What Grover Can Teach Us About Breaching Perimeter Defenses

When a firm has a known point of ingress from the Internet, it will secure that connection. It will use firewalls, IPS devices, proxy servers, all kinds of good stuff. Those defenses will pass audits, no problem. But what about ways to get into the corporate network that aren’t known to central IT staff? What are the consequences of those unmanaged points of ingress?

We turn to Grover the Muppet for that lesson. In the video I linked, it is ostensibly about bringing a bowl of soup to a sick friend. However, on another level, it is teaching penetration testing techniques to five-year-olds.

Shalom Sesame: Mitzvah Impossible

Grover first encounters a wall. Call it a firewall, if you want. Rather than give up, Grover finds one way around it – going over. His friend finds another way – going around. In both cases, the wall did not cover all possible ingress paths, so it did not provide sufficient security. Later, when Grover encounters a cow blocking his path much like an IPS does, he need only pass a weak test – basically a declaration that his traffic is business critical – to continue forward with his payload.

Grover’s activity would be analogous to an attacker entering a network via an insecure ingress path and then using traffic defined as legitimate to continue with his operation. He uses methods so simple, a five-year-old could grasp them. Maybe those over five would do well to review the security video I linked to…

At any rate, the wall is very nice and blocks traffic that does not route around it. Had the wall been fitted over a cave mouth, it would have been much more difficult to route around, and that would be possible only if there was another unsecured path of entrance into the cave system. As it is, it needs to be taller and wider to cover those available paths of ingress.

How many firms have frustrated employees? I suspect it’s all of them. That’s bad news, because frustrated employees are also those that are most likely to call up a local ISP for a DSL line out of their local budget so that they can have Internet access for some purpose. Nobody higher up or in the central office approved the line: they just put it together themselves. And if central IT refused to allow that connection to hook up with the corporate network, that’s not a problem. They can buy some inexpensive small business switches and hubs and allow their PCs to connect to the corporate network and the shadow IT network at the same time.

How many firms have web developers on a tight schedule? Oh my, that’s a very high percentage… That’s bad news because those developers might set up VPN servers – only for emergency purposes, of course – so that they can connect from home to the test environment more effectively than they can if they use the corporate VPN. Or maybe they have a fileshare server opened up so it can offer its files on the Internet, making things much easier. Or maybe they use an insecure coding shortcut that gets the site up that much faster, even if it means it now allows quite a lot of malicious activity over HTTP and HTTPS.

How many firms have employees that click on links in emails? How many firms have contractors whose contracts have ended, but their workstations stayed logged in… and unpatched… and maintaining a dual-homed Internet connection on the guest network? How many firms have subsidiary or ancillary organizations that manage their own Internet connections… badly… and that have full trust relationships with the parent organization?

Well, that’s bad news, because… well, I’m sure you see the pattern here. None of these paths of ingress are properly managed, let alone secured. Malicious Grovers are carrying bowls of malware-infested chicken soup to servers and workstations that lap the stuff up without questioning.

So now the problem is finding the unmanaged ingress points. The solution is simple: look at your traffic. See if there is traffic on your network that has an outside IP as its source. Next, take a look to see what ports the traffic is using. If those ports are blocked on your firewalls, and I mean *all* your firewalls, see if there are routing paths to that outside IP that take odd twists and turns in your network. Perhaps they lead to that unauthorized ISP connection or that rogue VPN server.

Once you find those things and have them shut down, check your traffic again. You may very well see those IPs again on your network, now with new routes back out. Those will lead to other paths you want to close off.

You have to check constantly, because you will never know when someone creates a new path of ingress that endangers your network. You can also check for dual-homed devices and abandoned devices and try to police links in email messages. All those measures will help to keep five-year-old kids who saw the above video and got the wrong idea from hacking up your network.

Now, the disclaimer… I work for a vendor that not only makes a product that covers most of the detection methods and remediation items mentioned above, I’ve also used it in an environment that thought it had closed off all those other ways into its network. When I told them about the IP addresses in China that were scanning for the Cisco Smart Install port, they soon discovered that there yet remained more ways in that they would have to deal with.

This is not FUD. This is a realistic assessment of stuff that happens, most likely under everyone’s noses. Not everyone knows to look for this stuff, let alone knows how to look for this stuff, which is how it can go on and on. If auditors only know to check the managed gear, then a firm could conceivably pass audits and still have these issues happening.

So, take a tip from Grover and start looking for ways people break into your network that go over, around, or right on through your perimeter defenses.

Do I Miss Teaching?

It’s been about 5 years since I decided to end my career as a teacher and return to IT. People still ask me from time to time if I miss teaching. The short answer is no, but the long answer is yes.

For the short answer, I love not just my current job, but my current career. Once I had started back in IT, not one day did I wake up and desire to return to the classroom that I had left. I had dreams about teaching, but they involved either dull routine that I was glad to have left behind, or they were about packing up and leaving. Both gave me a sense of closure, that I was done with the profession.

Which leads to the long answer, the “yes”. Truth is, I was missing the classroom my whole last year of teaching. The work I had been able to do, both in the 90s as well as the 00s, that was no more by 2012-2013. School administrations no longer trusted a teacher’s ability to exercise professional discretion in preparing and delivering coursework. When I was doing IT work in the late 90s, I often yearned for the classroom. I had the same yearning during my last year of teaching.

Being forced to buy into the culture of testing that now exists meant selling out on my hopes of continuing to be the kind of teacher that could be flexible enough in the classroom to find a way to make a critical difference in people’s lives. I know I couldn’t impact everyone and that I could come off as a pompous ass to a lot of people… but I also knew that I had a much bigger audience that liked what I did and, within those audiences, I could make connections that would help guide lives.

All that was evaporating before my eyes as I saw mid-level administrators, living in fear of budget cuts that would axe their positions in a heartbeat, spread a culture of fear. Their jobs were safe if they could convince top administrators that their jobs were necessary to maintain the almighty test scores. This was happening not just in my district, but pretty much every urban and suburban district with 2 or more high schools.

So yes, while I miss teaching, I also know that what I once had is gone. It’s not coming back. I can think about the good times, but I have to move forward. I am fortunate and grateful that I have been able to return to IT. I’m working with people that trust my professional discretion, and that makes all the difference.

The Earth Wrapped Up As a Scroll

What is meant by the expression, found in the Bible and elsewhere, about “the Earth wrapped up as a scroll”? Several things, all at the same time, because of the precision of God’s language.
1. When one finishes reading a scroll, one wraps it back up before returning it to the shelf upon which it is stored. The Earth, at the end of its time, will be prepared to return to where it once was – wrapped as a scroll.
2. In addition to the simile’s implication of return, there is also the implication of finality. There is a time, after which, we do not continue to experience time as such, but return to where God is: and where God is, there is no time.
3. Physics. Particularly those of a higher-dimensional order. Just as we can take a line of string, let that represent one dimension, we can bend it through a second for it to meet itself as a circle. Just as we can take a sheet of paper, let that represent two dimensions, we can bend it through a third for it to meet itself as a tube.
Given that God exists in a realm where time is not a relentless crumbler of mountains, such as we see it, but a direction that goes this way and that, then it stands to reason that the realm of God has sufficient dimensions necessary to behold the whole of creation as one.
Therefore, it stands to reason that with those sufficient dimensions, they would include those sufficient to bend the earth so that it meets itself in a higher-dimensional construct our language has not words to describe, but God’s language would, and precise ones, at that.
Speculation – the “wrapping together” would be, perhaps, a similar preparation as what was required for Moses, Abraham, and others to behold God? That all things must be transfigured in order to return to God and that, without a pure soul to match the pure body, we endure pain and discomfort in God’s presence, so much so that it would be best described as a burning lake of fire, or some other nigh-unthinkable torture to our minds?
Yet, such tortures are scripturally described solely as natural phenomena. There is no mention of God or any servant of God, or even Satan or his followers, meting out such punishments. These phenomena arise naturally, out of conditions brought about via a dichotomy of a pure body housing an impure spirit. The only cure for which is an appropriate distance from God.

Maturity in Belief

Often, I see people that claim to have a belief in something, but then go on to undermine the ability of others to share in that belief because these people are too strident or over-the-top in trying to present their views. To them, things are so crystal clear: what could be wrong with someone that does not agree completely with their views? Are they ignorant? Or are they willful enemies?

By leaving out the ability of others to judge things differently, which I call spiritual immaturity, such people are prone to hardline views, are less able to forgive, are more likely to use contentious or confrontational language and, ultimately, commit acts of violence. They will do these things, all the while believing that they are in the right and are justified in their actions.

Spiritual maturity, on the other hand, allows one to accept that other people will walk other paths. Indeed, that each person walks a unique path, some in a similar direction, others not. A spiritually mature person would hope to influence the path of another, but will also recognize when such influence is either unwanted or won’t be understood, or both – and then, in such cases, to refrain from attempting such influence.

Sadly, the spiritually immature can see this maturity as a threat to their own narrow views and lash out against it as heresy, putting it on the same level as their paranoid reactions towards supposed enemies outside their faith. To the immature, the mature can seem as traitors from within because they will not join in crusades or other acts of forcible conversion. Rather, they live and let live and somehow seem to allow evil to flourish.

In truth, it is the mature person that is not allowing evil to color his or her actions and pervert his or her beliefs.

I’ve been the immature person before, thinking that standing my ground in a heated argument lasting for hours was a sort of victory. In truth, it was all wasted words, as I did not convince the others of my views and served only to make them more ready to disagree with anything I proffered in the future. I’ve been that way about my religion, my politics, my views on music, my tastes in arts, and so many other subjective areas. It’s taken me many years to develop the ability to let others have the last word, even when it contradicts what I’ve been trying to say. It’s a sort of long game for me, because if I’m known to let others have a fair say, then I’m more likely to be listened to in the future by those I disagree with. And, maybe in that future day, my arguments might find their way into the hearts and minds of those others that disagree with me today.

Perhaps this is why I’m drawn to teachings of live and let live that are common among Daoist philosophers, Zhuangzi in particular. Perhaps this is why I see value in the Zen koans. While I myself am neither Daoist or Buddhist, I find a sympathetic maturity in their sentiments, in the way they serve to remove masks and illusions that so often bedevil our views, and then allow us to better penetrate the darkness between our souls and enlightenment.

How Musicians Speak to the Press

I’m wondering how much stuff any person in a band says is due to contractual obligations to promote current work. How much of slagging previous work is considered necessary and appropriate to build up one’s current product?

ORIGINAL BAND: “Everything we’re doing now is bold and imaginative, we’re really like nothing else.”

PROMINENT TALENT GOES SOLO: “It was all rehashing of old blues numbers in Original Band, I got tired of going nowhere musically. I’m so glad that I can truly express myself on my solo albums.”

THE REUNION: “What I did as a solo artist, I had to do, had to get it out of my system. Just a flight of fancy. It’s so great to be making magic again with Original Band, the stuff we’re making now is as great as the old stuff.”

AFTER A DISPUTE OVER PERCENTAGES: “I have left Original Band, effective immediately. Please consult the legal firm of Dewey, Cheatham, and Howe for further comment.”

JOINS ANOTHER BAND: “The Original Band reunion was a disaster. Of course, you read about my departure in the press, and I’ll give you the REAL story after I mention how awesome and liberating it is to be with Another Band. These guys are amazing, this is the best work I’ve done.”

SECOND REUNION OF ORIGINAL BAND: “It’s like I never left home. This is the only real music I’ve ever done, my work with Original Band. Our new album will not disappoint!”

NEW ALBUM DISAPPOINTS, DOES ANOTHER SOLO ALBUM: “Most of the reason behind the second reunion was money. I wanted to make music, they just wanted the money. Such a pity. But I’m glad I can fly free again.”

GETS BACK WITH ANOTHER BAND: “We’re not doing the songs recorded by the guy I replaced. They’re not my music and, frankly, I don’t consider them to be truly Another Band. When I’m with Another Band, then, yes, you can be sure it’s really Another Band.”

PARTIAL REUNION OF ORIGINAL BAND: “Me and the guitar player, we were always the core of Original Band. We don’t need the other guys to play amazing stuff.”

FULL REUNION OF ORIGINAL BAND: “If it’s not all four of us together, it’s simply just not Original Band, full stop. Don’t let anyone say otherwise.”

DRUMMER OF ORIGINAL BAND DIES IN FREAK GARDENING ACCIDENT: “We will miss him dearly, but we will also carry on. Original Band will rise from the ashes and continue forth to newer, better triumphs.”

SLIGHT ISSUE REGARDING DISTRIBUTION OF MERCHANDISING PROFITS: “I’m glad to be done with those money-grubbers and, frankly, they can all go to hell, where they can join up with their ex-drummer.”

ISSUE IS RESOLVED, WORLD TOUR RESUMES: “Me and my mates are inseperable! God bless them all, and I wish our ex-drummer were here instead of ‘up there’, where I know he’s drumming with Hendrix.”

OFFERED MORE MONEY TO TOUR WITH ANOTHER BAND: “My heart has always been with Another Band. Original Band, sure I had some laughs with them. But Another Band is where I’ve always felt like I was freest to explore, where we could play like no other band in the world.”

And so on, and so on, and so on…

Prioritizing Security Spending

I’ll put on my manager/owner hat, since I have one laying about the house, and will look at the receiving side of my constant cries to emphasize security spending. There, it’s on, although it seems to restrict blood flow to the part of my brain that handles technological details… never mind, let’s get to budgeting!

First off, security is very important. It’s so important, I’ll use a few more “verys” to emphasize that importance. It’s very very very very very important. But, before I can pay for security, I have to pay for a few other things.

Out of my revenue, first to go through are my loan payments. If I don’t keep current on my merchant loan companies and business loans, I close my doors. That’s a certainty. Ditto for payroll, rent, and utilities. I have to pay those, on time, every month, or I *will* close my doors.

Next up, I have to pay for my materials that I use in my business, whether those materials be solid manufacturing inputs or intangible information, it’s what I use to make my stuff. Without those inputs, my business is no more.

Then there’s advertising. I have to have that, right? I also need money for fees, which I pay to local, regional, and national government authorities in order to stay in business. If I don’t pay those, my business will certainly not be able to operate.

Now, I’ve got some money left over. Part of me wants to have a little more for myself, to compensate for all those days I lived out of my office, getting this business off the ground. That’s why I went into business, right, to make a little something for myself, over and above what The Man would pay me in a regular gig? I’ve got a business partner, as well, and we’ve been through everything together, all these years. I’ve got to give him his cut, fair’s fair.

What’s left is my IT budget. Before anyone panics, let me assure you that there’s still quite a lot of money in that pot.

But, before I pay for any security, I need to pay for my existing licenses. If my PCs don’t have an operating system, they don’t run, and I don’t have a business anymore. Then I pay for my productivity software because what’s the point of having PCs if they don’t do anything useful? No, I must have word processors, spreadsheets, and email! No compromise on that!

If I have specialized software for my line of business, you better believe there are some big-time license fees to run that stuff. But, without it, I can’t produce what my customers want. Honestly, security is important to me, you saw how many “verys” I used up there, but I have to first allocate money for what’s core to my business.

But I’m almost to security in my line-items. Let me first cover printing costs, VoIP services, Internet connections, and a new box fan for my server closet. As long as we keep the fans on and the door open, the servers won’t overheat. That’s a good feeling to have, the feeling you get when you know the servers won’t overheat.

Now that I’m ready to buy some security, please don’t bring up the issue of locks on the doors. I can lock the outside doors, but if I lock the door to the server closet, we’re finished as a going concern.

Looking at the budget, there’s not a lot, so maybe I should get the most important piece of security gear and hope it does most of the work I need it to do. I’ll get a firewall and pay for that annual license/maintenance.

Then there’s an antivirus program that’s only $21.95 per workstation when I buy in bulk, I’ll get that. I don’t know if it’s any good, but it’s at least something.

I need to buy a backup and recovery solution, so that’s going to set me back a bit.

I also have to pay for spam filtering and DDoS protection through my ISP, or I get shut down by spammers and/or DDoSers. This expenditure, in fact, should have come before the backup and recovery.

When I ask the guy that comes in twice a week after lunch to do my IT about what else I should get, he’s got a long list of cool stuff. But when I look at the prices he quotes for them, I have to shake my head. I really can’t afford to spend thousands on a big piece of hardware like a proxy server or an IPS. Maybe if I saved up, I could, but I can’t spend that kind of money right now. And don’t even talk to me about IP protection or UEBA or other big systems like that, there’s no way I can buy one of those solutions.

The thing is, security is a matter of maybe I’ll lose my business if I don’t have it. The other things are a matter of I *WILL* lose my business if I don’t have them. Will beats maybe, every time. That good feeling I have about the servers not overheating is countered by the worry I have that one day, maybe tomorrow, I’m the next small business that gets hit with something that the firewall, antivirus, and/or antispam-antiDDoS can’t deal with. But that’s a maybe, a roll of the dice.

Eventually, I learn to live with “maybe” and I just focus on running my business, the best I can.

And if all my PCs, unbeknownst to me, are secretly mining bitcoins for North Korea or participating in Mafia-run botnets, it’s no concern to me as long as I keep in business. What I don’t know doesn’t impact my bottom line.

I’m not being callow or flippant about wanting to emphasize security but simply not having the budget for it. That’s a reality. And if I get to where the “maybe” doesn’t nag at me anymore, then I can live with myself and my decisions.

I just took off my manager/owner hat and read that over. It does make sense to me. As a security person, I see all the breaches and crashes and outbreaks. But I don’t see that, for most people, these are only rumors, things that happen to someone else. Daily bashing away at firewalls, constant spam and DDoS, legacy malware trying to infect your PC like it’s 1999, those are the constants that happen to everyone. Businesses must protect against them. The other stuff, though, that’s in the realm of “maybe” and that’s not a strong enough case to justify a major expenditure, particularly one that could cut deep into the profitability of a firm.

Insecure Social Media, Russians, and US Elections

For social media companies, insecurity is an integral part of their business model. It’s all down to how they work. They want to sell advertising and their rates are determined by the popularity of the pages where the ads run. More popular pages means higher ad rates, so anything that boosts popularity also boosts revenue for the social media companies.

Of course, when accounts that are liking and following are found to be fraudulent, advertisers cry foul and demand a purging of those fake accounts and also a reduction in their ad rates. This creates an incentive for social media companies to obscure account ownership so that fake accounts are less likely to be discovered. There’s also an incentive to engage in clickfraud, but I’ll pass over that for now. Instead, I’d like to focus in on how those fraudulent accounts can do more than just hike up revenues.

The Russian intelligence agency Федеральная служба безопасности Российской Федерации (ФСБ) – FSB to English-speakers – has made use of misinformation and agitprop since it was the FSK, and before that the KGB, and before that the MGB, and before that the NKVD, and before that the NKGB, and before that the Cheka, and before that the Okhrana. One could say that misinformation and agitprop have been hobbies of Russian intelligence agencies for about 130 years. What is new for this age are the avenues available to the FSB to spread its poison messages.

Before social media concerns, Russians wishing to whip up extremist political movements and create internal discord in Western democracies had to buy their own presses and pay for their own mouthpieces, which could be quite expensive. If one of those were unmasked, then the expensive operation would be compromised and that expense and effort would go to waste.

But with FaceBook and Twitter and blogs, the FSB now has drastically reduced costs and much higher levels of cover. It’s Agitprop as a Service! Consider how easy it is to run multiple fake online accounts, compared to hiring multiple agents. These accounts generate interest and activity on social media, so they drive up ad rates – the firms that would be policing them in an authoritarian regime are protecting them in a capitalist system.

Even better for the FSB, the ability of extremist groups – particularly the far right – to sequester themselves from other news sources means that, once a message is injected into their media echo chambers, it will be repeated often enough so that, in the observation of Josef Goebbels, it will be held up as a truth. What shows up on RT.com will be tweeted and retweeted by FSB accounts active in far-right forums and will soon be heralded as non-fake news in outlets such as Fox, ZeroHedge, and Breitbart.

Back when ZeroHedge was more focused on the financial misdeeds of large banks in the wake of the Panic of 2008, I was an avid reader of stories posted there. But something changed over time, particularly in the run-up to the 2016 election in the USA. It went from examining financial issues as its primary focus and slid deep, really deep into pro-Trump positions with lots of posters on its boards echoing comments that could be classified as pro-Russian, anti-Semitic, racist, neo-fascist, and/or a combination of the previous.

The slide in bias was obvious to me. I’ve been a follower of non-corporate media since the 1980s, and I know the difference between an investigative journalism piece and a partisan propaganda paper. ZeroHedge had definitely lost a lot of the former and had gained a lot of the latter. As the onslaught of Russophilism, antisemitism, racism, and neofascism increased, I felt a need to get out of that news source and seek out alternatives. In so doing, I did a lot of searching. In those searches, I was stunned to see how many other outlets were parroting the sludge from ZeroHedge, like they were sheep from Animal Farm bleating out “four legs good, two legs better!”

From all this agitation in stirring up the far right, Russia knows it is destabilizing America. The heads of the FSB know that the American far right will prove Pushkin right at every turn: it will reject ten thousand truths in order to cling to the lie that justifies itself. This is how I know Judge Moore is highly likely to win the Senate election in Alabama. The Russian Twitter choir is singing his praises and millions of far-right users of social media are echoing those sentiments, actively and belligerently.

Judge Moore, of course, is a hand grenade being lobbed directly at the US Senate. The man has shown a pattern of serial sexual predation against minors. If he wasn’t running as a Republican for the Senate, he’d be the focus of a true crime show right now. Russian tweets and far right echoes claim falsely that his accusers have either forged evidence against him or recanted their claims. Those lies allow his supporters to push hard for his election. If Moore is elected, it will roil the Senate as many senators will demand that he not be seated and that Alabama send a different favorite son to the Capitol. Each house of Congress can do just that, accept or reject the people sent to it – and Moore is ripe for rejection.

If Moore is rejected, it will split the Republican party even deeper. The Republicans are already incapable of putting together a coherent legislative agenda. With a Moore rejection, it will be practically open war between the different halves of the Republican party.

If Moore is not rejected, it will split the Republican party even deeper, but in a different way. Instead of Moore’s supporters repeating Russian propaganda that they were robbed, it will be outraged moderates, unable to stomach being in the same political caucus as a sexual predator. Bear in mind that the stalking of multiple daughters of single women, all around the same age, all in roughly similar ways, is an actual pattern of sexual predation. We have documentation of this. We have multiple testimonies to this effect. This is a sexual predator that the Russians, through insecure social media, are helping to force down the GOP’s throat.

When we look back to what happened in Georgia and Estonia in the decade prior to 2016, we see exactly the same thing. We see the social media misinformation. We see the political manipulation of extremists. When we look at Ukraine after the USA toppled a pro-Russian government there, we see even Russia providing armed assistance to extremists there. That fact chills me, especially in light of how many on the far right hinted at taking up arms if Trump wasn’t elected in 2016.

I doubt if they actually would have taken up arms on their own, but if they were whipped up by their social media echo chamber and shipped a few thousand AK-15s, maybe they would cross over that tipping point. If that were to happen, I have no doubt that a US Army would crush that insurrection… and then spend decades dealing with low-level guerrilla warfare, all fueled by continued echoing of Russian lies in social media echo chambers.

While there is increasing agitation on the left in the form of the antifa movement, there just isn’t as much militancy in the American left, especially after the legacy of peaceful, antiwar protests. These are not minds that will have much fertile soil for violent rhetoric. They’re also more likely to turn out one of their own if he or she is found to have feet of clay. Witness their abandonment of big donors found to be serial sexual harassers. Witness their pressure on their own political caucus to resign from office, rather than persist in running for it or remaining in place.

No, the fertile ground is in the neofascist mind. The Russians make those pushes in Greece, in Germany, and in the USA. And while I find Steve Bannon to be more of an Austrofascist than a Nazi (the strong affinity for Catholicism is a dead giveaway for Austrofascists), I don’t think such fine details matter either to the Russians or to the minds the Russians poison every day with their lies.

So how do we solve this problem? The market won’t solve it. In fact, the free market will fan these flames because the business model of Twitter and other outlets is to spread misinformation if that means more ad revenue. But in a world of multiple email addresses, how do we limit a person to just one Twitter account? In a world of VPNs and TOR exit nodes, how do we keep too many FSB-driven accounts from affecting social media? When these fake accounts actually started out years ago with softer agendas, and have loads of historical content, how do we build an algorithm that can identify a friend from a foe? Or a friend from a foe yet to reveal itself?

Hamilton 68 http://dashboard.securingdemocracy.org/ is a project that, instead of looking for the artillery shells of propaganda, seeks out the guns. While it does not claim to have discovered all sources of Russian disinformation on social media, it has found some significant signals amidst the noise. There’s some hope yet in the intel they are able to derive from extensive signals analysis. This is what any good intel agency does: read all the news to see where stories originated and how they are disseminated.

Right now, the Russian social media barrage is striving to elect Roy Moore to the US Senate. But, merely by getting the Republicans to cling to him like a piece of driftwood in a shipwreck, they’ve already demonstrated their control over that political faction. In the days and weeks to come, be certain that the Russians will continue to tug on that leash and the far right will follow every jerk and tug.

Insecure Social Media, Russians, and US Elections: Agitprop as a Service.

History as a Game Review

As I played a World War Two grand strategy game, I was wondering what if the men who led nations through that conflict were actually playing a game of that conflict that gave them the outcome they historically experienced. How would they praise or complain about the “game” they played? So I decided to write…

NORWAY: I thought this was a fun little nation-building sim and then WTF??? I get invaded by Germany??? I didn’t do anything, and then, suddenly, no warning, I got totally pwned. I got to keep one unit with my new British allies, yay. And why my nation? Sweden’s the one that had all the iron ore! Obviously, the AI in this game is broken, it makes no sense at all.

SWEDEN: Fun little nation-building sim, but kind of boring. I was pretty much just clicking through events and news reports and selling iron to Germany until they surrendered, then I just started selling it to England, lol. I’d recommend waiting for this title to be on sale, with a deep discount before you buy it.
Continue reading

Quick Start Guide

Welcome to your installation of Secure All the Things (SATT). We thank you for your purchase of our product and hope your installation process goes smoothly. We believe that SATT is the most secure network security solution on the market today. Your commitment to security has brought you here, and we are ready to walk that journey alongside you.

Wow, that was pretty over the top for marketing-speak. Franz Zimmerman saw boxes and arrows further down on the page. Boxes and arrows promised more comforting tech-speak, so he persisted in reading the SATT quick start guide.

In order for SATT to be secure, it requires a high degree of secrecy. This is why you are reading this quick start guide at a SATT safe house.

Yeah, that was a weird requirement. Franz had to take a cab to the airport, where a black SUV picked him up to take him to the safe house to read the guide. These SATT guys were serious about security, from the looks of things.

Your first step in your SATT installation will be to utilize shell companies in the purchase of a property that will house the SATT management servers. Below is a checklist of the requirements for each shell company.

Huh? What? Shell companies? Franz looked over the rest of the quick start guide, which was a single, laminated card, standard page size, printed on the front only. The boxes and arrows were a flow chart, about setting up shell companies, from the looks of things. Where was the listing of how much RAM or CPU cores the servers would need?
Continue reading

Writing InfoSec Fiction

When I first started serious creative writing efforts back in 1997, I had no idea that, 20 years later, I’d be writing about how to write InfoSec fiction. Not only did I not even know how to write fiction, period, InfoSec was pretty much a matter of having an antivirus program and locking the doors to the server rooms. And firewalls, I remember we had just started to have firewalls back then.

Well, enough reminiscing and pondering about how I found myself to be where I am now. I have a purpose, best I get to it.

First off, let’s cover how to write well. It’s not all that difficult. Here are the rules of good writing, as they were taught to me by good writers.

1. Show, don’t tell.

2. Nouns and verbs always beat adjectives and adverbs.

3. Some things are better left to the reader’s imagination.

4. Dialogue should sound like dialogue.

5. Get rid of as many “to be” verbs as you can.

1. Show, don’t tell… that’s the toughest one of all, because we want to explain our thoughts in great detail. Well, that’s technical writing, not fiction writing. How many stories, especially science fiction stories, have gotten bogged down because the characters start explaining all. the. things. The readers will figure out how stuff works as it gets used, don’t worry. Saying “The zapotron ray carved a massive opening into the reactor core, yet none of the radioactivity leaked out” is preferable to the characters spending multiple paragraphs about zapotron technology and why it would be preferable in this situation as compared to, say, an unobtanium battering ram.

In that above example, did I myself go into those technologies? I did not. And yet, each reader now has an idea about them. Show, don’t tell. If I do any more here, I’m telling, not showing, and I’m not about to slide into hypocrisy like that.

2. Nouns and verbs… Rushing beats running quickly. The giant beats the really tall and really big guy. If you have to use an adjective or adverb, make sure it’s not with a plain noun or verb. The exception to this would be in dialogue, where if a person is likely to violate good rules of writing in his or her speech, then it’s good writing to have the character talk that way.

3. Leaving things to the imagination… what’s more scary, the huge hairy spider looming over your right shoulder or… that… THING! AAAAAHH! IT’S COMING FOR YOU! RUN! RUN TOWARDS THE SPIDER!

See what I did there? Consider this an extension of “show, don’t tell.” As I tried to make something scarier than the gigantic spider, I conjured up a notion of something so awful and immediately threatening that your best hope was to run towards the very thing I suggested was fearsome at the beginning of the comparison. And now, by telling all about how I did that trick, I took all the fun out of it. Show, don’t tell, that’s the moral, here. That, and run towards the spider if you’re in that situation, for God’s sake.

Imagination is best when you want to create feeling and mood in your reader. Sometimes, it means ending a story before they want it to end, but, hey, that’s life and good writing.

4. Dialogue… there’s external dialogue. Like my English teacher once said, “When other characters speak, they can reveal so much more with carefully-chosen words, which you want on your side when you fight against Godless Commies.”

Then there’s internal dialogue. One option is to just explain things, but in a dialogue-y way, where you bend words and stuff like that. Stuff that drove my ultra-right English teacher up the wall. Or you can italicize. How do I reconcile my relationship to my English teacher? I mean, she was brilliant, taught me all I needed to know about grammar and writing… but that shrine dedicated to Mussolini in the back of the room? Really? Mrs. Paganini was a complicated person, that was for certain…

Above all, dialogue needs to sound like people talking. Stylistically, if a new character speaks, start a new paragraph. Try to not have a character say too much in one go, it can lose readers.

“You think those ideas work all the time?” a reader asked.

“They’ve served me well,” I said.

“How do I know this isn’t more of Mrs. Paganini’s neo-fascist propaganda?”

I thought a moment. “I guess you can tell it’s not that because one, I’m not wearing a paramilitary uniform, and, two, not once have I spoken about the need to invade either Ethiopia or Albania.”

My reader nodded, satisfied in my answer.

5. Getting rid of “to be” verbs. Remember up in 2, where I talked about nouns and adjectives, how I said “beats” instead of “is better than”? Getting rid of is, are, will be, was, all those “to be” verbs will force you to use actual action words, and that moves the story forward in an interesting way.

***

OK, so those are the rules of good writing. I’d also recommend reading Socrates’ “Poetics” for some tips. It’s a short piece and well worth your time. It’ll also explain why that huge race sequence in “The Phantom Menace” was such a beat-down… put effects ahead of plot and character…

I’d also recommend reading things that help the InfoSec mindset. Look to Eastern Europe for fiction authors and look to trade journals for jumping-off points for stories.

My reading list will include films, but since I use subtitles, I’m still reading them, aren’t I?

Arkady and Boris Strugatsky – Roadside Picnic; Stanislav Lem – Everything he wrote, go for Cyberiad, Solaris, and Memoirs Found in a Bathtub; P.D. Ouspensky – The Strange Life of Ivan Osokin; Vladimir Savchenko – Self-discovery

For the films, go to the Mosfilm YouTube channel and watch Solaris, Stalker, Kin Dza Dza – those are the intro to Soviet sci-fi, which is much more cerebral and psychological than US sci-fi, which tends to resolve issues through violence and/or application of brute physics.

While you’re on Mosfilm, consider also Ivan the Terrible (Ivan Grozny), Ivan Vasilievich Changes Careers, and White Tiger (Belyy Tigr). The first is a pair of films that was Game of Thrones stuff decades before HBO, the second is a wild time-travel romp, the third is about a man who can speak with tanks in WW2.

Also consider the Czech film, “Tomorrow I’ll Wake Up and Scald Myself with Tea”. Why? It’s about things going wrong, and that’s what security is all about.

Once you’re paranoid and twisted in your thinking, you’ll read trade journals and start to get ideas about how things go wrong. You’ll read marketing materials from vendors that promise the moon and see holes in their logic that may deliver a shattered earth instead of a new world. You’ll see reports on outages and mentally explore what’s not reported, how much worse it could be.

Then, you’ll want to write that story.

***

We’ve gone from fiction writing to science fiction writing (briefly) and now we’re ready to deal specifically with InfoSec fiction writing. There are no rules for it yet, because as far as I know, there’s only a handful of people trying to write it, and I’m one of them. So I’ll go into my philosophy, and I’ll try to show instead of tell as much as possible.

The short story is ideal for InfoSec fiction. The short story in sci-fi takes a small concept, a gimmick, and toys around with it. The gimmick is the center of the story, so it won’t last very long at all. It’s not a character, so it shouldn’t be pushed all that far. There will be people and things reacting to, planning to use, and being affected by the gimmick, but the gimmick is the center of attention.

Consider a story about a guy using Internet-enabled footwear that’s also equipped with a flash drive and a toner-like device that can pick up signals from network cables. Fun will be had in the story, but it’s over as soon as he visits the coffee shop and uploads his stolen data to the highest bidder. Maybe it’s over now, but that’s how it goes with the gimmick. It’s a short story, but a merry one.

Writing a longer story runs the risk of getting preachy. If your characters are starting to launch into long dialogues explaining best practices, you are writing an editorial at best and a user manual at worst. If your tale has legs and it’s going to travel into the land of 10-40K words, you’re into novella country, and that demands a different focus for your writing.

Novellas have to be character-centered. This means the focus is not on the technology, but on a person using/affected by the technology. The exposition is about the character in relation to that technology, and the temptation to get preachy will try to overpower you. Resist. Stay with that character and his or her moral journey, as he or she struggles with A Big Decision. For it to be InfoSec related, the Big Decision needs to be related to that technology. A plot in which a jilted lover considers killing his former love becomes an InfoSec plot when he ponders the killing by way of a drone strike, homed in on the former love’s cell phone location… and then, to his horror, he realizes the drone strike took out an innocent because the former lover dropped the phone in the parking lot and the innocent picked it up to go return it to the nearby store’s lost and found. The actual strike and realization would be the climax of the story, unless we want this to be a psychological tale about the killer being caught and being sentenced to work out his problems with an AI counselor… that may have a few flaws in its code…

Novels are big things. If you’ve got the nerve to write an InfoSec novel, good luck with that. If you can keep from preaching and make it all about a group of characters dealing with a world changed by a technology, you’ve got a sci-fi novel. To make it InfoSec, those characters deal with a world changed by the *flaws* in a technology.

That’s the biggest part of InfoSec writing, in my view. We confront the promise of better living through technology and poke at the weaknesses in that premise. We ask what can possibly go wrong and then unleash that vulnerability on our characters. Sometimes, our characters are resilient and deal with the problem. In such cases, I’d recommend no neat and tidy happy ending. The characters dealt with the problem, but now they live in a patched world, and they have to be on their guard just in case the patch introduced a new vulnerability.

An InfoSec writer also has to face a decision whether or not the story will be hard science or more Hollywood in its portrayal of technology. My style leans mostly towards hard science. I want things to be highly accurate. My characters will never ping 10.800.1.1. My characters will never have a program with a GUI that looks like it was designed by a special effects company. My characters plow through huge logfiles, they run Wireshark and pore over the captures, and they get mandatory reboots of their OS at the worst possible times.

But, there are times where I want to go Hollywood. In these stories, I create a fantasyland where all is well, all is good, there is better living through technology for all… except, hey, what’s this little red button do? Ah, it reveals that the makers of this heaven were really humans and there are devils from our own day and age in those futuristic details! Here we are in the year 2877, but the world comes crashing down because the code is backward-compatible to run a DOS 5.0 program… in so doing, I’m able to point out the folly of assuming backward-compatible code is secure, but *without getting preachy*.

I just realized I was getting preachy about not getting preachy, so maybe I should leave the rest to your imaginations and end my essay here.

Or should I say “show, don’t tell” one more time? Where is Clippy to help me finish writing a story when I need him the most?