
  • Equifax hired Mandiant, a respected IT forensics firm, to investigate.
  • Equifax set up a website, https://www.equifaxsecurity2017.com, for anyone to look up whether they might be effected.  Feed it a last name and the last six social security number digits.  Note the irony of feeding a social security number to a website for a company that just reported somebody exploited a web site flaw to steal 143 million social security numbers from another company website.
  • Equifax told the world about the intrusion on Sept. 7, 2017.

This latest Equifax breach is a big deal, but the ugly truth is, after years of data breaches, our personal information is already up for sale. And it’s not the first Equifax breach.  Quoting the Krebs on Security article I linked above:

This is hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans. In May, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

And Equifax is not the first credit reporting agency to lose our personal information. Take a look at a tangled story about how Equifax competitor, Experian became an unwitting partner in an identity theft ring in the Krebs on Security post right here.  Here’s another article.

You read that word correctly.  I really did say, partner.  Experian unwittingly partnered with an identity theft ring from Vietnam a few years ago after buying a company named Court Ventures back in 2012.

Wonderful – we can’t trust the credit reporting agencies everyone uses to assess our trustworthiness. Now what?  The most workable solution I’ve found is setting up a credit freeze.  Which means paying money to these same credit reporting agencies to set it up and trusting they’ll do their jobs.

Here is a link to another Krebs on Security post with details. Here is a link to the US Federal Trade Commission page about credit freezes. And one more link to a Consumer Reports page about credit freezes, here.

The idea is, pay a fee to each credit reporting agency to flag your record with a freeze notification.  Anyone who wants to open an account in your name will theoretically check with one of these agencies and deny it, since it’s flagged as frozen.  But this is a hassle because if you want to borrow money for, say, a mortgage or a car, you have to spend money to unfreeze your credit with the relevant agency, and then spend more money to freeze it again. Not a bad gig if you’re a credit reporting agency.  A hassle if you’re a consumer, but it might save you from an identity thief.

Also, be on the lookout for emails claiming to come from Equifax with “click here” links claiming to set you up for free credit monitoring for a year.  As of this writing, I know of no such emails, but it’s inevitable some senior manager at Equifax who doesn’t know better will want to send one. It’s part of the typical pattern. Check your email header to make sure any email claiming to come from Equifax really does come from Equifax, and make sure the “click here” link really does point where it claims to point.  See my post about How to Spot a Phishy email for more.

I’ll update this post as new information becomes available.

Finally, keep an eye on my dgregscott.com website for resources.  I have a bunch of mini-seminars and blog posts with how-to information, and you’re welcome to all of it, no strings attached.  And if you like what I put together, I’d appreciate it if you would consider buying a copy of one of my books.  Here is a link for more book information.


What to do when your Internet doesn’t work

Internet trouble can make you crazy. You’re posting away on Facebook and suddenly your posts don’t post anymore.  Or maybe you’re emailing your sister and your email program complains it can’t connect to the server. Or maybe your fancy smartTV won’t connect to Netflix.

Now what?

Of course, you call for help.  But whom do you call?  And what do you tell the tech support specialist when they answer after you’ve waited on hold for who-knows-how-long?

Here is a quick diagnostic for anyone who suspects overall Internet trouble. Do this first, before you call, and you might save yourself and your telephone support technician hours of frustration.

But a caution – this means getting your hands dirty with technology.  If that scares you, get over it, for your own good. None of this is rocket science.

One more caution. None of this works with a smartphone or TV. Some smartphones and TVs have primitive diagnostic tools, but as of late summer, 2017, doing this right still requires a real computer.  Or, at minimum, a download into your phone.

This first test takes about 10 seconds. Launch a command line window (how-to details below). Don’t be freaked out that it looks like a 30-year-old step back in time. Inside that window, type this command:

ping www.google.com

and check the results. Here is how it looks from a Windows system when everything works. Macintoshes will behave similarly.

C:\Users\gregs>ping www.google.com

Pinging www.google.com [] with 32 bytes of data:
 Reply from bytes=32 time=20ms TTL=56
 Reply from bytes=32 time=20ms TTL=56
 Reply from bytes=32 time=20ms TTL=56
 Reply from bytes=32 time=20ms TTL=56

Ping statistics for
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
 Approximate round trip times in milli-seconds:
 Minimum = 20ms, Maximum = 20ms, Average = 20ms


Ping sends a data packet to the destination you specify and waits for an echo reply. Just like the old submarine movies, only this is across the Internet. And it’s software, not real sounds. The idea is, ping a popular destination and watch for the reply to come back. Not everyone answers pings, but Google is kind enough to do so. If Google doesn’t reply reliably, then you probably have an overall Internet problem.

Also, watch the milliseconds – in my case above, it’s consistent at 20ms. That’s the round-trip time for the echo request to go out and the echo reply to come back. If your milliseconds bounce around all over the place, you may have a problem – or your Internet connection might just be busy from other family members streaming who-knows-what.

Here’s how to launch a command line window:

In Windows XP, click Start…Run.  In Windows 7 and 10, just click the Start button. In the box right next to the Start button, type CMD and press the Enter key. There are other ways to do it, but this is the easiest and it’s universal.

In Windows 8 and 8.1, press the Windows and R keys on your keyboard. The Windows key is on the bottom row of your keyboard, right next to the Alt key, on either side of the space bar. In the box, type “CMD” and press Enter.

If you have a Mac, launch the Terminal, found in /Applications/Utilities/

Next Step

Here is your troubleshooting decision tree.

If your pings show something like this:

C:\Users\gregs>ping www.google.com
 Ping request could not find host www.google.com. Please check the name and try again.


then you may have an overall connectivity issue, or maybe just a name translation problem. You need another test to be sure. Since we know one IP Address for Google from above, just try to ping that raw IP Address:


and see what it reports. If you see 4 replies and the milliseconds look reasonable, raw connectivity is good and you have a name translation problem. If you see errors, you probably have a raw connectivity problem. Do one more command. My example below is from Windows.  For Macintosh, the command will be “traceroute,” spelled out.


The tracert command traces the route from you to your destination. It’s kind of like looking at a map to find all the stops on a road trip between Minneapolis and Dallas. Or pick your favorite cities. Here is what it looks like when everything is normal – your hops will be different.


Tracing route to ord31s22-in-f4.1e100.net []
 over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms fw.infrasupport.local []
 2 <1 ms <1 ms <1 ms
 3 12 ms 10 ms 11 ms stpl-dsl-gw14.stpl.qwest.net []
 4 10 ms 11 ms 10 ms stpl-agw1.inet.qwest.net []
 5 20 ms 19 ms 20 ms cer-edge-17.inet.qwest.net []
 6 21 ms 20 ms 20 ms
 7 * * * Request timed out.
 8 20 ms 21 ms 20 ms
 9 20 ms 22 ms 21 ms ord31s22-in-f4.1e100.net []

Trace complete.


Notice one of the intermediate hops in-between Google and me did not respond. That’s normal. Sometimes routers on the Internet don’t answer echo requests. You don’t care about that – you care about whether and where the tracert dies, which means where all the rest of the hops report “Request timed out.”

The tracert will max out at 30 hops, but if you’re in a hurry, press the Ctrl and C keys on your keyboard to abort it.

Total time for all this – maybe 60 seconds.

And now you have something to give your tech support specialist when you call for help. If you talk to anyone beyond a brand-new rookie, they’ll appreciate you for taking these basic troubleshooting steps first and may take your problem reports more seriously than otherwise.

Time to man up and swallow my pride

Well, this is embarrassing. I left a gaping security hole right here in my own author website. I buried my head in the sand and planted a “kick me” sign on my butt. I dodged a bullet because, as you’ll see below, nobody visits my website yet. But, since I tell people to adopt the motto, care and share to be prepared, I need to swallow my pride and share how I messed up and what I did to fix it. Learn from my mistake. And it’s okay to call me a dork on this one. I deserve it.

A few days ago, my buddy from Ukraine, Ihor (prounced Ee-gore) messaged me.  Ihor is a web developer and he taught me how to use Javascript to make a selection list many years ago. We hadn’t talked in a while and I was eager to show him my new author website.

He asked if he could try to hack it.  I laughed and told him to go right ahead, just tell me what he uncovered so I can fix it. I was confident he wouldn’t find anything. I am a security professional, after all. Too cocky for my own good sometimes.

Take a look at the page views for August 2, 2017.  That was all Ihor. He was thorough. And it didn’t take him long to find problems.

First, he tried to login and change my admin password. I saw the audit trail, and WordPress even emailed me a notice that somebody was trying to mess with my password.

I look forward to the day when thousands of people visit this site every day and I need commercial hosting. But for now, it lives inside a virtual machine in my basement, and since I’m the only one who edits it, I was thinking about restricting access to my local network anyway.  But even with access to the login screen granted to the entire Internet – as are most WordPress websites – Ihor was unable to get in. I was feeling smug.

And then he nailed me.  Take a look at the screenshots of shame Ihor sent me:



He was able to look at directory listings of my website, which is about as bad as it gets. And he let me have it. Here are a few of his comments:

Greg )
Why? )))
come on ))))))))))
I think that’s only the beginning )))))))))
no no ))))))))))))))))
Greg ))

Ihor’s native language is Ukrainian, not English. This was his way to tell me I was sloppy and should have known better. He was right. I hung my head in shame and wallowed in self-pity for a few minutes.  I’m a busy guy. I don’t have time for this. Why is the world picking on me?

And then I forced myself to swallow my pride and find and fix the problem.  This gets technical.

First, I compared this website with other WordPress websites I’ve built.  None of them allowed directory listings.  What was different about this one?  With this one, I put the website underneath the standard httpd directory tree, at /var/www/html.  I might build a network of future websites, and it’s convenient to put them all in this directory tree. I never considered a network of websites with my earlier ones. I put them all into the WordPress standard location, /usr/share/wordpress. That was the only difference I could find.

How did putting this website into a different directory tree enable directory searches?  It was this section in the standard configuration file, /etc/httpd/conf/httpd.conf:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks

“Options Indexes” above means allow directory searches in the directory tree, /var/www/html.  It was an ugly default setting from the Linux distribution I’m using. But it’s my fault for trusting factory default settings and not testing. The cure was to insert this into the configuration file specific to this website, which overrides the default setting:

<Directory /var/www/html/wordpress>
    Options FollowSymLinks

I want to thank my friend, Ihor for doing a great penetration test for me. Care and share to be prepared. I would rather be embarrassed than penetrated. I hope my mistake helps others.

Your own worst enemy

When you wanna cry to your worst cyber-security enemy, hold up a mirror

In a July 20, 2017  interview with New York Times columnist Bret Stephens in a room full of very important people at the Aspen Institute, new CIA Director, Mike Pompeo, said, “WikiLeaks will take down America any way they can, and find any partner they can to help achieve that end.”

When I saw the quote, I wanted to barbecue him. Yet another Trump appointee who doesn’t know what he’s talking about with a knee-jerk reaction to cyber-security enemies.

Well, no, not this time.

This time, I had the knee-jerk reaction.  Pompeo is wrong about Wikileaks, but he’s right about lots of other things and I’m glad I listened to the whole conversation. I need to work on my own biases before I start barbecuing other people for theirs.

It’s an hour long conversation.  Go to the 26:01 mark to hear the quote out of context.  But invest the hour and listen to the whole conversation – you’ll be glad you did.

I did more homework on Pompeo. Here is what he said about cyber-security in this article, and he’s right.

“It is the next frontier of warfare. It’s not new in the sense that threat to America’s intellectual property has been out there for quite some time,” told the Wichita Eagle. “We now see hacking taking place by foreign governments and by private individuals all around the world. America has to invest more and be more prepared. And we all have an obligation to be more secure in the way that we handle our own private information. There is a role there for the government to play, but a lot of this is going to be done by private individuals and private entities in America taking upon themselves of keeping their information more secure.”

But he is wrong about Wikileaks. Unlike many people, I have first-hand experience with Wikileaks. It goes back to 2009 and the aftermath from the Norm Coleman for Senate campaign in Minnesota, when Coleman treated my personal information recklessly and got caught. Wikileaks emailed me with details and that was the only reason I found out about it. Although the Coleman camp didn’t like it, Wikileaks performed a service for me and the country that day. I wrote all about that episode, right here.

I will not defend what Wikileaks subsequently did with Bradley Manning (now Chelsea Manning), Edward Snowden, Reality Winner, or any of the other incidents where Wikileaks published classified information.  Those were mostly wrong.  But Wikileaks is a shade of grey, not black and white.

Wikileaks does not want to take down America.  Julian Assange might be a snake, but he’s not stupid.  If the United States falls, Julian will find himself in a world of hurt from other countries that don’t have the same view of justice as the United States.  No, Wikileaks does not want to destroy the United States, Wikileaks wants to enrich Wikileaks. Wikileaks is no friend of the United States, but it’s not a cyber-security enemy either.

Who are the United States’ real cyber-security enemies? For a hint, take a look at just a few headlines between July 19 and July 24, 2017:

5,300 University of Iowa Health Care records exposed for two years

Millions of SSN across 10 states leaked in Kansas Commerce Dept. breach

Chipotle data breach leads to illegal ATM withdrawal

Thieves find a new way to hack and steal Teslas

Inappropriate Access to Patient Records Spanned 14 Years

Sweden Grapples with Sensitive Data Leak Scandal

IoT Security Cameras Have a Major Security Flaw

Every one of these stories involves Americans exposing private information or losing it to potential attackers. Even the story from Sweden, which shows that Americans have plenty of sloppy company. I could have found many more.  And those five days are typical.

Beyond those headlines, the sorry list of recent cyber-attack victims reads like a who’s who in American industry. And, rubbing salt in the wound, too many of our leaders become unwitting partners with cyber-crooks because they’re embarrassed to be caught with their pants down.

Read about sloppy management and the sorry response at the United States Office of Personnel Management when it allowed the Chinese to steal details on everyone who applied for a security clearance, right here.   How many people died because of that fiasco? Read about hundreds of thousands of American identity theft victims because they filed their taxes electronically right here.  And here.  And here.  Read about Minnesota law enforcement officials abusing driver’s license records right here.

Closer to where Mike Pompeo works these days, how does the US Government justify at least a ten year history of questionable cyber-activity?  Read about Stuxnet, the cyber-attack against Iran to stop its nuclear program, right here, and think about what might happen when the Iranians turn that weapon against us.

To find our real cyber-threats, look in a mirror.  We are our own worst cyber-security enemies.  Not Russia. Not China. Not North Korea. Not the criminal underground. Not Wikileaks. Us. We, the people. The good guys.

But wait – maybe the examples I cited above are just sensational headlines and don’t reflect everyday reality.  Well, not so fast. Here is a taste of my everyday reality.

Consider the bank vice-president who refused to understand the difference between his bank’s website and the bank internal network. Or the dentist who told me he didn’t need computers to practice dentistry – but had no answer when I asked him what would happen when his antiquated Windows XP computer “server” finally died.  Or the business owner who didn’t want to listen to the Internet threats she was up against because the port-scan report I showed her was a bunch of numbers on a computer screen.  Or the medical clinic spewing data to who-knows-where that didn’t want to call law enforcement because the top managers didn’t want the publicity.  Or the nonprofit CFO who didn’t want to listen when I told him he needed an antivirus solution. Or the car dealer who insisted his antivirus solution was just fine, even though it crashed both computers where we tried it.

Just a few anecdotal stories I’ve been part of, first hand.

For busy people with no time to absorb details, here are six words that everyone who uses the Internet should take to heart.  This is everything you need to know about Internet security. It took me three years to come up with this. Here it is:

Care and share to be prepared.

Care enough about security to educate yourself.  Share what you learn and expect everyone to share with you.  I have plenty of mini-seminars that go deeper.  Here is one.

I wish Mike Pompeo the best in his tenure as United States CIA Director. I hope he helps all of us open our eyes.

Are you nuts? Never let anyone put an RFID tag microchip inside your body.

It’s all over the news.  Fifty employees of a company named Three Square Markets, in River Falls, Wisconsin, are lining up to have an RFID tag implanted between their thumb and forefinger.  With the company CEO and his family leading the way, employees are volunteering to have it done.  And they’re apparently excited about it.

Here is a link to one of the stories from CBS News.  Here is another one from the St. Paul Pioneer Press, which reprinted the original Washington Post story.  The Pioneer Press should be embarrassed that it had to reprint a Washington Post story about what’s going on in its own neighborhood, but that’s a different topic.

Implanting RFID tags in people is not new.  But it will always be a bad idea on many levels.  I’ll get to that in a minute.  First, how the technology works.

RFID (Radio Frequency Identification) tags are at least twenty years old.  They’re about the size of a grain of rice and they contain one piece of data; a unique ID.  Think of it as a serial number.  They’re passive, meaning they don’t need batteries, and they’re inexpensive at about fifteen cents per unit.  Pass an RFID tag near an RFID reader, and the reader triggers a tiny radio signal from the tag with that number.  The RFID reader “hears” the number and sends it to a computer. That’s it – that’s the technology.

The power is in the applications.  Retailers use RFID tags to track inventory.  Walk into a modern retailer and you’ll see RFID readers near the entrance.  We put RFID tags in dogs and cats to track our pets.  They’re in vehicles to automatically pay when passing through toll booths.  They’re in badges to enter secure doors.  Manufacturers use them to track work in progress.  Today’s world is awash in RFID tags.

What’s not to like? RFID revolutionized retailing and other industries by improving efficiency and driving down costs.

Imagine the convenience if we could uniquely identify every human being in the world by scanning a hand.  Wave a hand over a vending machine to buy a sandwich.  Walk past an RFID reader in a doctor’s office and a computer in the back room looks up all your medical records.  Keep a living will on file.  Or organ donor information, which could save lives.

The applications are limited only by our imaginations.

Which is one reason why implanting RFID tags in humans is bad.  Do I really need to spell out the dangers of databases that track everything there is to know about us?  All that convenience comes with a cost.  Do we really want to live in a world with RFID readers everywhere, in front of massive databases that track everything we do?

And it gets worse.  I’m a Christian, and I believe the Bible is the word of God, recorded by people and handed down to us over the generations. We can argue whether the authors of the Bible stories we read today told the truth, but it’s indisputable that lots of scholars have gone to lots of trouble to make sure today’s New Testament accurately reproduces what those authors said.

And in one book we’ve come to call Revelation, an Apostle named John, around 95 AD, predicted implanting today’s RFID tags into humans as a sign of really bad things in the world of his future.  Just read what he said, from Revelation, chapter 13:  I’ll quote verses 16 and 17:

16 It also forced all people, great and small, rich and poor, free and slave, to receive a mark on their right hands or on their foreheads, 17 so that they could not buy or sell unless they had the mark, which is the name of the beast or the number of its name.

There’s lots of context and discussion about these verses.  Start at http://www.biblegateway.com to see today’s translations for yourself.

I don’t mean to turn this blog post into a Bible study.  Here’s the point: with people apparently excited today about implanting these things in their bodies, it’s not much of a stretch to imagine these things becoming mainstream and a requirement soon.

Not inside my body.  I am not a serial number, I’m not a piece of inventory, I’m a flesh and blood human being. I’ll go to jail or worse before ever consenting to implanting one of those things inside me.

When your company cuts its own throat, you don’t need to cut yours

The Register recently published this article about IBM disallowing remote workers and it brought back a flood of memories.   The article should be titled, “IBM cuts its own throat.” Here’s the key paragraph:

According to well-placed sources, IBM’s Software and Systems unit began a transition similar to the marketing department’s upheaval late last year, with remote workers told they would have to move and work at one of a handful of city offices, or find a new job.

It’s a morale boosting move.  IBM’s chief marketing officer said so.

IBM has pitched all this change to employees as a way to improve the working environment and office culture. In a video message to her troops, seen by The Register, chief marketing officer Michelle Peluso said “there is something about a team being more powerful, more impactful, more creative, and frankly hopefully having more fun, when they are shoulder to shoulder.”

I thought that was satire at first.  But it’s real.  Apparently, workers have 30 days to decide; either move to the city where your team is located or you’re out.

Imagine working for a company, year after year, pouring time and emotional energy into your job, only to wake up one morning to find you have 30 days to either move across the country or quit. The beatings will continue until morale improves.

And that sums up why I have such a deep distrust of all big organizations.  It’s just plain wrong when a disconnected manager with a spreadsheet disrupts thousands of lives and hammers shareholders in the same move.

Death Spiral

Way back around 1993 or so, the company where I used to work was going through its own death spiral.  The weather was bad here one day, and traffic was backed up all over town, especially crossing the river that separates where I live from where I used to work.

I tried every river crossing between my house and the office.  They were all parking lots.  So, I turned around and drove back home.

I had a terminal. Yes, a real DEC VT220 terminal, and modem, and I dialed into work and started getting things done. There was a customer crisis and I talked to people over one phone and talked to computers over a modem on the other phone line. I kept right on working and next time I looked up, it was 5pm and time to go home. Except, I was already home, and I realized it was a productive day. I felt good.

Next day in the office, I caught an earful of grief about not showing up for work.  Nobody cared about the customer crisis. That attitude represents what killed Digital Equipment Corporation.  And it will help kill IBM.  Here is one more story.

Around 2014, when I was an IT equipment reseller, I needed a storage solution for a customer project.  A few IBMers wanted me to resell their product, and they treated me to lunch at a local diner.  As we ate lunch and talked, I could see burnout in their eyes.  Sometimes, you just recognize it.  Especially after living through it myself back in the early 90s.  But I signed up as an IBM reseller partner anyway, mostly because I’d been jerked around by the other guys and I’d heard good stories about IBM product quality.  So I overlooked the burnout and gave it a shot.

A note to non-tech readers here.  Don’t be intimidated by words like “server” and tech company names like IBM here.  This is about sales and money, not technology.  Think of an IT equipment reseller as similar to a car dealer. Except it’s computer equipment and services instead of cars.  And I went to customers, instead of customers coming to my showroom.

Just like car manufacturers offer sales incentives for dealers, IT equipment vendors offer sales incentives for reseller partners.  The most common is a process called deal registration.  When a reseller brings a vendor into a sales opportunity, the reseller registers that opportunity with the vendor and the vendor grants favorable pricing to that reseller.  It’s a reward for introducing the vendor to a new customer and it’s supposed to protect the reseller from cutthroat pricing competition.  Theoretically, nobody will be able to buy at a lower wholesale cost.

Shortly after my free lunch, and before IBM sold its Intel based server division to Lenovo, I pitched IBM servers to that customer.  It was a warm-up to the larger opportunity for storage, the real prize.  Wouldn’t you know it, Lenovo was the competition, and online store, CDW, teamed up with Lenovo to sell Lenovo servers at a retail price less than my preferred IBM wholesale cost.  I’m no economist, but I figured out a long time ago that selling for less than what you pay is a path to bankruptcy.

I lost that server deal.  But I have a hunch both CDW and Lenovo lost money to beat me.  Small comfort.

And then IBM dropped a bomb.  Because I brought IBM in and registered the opportunity and we lost, IBM punished me by prohibiting me from registering any more opportunities with this customer for 90 days.  This meant, if I wanted the privilege of selling IBM equipment to this customer during the next 90 days, not only would I make less money on any successful sale, but I would be at a pricing disadvantage to anyone else who might come along and register their own deal with IBM.  No good deed goes unpunished.

I complained all the way to the CEO’s office.  Lots of important people promised to make it better, but nobody could override an automated system apparently controlled by a group in the Philippines.  And not one IBM vice-president understood why I was upset.

I teamed up with a different storage vendor and eventually made the sale without IBM.  And that pretty much ended my short IBM partnership.

Now, it’s 2017 and IBM has gone through twenty consecutive quarters of revenue decline.  That’s five years of misery.  Combine desperation to turn around a shrinking revenue base with the bureaucracy gone nuts I tangled with, add disconnected senior managers with spreadsheets, and it’s a recipe for disaster.

And talk about irony.  The same IBM that wants to become a cloud provider decides now is the time to get rid of remote workers.  Tell me how that makes any sense.  Why would anyone  listen to IBM’s cloud message today, when IBM wants to run its own operations as if it were still 1982, when Reagan was president?

I would not want to be part of 2017 IBM.  This forced relocation will only drain talent and eventually kill the company.

Normally, this where I would end.  Yet another disconnected manager with a spreadsheet and a company in a death spiral.  End of story, right?

Creative Destruction

Not so fast.  We live in the United States, land of creativity and free enterprise.  And out of the ashes and pain from this IBM idiocy will rise a wave of creativity that will start something new and better.  Economists call it creative destruction.  Which means it must be common, since it has a name.  I might be the poster child for creative destruction on a small scale.

It doesn’t take a rocket scientist to figure out that this “offer” is really a way to get rid of people without spending money on layoffs and severance packages.  If you’re a twenty year IBM veteran, used to predictability, and with a mortgage and family to feed, you’re probably living in fear right now.  Do you uproot your family and keep working for managers who want you gone but don’t want to spend money to lay you off?  Or do you stay put and look for something else?  Whatever you choose, that perception of safety you’ve enjoyed since before your kids were born is over.  The clock is ticking.

My vote: Walk away now.  If you uproot your family and move across the country to keep your job, what happens in a few months with the next revenue crisis?   You can do better.  The world is bigger than IBM. Or any company.


<a href="http://www.infinite-it.co.uk/?p=1

click here

Prejudice and Respect

I earned my MBA degree in 1996. I share that tidbit to communicate that tech people really can do more than sit in dark rooms and play with computers.  Here’s more. I graduated in the top one hundred percent of my class, making me the opposite of a superstar.  This is a commentary about how I’ve observed tech people and non-tech people interact. That’s the prejudice part. And it’s a plea for respect.

Several years ago, one project in my MBA New Venture Finance course was a presentation about business plans for our proposed entrepreneurial venture. One classmate presented a venture idea to sell generic, low cost blood replacement products. The instructor ate it up. He thought the idea was creative, innovative, and unique. I’ve thought about that presentation over the years, and I don’t know about you, but if I’m on the operating table and a team of doctors need to pump replacement blood into my body to keep me alive, I want the good stuff. I don’t care about saving a few dollars with generic stuff.

I was up all night putting my presentation together, and my turn came next. My idea was to set up and operate an information utility, a 1990’s phrase for today’s cloud service. I used the word, modem, in the presentation, and my instructor stopped me in mid-sentence.

“Greg, you’re using techie words nobody understands. You need to work on that.”

Really?  The word, modem, is too technical for most people?  But cheap, generic blood is okay?

I passed the course, but nobody liked my business plan. Story of my life, I was a few years ahead of my time.

Shortly after the dot com bust of 1999, I tried exhibiting at a tradeshow. I had signs and displays describing all the amazing IT services my company could deliver, and I could not understand people’s reactions.  People glanced at my signs and then either turned the other way, or if they needed to walk past my table, crossed to the far side of the isle to avoid talking to me.

I finally walked out in the middle of the isle and cornered somebody to ask him why. He said he was tired of the technology treadmill, with broken software and constant upgrades, and wished he’d never seen a computer. IT was a necessary evil, and the last thing he wanted to talk about or think about at a business tradeshow was IT issues.

I have other stories. There’s the one about the banker who didn’t know or care about the difference between his internal bank network and his bank website, the dentist who needed his brother-in-law in Colorado to help start up his Windows PCs every morning so he could take patient X-Rays, the security company CEO who killed a project that would have saved his company hundreds of thousands of dollars because it used a computer, the medical device company with a CEO who refused to acknowledge Internet threats, and the charter schools who insisted on operating system versions that would never accommodate their projected number of users. Maybe I’ll write another book with stories about willful incompetence and its consequences.

The common theme to all this is prejudice and respect.

Prejudice first. As an IT professional, before we ever meet for the first time, I already have two strikes against me. Every word I say will be gobbledygook jargon, especially if I use a word like modem in a sentence. You probably think I still live in my parents’ basement and spend all my free time playing video games and watching Star Trek reruns. I don’t shower often, and because I do technology for a living, I am therefore not qualified to talk about business issues or anything that so-called normal people talk about. If your computer breaks, you’ll ask me to fix it, and I’ll do it because I want to show off my tech skills and I crave your approval. But I’ll never have a seat at your decision making table because I’m a technology resource, not a full-fledged human.

There’s another point of view on prejudice. You might feel like you have two strikes against you before we meet for the first time. Maybe you met an IT technician who ridiculed your choice of words because he—and he usually is a he—knew more about a piece of technology than you. Maybe he was power hungry and tried to use his tech skills to gain an unfair advantage. Maybe that left you with a bad impression of all tech people.

Or, maybe you just aren’t curious about how any of this stuff works, and when anyone tries to explain it, you shut down. Fair enough – but, like it or not, technology is fundamental to 21st century society. Stay intentionally ignorant at your own risk.

And that leads to respect. I need to work on how I communicate with you. This is a challenge for me, because I’ve done technology for a living my entire adult life, and the odds are good I’ll use words you’ve never heard of. Do me a favor. If I slip into tech jargon, just tell me and I’ll be happy to work on explaining it a different way.

If you don’t care how something works, let me know that too. But a caution; if you want me to fix your problem, be prepared for some education on how to avoid it next time. That’s my price for free labor. Learn to appreciate it.

I’m not a drone, I’m not a machine, and I’m not a resource. Just like you, I’m a full-fledged human. If we both treat each other with respect, maybe we can both learn some things.


A lot of people have asked me lately, “Greg, why do you write?”  I ask myself that same question all the time, especially in the middle of the night after I’ve fallen asleep in front of the keyboard and I wake up with a sore neck and drool running down the side of my chin.

Believe me, life would be simpler and easier if I just focused on being average.  I don’t remember the last time I went to bed at a normal time and stayed in bed all night.  And doubts about writing plague my mind every day, especially when friends and family constantly remind me that nobody cares about what I write.  They don’t come out and say it, but I can read between the lines.  And, so far, they’re right.  The raw truth is, nobody but me cares about what I write, or what I think, and the odds are good that nobody ever will.  Dreams are for idiots who don’t know better.

So, why not just admit I’m a failure and take the easy road?

It’s the dream.  I want to be a successful writer.  I want it badly enough to put in the time to learn this craft. I want it badly enough that it crowds out nearly all other thoughts. Writing is the last thing I think about before I pass out in bed, exhausted, and the first thing I think about when I get up in the morning, four or five hours later.

But there’s more to it.  I need to insert a sports metaphor.  Sort-of.

When I was much younger, I read biographies of lots of sports stars.  One was Bart Starr.  Bart Starr wanted to be an NFL quarterback.  But the experts said he was too small and his arm wasn’t strong enough to throw long passes.

The Green Bay Packers drafted Bart Star in the seventeenth round in 1956, and nobody expected him to still be there by the end of training camp.  According to what I read, he prepared by spending hour after hour after hour, day after day, throwing passes at a tire erected on a wooden frame.  He made it through training camp, through three miserable seasons, and then went on to become the greatest quarterback in the NFL.  He had talent, but he won because of hard work.

As a long-time Minnesota resident, I also watched Randy Moss play football for the Minnesota Vikings.  His nickname was “Super-freak” because his body could do things most human beings only dream about.  He is still the most talented wide receiver the NFL has ever seen.  He should have captured every NFL receiving record, but he flushed it all away by relying on his talent without putting in the hard work to compete with the best of the best.

Who is more admirable – the super-freak with superhuman talent, or the normal person with a superhuman work ethic?  I know who I admire more.

God gave me writing talent.  I could feel it all the way back in high school, when I discovered I had a knack for putting sentences together.  But I blew it.  I never tried to improve.  I never got better, even when I wrote a back page magazine column for five years.

Most of my life is over.  But I’m not dead yet, and I need to make up for lost time.  That’s why I keep at it, night after night, typo after typo, rejection after rejection, failure after failure.  Because, after all these years, maybe, just maybe, I might be able to finally make something out of myself.  Maybe even become a role model of success for my grandsons.  Maybe even leave them something after I’m gone.  If I die trying, at least I died trying, instead of dying wondering what it would be like.  And if an audience finds me, so much the better.

I have a message about talent for the two or three people who might read this someday.  God gave you talent.  You didn’t earn it, it was a gift.  Just because God gave you a talent, even super-freak talent, does not make you better than everyone else.  If God gave you a talent, then you have an obligation to nurture it, develop it, and do something good with it.  Don’t make the mistake I made and spend most of your life ignoring it.  And don’t make the mistake Randy Moss made by squandering it.


What made me care about IT security and why you should too

I’ve been asked many times why I care about IT security.  It started in earnest for me way back in 2000 when somebody invaded my house.  I first published this story in the February, 2001 edition of Enterprise Linux Magazine.

International Terrorism in Minnesota

I’ve written extensively in this column about a small Linux DNS server I run.  Imagine my surprise a few weeks ago when I found my system launching a denial of service attack against the Government of Brazil.  That set a chain of events in motion every bit as traumatic for me as the recent Presidential election was for everyone else.

It all started when I tried to access my email.  For some reason, the response time was unbelievably slow.  About that time, my wife complained she couldn’t get to the Martha Stewart Web site, or anywhere else on the Internet, and what did I do to the computers this time?

I started investigating and found my house LAN was indeed running very slow.  I looked at my hubs and found port 4 on one hub going nuts.  This was the port leading to my DNS server.  The ps –ax command showed me the following process:

ping -s 65000 -f nn.nn.nn.nn (I won’t share the target IP address.)

My DNS server was sending 65,000 byte packets as fast as it possibly could to a system across the Internet.  When I killed the process, performance went back to normal.

A feeling of dread came over me and my adrenaline started pumping.  Then I got mad as I realized some jerk broke into my DNS server and set up this attack.  Fortunately for the Internet, I don’t have enough bandwidth for anyone significant to seriously care about.  Unfortunately for me, this jerk found out where I am and how to break in to my network.  I felt violated, angry, and afraid all at the same time, especially when I thought about all the data I have squirreled away in various directories on computers all over my network.  I wanted to find this jerk and strangle him or her, but I didn’t have the tools to even know where to begin.

So I called my friends at Mission Critical Linux for help.  I explained the situation and we all agreed that somebody had compromised my system.  I learned a lot about network break-ins that day.  I learned that BIND 8.2.2-P5, the version of DNS bundled with Red Hat Linux 6.1, has “hundreds” of security vulnerabilities, and that Red Hat keeps a list of bug fixes and updates on its web site.  I should have periodically checked for these updates.

I learned to shut down services such as sendmail, telnet, and ftp because they serve no useful purpose on this machine.  Sendmail uses its own process while the inetd process controls ftp, telnet, and others.  These commands ensure they won’t start at boot time:

/sbin/chkconfig –level 345 sendmail off
/sbin/chkconfig –level 345 inet off.

That’s when I remembered that telnet had been behaving strangely.  When I tried to connect via telnet, it wouldn’t echo anything and lately would just tell me the process was ending.

The support person laughed and told me I’d been suckered by the oldest trick in the book.  Somebody probably replaced the real telnet with a fake version designed to steal passwords for later transmission to the bad guys.  The system had definitely been compromised.

The technical recommendation:  Wipe the hard drive and rebuild the system from scratch.  The next recommendation:  Call the FBI immediately because the IP address my system attacked belongs to the Brazilian National Government, and I could face legal trouble if I didn’t report it.

As soon as we hung up, I called the Minneapolis FBI office and asked for somebody who deals with computer crime.  The receptionist sent me to a lady.  The conversation went like this:

Greg:  “Hi – I need to report a computer crime.  Somebody broke into my DNS server and launched a denial of service attack against the government of Brazil.”

FBI Lady:  “Wait a minute.  Did you say D-E-S server?”

Greg:  “No, a DNS server.”

FBI Lady:  “Oh – D – N – S, OK.  What did they do to your computer?”

Greg:  “Somebody tried to use my computer to attack a computer that evidently belongs to the Brazilian Government.”

FBI Lady:  “OK, . . ., who did it?  Do you have their address?”

Greg:  “No.  See, a DNS server translates names to addresses on the Internet.  One of my computers is a DNS server and somebody out there on the Internet tried to use my computer to attack this other computer in Brazil.”

FBI Lady:  “OK, but we need to know who did it.  We need a name or address or some way to find this person.”

Greg:  “Well, I was kind of hoping you guys could help me figure that out.”

FBI Lady:  “There’s not much we can do if we don’t know who broke into your computer.  Don’t you have any idea how to find this person?”

Greg:  “I wish.  See, the Internet is a whole bunch of computers all around the world and they’re all connected to each other.  Somebody on one of those computers found my computer and made it do this attack.  Since all these computers are connected to the Internet, we don’t know if the attacker is next door or across the world someplace.  But maybe they left some clues inside my computer to help track them down.”

FBI Lady:  “OK, let me get your phone number and somebody will call you back.”

Greg:  (after giving my phone number)  “Any idea when I’ll hear from somebody?”

FBI Lady:  “No.  They’re all pretty busy, ya know.”

Greg:  “Thanks.”

I made that call on Tuesday, Nov. 11, 2000 at roughly 1 PM central time.  I called again at 4:30 PM the same day.  As of this writing on December 15, 2000, I still haven’t heard back from the FBI.  I don’t mean to complain, but I was hoping the FBI would be sharper than that.

I’ll share how I rebuilt my DNS server and a list of helpful books in a future column.

I realized later, I made a mistake on my dates in the article.  Nov. 11, 2000 was a Saturday.  I know I called the FBI on a Tuesday, so the correct date would have been either Nov. 7 or Nov. 14.  To this day, I have no idea how I came up with Nov. 11 for a date in the original article.  But this key detail gave me an insight into how the FBI works.

My phone rang one morning in Feb. 2001, a few days after the article ran.  It was a manager in the Minneapolis FBI office and he wanted to troubleshoot.  I thanked him for the call, but said I could not afford to shut down my life and wait three months for a callback from law enforcement.  I had long ago wiped and rebuilt that system.

That’s when he went into CYA mode.  He said that since I called on a Saturday (remember, I really called on a Tuesday) I must have connected to a weekend operator.  That was why they had no record that I had ever called.  Yeah.  Uh-huh.  My tax dollars at work.

Lesson learned – law enforcement is of little or no value in data breach scenarios.  Over the next several years, I would learn that lesson a few more times.

Here is why everyone should care about incidents like this.  Somebody exploited a flaw in one of my public facing systems to invade my house and use me as a drone in their attack against a third party.  Although nobody physically tramped through my house, the net result was the same–I was violated.  And I was on my own to fix it.  How many times since have we heard variations on that story?

If you’re running a business and somebody violates your company IT systems, the odds are slim that anybody from law enforcement will help you.  If you’re an individual consumer, the odds are even slimmer.  Read books like “Bullseye Breach” to educate yourself on how these violations happen, read earlier posts in this blog, and keep an eye on future posts for ideas to reduce your attack surface.

If you bury your head in the sand, don’t be surprised when somebody kicks your exposed rear-end.

(I first posted this on my Infrasupport website on Nov. 14, 2016 and backdated here to match the original posting date.)