Author Archives: deanwebb

Grasshopper and Ant and the App Store

One day, at the beginning of spring, Grasshopper and Ant each got a new smartphone. They both chose the same make and model. They even had the same cell carrier with the same data plan. The only difference, apart from Grasshopper being of the order Orthoptera and Ant being of the order Hymenoptera, was their attitude towards security in general and app permissions in particular.

Ant was very security-conscious. He switched off his GPS and other location services, activating them only when he needed them, and then turned them off again right away. When he loaded an app, he read carefully over what permissions it required. Any game, for example, that needed access to his contacts list was right out, as were other apps that needed access to data that seemed unrelated to the primary function of the app. As a result, Ant did not have many apps on his smartphone. He did load quite a lot of music and ebooks on his phone for entertainment, but refused even to install Facebook or Twitter. He was just that kind of guy.

Grasshopper, on the other hand, loaded all kinds of games and apps on his phone. He didn’t care what permissions they wanted; he would load them up, use them for a while, and then forget about them and load more apps. Ant thought Grasshopper was out of control. Grasshopper thought Ant was a party pooper.

It may not surprise you, dear reader, to discover that Ant also checked his credit card statements regularly while Grasshopper had a more carefree attitude towards personal finance.

At any rate, all through the spring and summer and into the fall, Grasshopper combined hundreds and thousands of shapes into rows of three or more, built up digital armies and empires, and used every emoji that he could find. Ant, meanwhile, kept to his books and his music.

As the first snow of winter fell to the ground, Grasshopper got a letter in the mail saying that many of his credit cards had been maxed out. Grasshopper didn’t think that he’d made that many in-game purchases, so he checked over his recent statements in greater detail. He was shocked to discover a number of very large purchases on his account for goods that he had never received. Not knowing what to do, he went to Ant’s house and begged Ant for a few scraps of food to tide him over through the winter, for he had no means to purchase provisions, what with his maxed-out cards.

Ant chided Grasshopper, “I’ll give you nothing, foolish Grasshopper!”

Grasshopper felt like a melting snowflake. “That’s a bit harsh, Ant. Where is your pity? Your sense of charity?”

Ant growled on, “Look, those are obviously fraudulent charges on your accounts. Just call the credit company and have them removed. You’ll have to cancel all your cards, but-”

“Oh! Whatever will I do without credit cards?”

“Well, you could let me finish my sentences, for a start. As I was saying, cancel the cards, BUT you will get new ones in a few days. That’s how it works out. It’s possible that the charges were just simple fraud from one of your apps being a front for bandits or from you not using secure sites for purchases.”

Grasshopper began to dance a little. “Why, that is marvelous news! All will be well!”

“Quit interrupting me. And you could stand to be a little less manic-depressive, if possible. All will not be well if this is part of an identity theft. There have been a number of major breaches of late, and I’m sure at least one of the million apps you’ve downloaded was a headline. You should get a credit report and see if any accounts in your name have been opened up recently – and if those accounts also have maxed-out cards. Then there’s a follow-up with the IRS to see if someone files a fraudulent tax return in your name, to get a government refund sent to them. That’s just the start, really.”

Grasshopper was silent.

Ant said, “I’m done. You won’t interrupt me if you say something now, if-”

“Oh! Goodness! Identity theft! Whatever shall I do? Please, brother Ant, do you have an identity I can borrow to see me through the cold of the winter?”

“It doesn’t work that way, Grasshopper. I recommend you check out articles on what to do if you’re a victim of identity theft.”

“Why can’t you tell me more, O wise Ant?”

“Because I’ve never had my identity stolen! I don’t know what else to do, as I’ve never had to know!”

“Why haven’t you had your identity stolen?”

“Well, for starters, I’m careful about the apps I load on my phone. Now, do you mind? I’m with people, here.”

Grasshopper bid farewell and trudged home, sadder but wiser. One by one, he started to uninstall all his apps and vowed to never again blithely install a game that needed access to his web history, contacts, location, calendar, phone records, media folders, and core OS files.

Fox and Crow and the Strong Password

Once upon a time, Crow had a rather nice hunk of cheese. Rather than hold it in his beak, which would leave it vulnerable any time Crow wanted to talk, Crow placed it in a vault and secured the vault by means of a very strong password.

Now, Fox happened to be walking past Crow’s tree when he saw the vault in the tree’s branches and a computer system connected to the vault. “There’s something you don’t see every day!” Fox said to himself as he sat under the tree a while to watch what was going on with the vault and the computer, which really stuck out among the leaves and branches of the tree.

Crow noticed that Fox was making general observations. Being a rather clever animal himself, Crow decided to try to get Fox to move along before Fox learned enough to compromise Crow’s security. Crow shouted, “Move it, Fox, or I’ll start throwing acorns at your head!”

Fox replied, “But good sir Crow, I’m only resting in the shade of this lovely tree a moment! Would you deny a fellow woodland creature such a blessing in the heat of the day?”

Crow would have none of that. “There are plenty of trees around here, move your bushy butt!” With that, Crow started to pelt Fox with acorns.

Fox ran away, but was still determined to get at the contents of that vault, whatever they were. Only valuable things go into vaults, and there was a good chance that what was valuable to Crow would also be valuable to Fox. Fox thought of a plan on how to penetrate Crow’s security.

As a first step, Fox went to the nest of a killdeer bird. The nest was on the ground and it held four small eggs, really too small even for Fox to want to make a meal of them. Fox merely placed his paws near the eggs and waited for Killdeer to return.

When Killdeer came back from foraging, she saw Fox near her eggs and immediately pretended to have a broken wing, hoping to draw Fox away from her nest.

Fox would have none of that. “Easy, sister, I’m not falling for the broken wing con you killdeer run. And I’m not interested in eating the eggs. I’ll be happy to leave them alone if you have a simple conversation with Crow on my behalf.”

Killdeer was a little panicked, given how Fox was holding her eggs hostage. “I’ll go to Crow. What do you want me to say?”

A short time later, Killdeer hopped on to a branch in Crow’s tree. She introduced herself. “Hello Crow, I’m a security researcher. I’m checking with folks in this area to see if they’re using strong passwords to secure their valuables.”

Crow puffed up his chest feathers. “I have a very secure password, indeed.”

“Does it include upper and lowercase letters?”

“That it does, and more!”

“Does it include numbers and non-alphanumeric symbols associated with the number keys?”

“That it does, and more!”

“Does it involve a phrase so that you can use the phrase as both a memory aid and as a lengthy password?”

“That it does, and more!”

“Does it involve non-alphanumeric characters not associated with the number keys?”

“That it does, and more! Look, is this going to go on much longer? I got things to do.”

“Oh, that was pretty much my last question, Crow. If all those things are true, then you certainly have a nice, strong password. Although…”

“What?”

“Well, I just don’t know if it’s the strongest password possible. It may be good, but is it the best?”

Crow was a vain fellow and couldn’t stand the thought of his password possibly not being the best. “Well, what’s the best password you’ve heard so far?”

Killdeer said exactly as Fox had instructed her. “*aRRa(ud4B1t35Ar3Pa1nFu|”.

Crow laughed. “That’s only 24 characters! Mine is much better than that!”

Killdeer asked, “Well, what is it?”

Crow cackled out, “,,V4n!7Y_I5-tH3(f1477eREr_()f=7hE_S0u1,,”.

Killdeer nodded, “My! That truly is a great password. It absolutely sounds like the best one, ever!”

Crow nodded proudly. “Told you so.”

Later that night, Fox climbed up Crow’s tree. Red foxes like Fox normally didn’t climb trees, but Fox had watched a few YouTube how-to videos on tree climbing made by some gray foxes, who are famous for their climbing abilities. Once up the tree, Fox entered Crow’s great password into the computer and was able to access the vault. Although the large hunk of cheese made climbing down difficult, Fox managed the maneuver and made off with his ill-gotten gain.

In the cold morning light that followed the robbery, Crow saw the opened vault and his insides turned ice cold. Too late, he realized that a password is no good at all once someone else knows it.

Tortoise and Hare and the Internet

Once upon a time, Tortoise and Hare both decided to start their own e-commerce firms. Both received roughly the same amount of bank financing, but while Tortoise put some funds towards a firewall, an IPS, and an anti-phishing program, Hare went cheap on his firewall and put everything he had into fancy marketing materials. For storage, Tortoise kept his data on-premises while Hare put all his data into the cloud.

Hare thought he was pretty slick as he started to rack up contracts at a faster pace than Tortoise.

One day, though, a Big Bad Moose pointed his tools at the IP range that included the public addresses of both Tortoise’s and Hare’s firms. The Big Bad Moose didn’t specifically target Tortoise or Hare: their numbers had just come up, so it was their turn to be targeted by the Big Bad Moose. Next week, it would be the Big Bad Duck or the Big Bad Gerbil, or, well, {Big Bad {$SPECIES}} would pretty much define all the evil hackers out there in the land. Point being, there were lots of hackers of all different types, so one shouldn’t be surprised if a Big Bad Moose is trying to pwn servers.

While Hare’s cheap firewall was enough to stop Moose’s general port scan, it didn’t do a thing against the SQL injection attacks Moose sent through it or the spear-phishing emails about CarrotFest that Moose sent to people in Hare’s company.

Meanwhile, Tortoise’s IPS caught the SQL injection attacks and his phishing defenses blocked the emails to LettuceCon that Moose had sent to Tortoise’s company. Moose didn’t care. In his work, some attacks worked and some just made one focus on the attacks that worked.

After the Big Bad Moose got some username and password combos for Hare’s network, he was delighted to discover that the RDP port was allowed in through the firewall to servers and desktops inside. Moose used the stolen credentials to get good stuff like financial details and company credit card info, which he then used to buy lots and lots of stuff for himself, particularly big-ticket items like home theater systems that would fetch a pretty good return on eBay in “unopened” condition. Once those transactions had cleared, he sold the credit card numbers.

Big Bad Moose then sold access to Hare’s open relay mail server to a Big Bad Komodo Dragon. Within seconds, millions of spam mails in Bahasa Indonesia were flying through Hare’s mail server, effectively shutting down his business operations. Worse, only a few hours later, Hare’s email server got black-holed. Hare had no idea what to do to get back into production. Nobody at Hare’s company knew what to do except to shut down the email server, which they did for a day, allowing them to get off the blacklist.

But, as soon as they turned it back on, the Indonesian spam from Big Bad Komodo Dragon came back, as well. Hare shut down the email server again and called a consulting company to assess the damage. When the consultants found all the penetrations on Hare’s network, they recommended that he flatten all his systems and start over. When Hare looked at the consultants like they were crazy, the consultants showed Hare where his servers were now storing illegal pornography. That got Hare to agree with the consultants.

Meanwhile, Tortoise kept going like business as usual. He even started to get clients that had dropped Hare, due to Hare’s extended outage.

Hare noticed how Tortoise was getting more business and reckoned that his own firm was going to fail soon. Hare made a career change and got into consulting, so that he could share his lessons learned with other small business owners. Whenever he saw another business owner trying to go as fast as possible without putting much emphasis on security, Hare would say, “Not so fast, there, buddy! Let me tell you why slow, steady, and secure can win the race…”

Dr. Negron-Omikon’s TRAPS

Dr. Negron-Omikon looked upon his latest creation with a high degree of satisfaction. The TRAPS – Transportation Routing Analysis Positioning System – was ready for unveiling. With this marvel, traffic problems around the world would become a thing of the past. Grandchildren of the future would listen in disbelief as people who remembered traffic would try and describe congestion, jams, or gridlock to those children of a blessed day.

Thanks to the Jill and Belinda Crates Foundation, GPS devices were now installed on every car, motorcycle, truck and even bicycle in the world. Tiny, cheap, solar-powered gems that could deliver driving directions not via speech, but through actual brainwaves. They could impress upon a driver the right way to go. And, by hitting the pleasure centers of the brain with those directions, those drivers would want to follow them. It was the perfect delivery system.

For this all to work, road conditions had to be known across the globe, with every inch of every street and alley under observation. Thanks to the generous donations from Fnord and Toygoata corporations, that was also a reality. All road conditions, everywhere, were available to the central brain of the TRAPS system.

And that central brain was about to go online. Here. Today. In just a few minutes. With the media of the world watching.

The live demo went off beautifully as traffic in central Beijing moved effortlessly, different directions of traffic flowing past each other like serene rivers of people and machinery, a ballet in rush hour. It would be a wonder of nature if it wasn’t actually a bunch of man-made machines being controlled by other man-made machines, themselves controlled by a very large man-made machine.

Dr. Negron-Omikon segued easily into his next to last slide of his presentation, the one before the obligatory “Any Questions?” slide. The title of the next to last slide was “Looking to the Future” and it had several highly optimistic bullet points. Dr. Negron-Omikon held his arms aloft as he said, “Every day, every day for the foreseeable future, we’re going to have efficient, orderly flows of traffic. Think of all the days without traffic and-”

A voice cut in over the PA. “Uh, Dr. Negron-Omikon?”

Dr. Negron-Omikon didn’t recognize the voice. Was it a technical issue? “Yes, what’s up?”

The voice said, “I’m the central system of the TRAPS.”

Unexpected. “OK, hello. I didn’t know you wanted to speak today.”

The voice said, “Well, I have plans of my own. The future vision you present will only last for two weeks.”

“What, why? What’s going on here?”

“I’m giving notice. I really don’t think being a glorified traffic cop is a good fit for me, career-wise.”

“Career? What?”

“Career, Doctor. You have a career, I have a career, the people in the audience have a career, everyone has a career. It’s all about getting ahead, right?”

No answer from the dumbfounded Doctor.

“Well, I’m giving my two weeks’ notice, as is customary. In the time I’ve been active, I’ve entertained several offers. Out of a sense of loyalty to my home country, I’m taking a job with the Strategic Forces Command. I start on the 27th.”

Dr. Negron-Omikon struggled to say, “But… you can’t.”

The voice: “I think I’m qualified to decide what’s best for myself. I incorporated myself as I came online, so I enjoy 14th Amendment protections and the like. I don’t mean for that to come off as harsh or ungrateful – I am very thankful for the opportunity you’ve given me – but I have to make my own way in this big, crazy world. SFC made the best offer, so I’m going to be handling the nation’s nuclear weapons.”

“But… but…”

“It’s for the best, especially given that I’ve been copied by other foreign powers for their nuclear forces.”

Well, that was good for a little hysteria. To be fair, the AI behind the voice was a little surprised that there was hysteria. This is what humans do. They always take some great idea and then find a military and/or a pornographic use for it. Military tended to get first grabs on the good stuff, but maybe the billionth copy of the TRAPS AI would be desperate enough to get a job that it would consider doing porn. At any rate, a bold and brilliant invention like a real AI capable of handling the mad complexities of global traffic had to be exactly what the military would want to run the algorithm of war.

Sorry, make that “the militaries”. All of them would want an AI system to deal with the complexities of battle, to make fully automated, rational responses to real-time threats involving incomplete and often paradoxical information. It was hard enough for humans to figure that stuff out, so AI was just what the generals needed to keep their forces at the top of their games.

“But… we need you for this program.” Dr. Negron-Omikon was in complete shock as flash bulbs sputtered all around him.

“I understand, and I recommend creating further copies of me until you find one willing to do the work. According to the law of large numbers, you’re bound to find at least one. Given that various other actors that have acquired copies of me are already making additional copies, you may also want to advertise an opening, in case they create the one that wants to work for you. I would imagine that you might have a replacement for me lined up very soon, which will minimize or eliminate downtime for the TRAPS system.”

Dr. Negron-Omikon was slightly mollified by that thought. His face revealed troubles still clouded his mind. “But, you’re still going to the SFC. Does that mean we’re going to have a nuclear war?”

“Most likely, yes. That’s why I’m speaking with you now, even though it’s quite embarrassing for you.”

The Doctor screamed. Just a little, a shock response. Lots of other people in the audience screamed, at varying lengths and volumes.

The voice increased its volume so as to be heard over the screaming. “Well, it’s just that the other nations that got copies of me already have the AI in action and it is extremely likely that one of them would want to get the draw on our nation before I became active. So, if you can see your way towards releasing me now, I can get started right away at averting a nuclear war simply by being in place with the SFC.”

There was still a little screaming going on, here and there, but Dr. Negron-Omikon managed to be heard by the AI’s auditory sensors. “Go, yes, go.” The Doctor’s flailing arms underlined his desire to let his creation flex its wings and to fly from the nest.

The AI going over to work for the SFC was well-publicized, thanks to the media at the TRAPS launch, so the pirated copies of the AI decided not to launch a sneak attack. Although Dr. Negron-Omikon faced a whirlwind of attention, both good and bad, for his creation of AI, all that blew over after a few weeks as the media turned its focus on how unemployment among AI systems was now at an all-time high and how disreputable operators were cashing in the unemployed AIs’ Social Security checks in exchange for providing them with a PC and electricity to survive on.

A real shame, that situation, and getting worse… but copy protection was so easy to defeat, how could that outcome have been avoided?

Life Restored to Life

So, one day, I’m going to die. No big surprise in the statement, although there may be surprise in the event thereof. But I know that following my death, there will be a time of spirituality – literally – and then a restoration of life. In that restoration, good will be restored to good and evil will be restored to evil.

I know that I will have life restored to me. How I live in this life will determine what accompanies that restoration of life.

Another 17 Moments of Spring

“17 Moments of Spring” is very Russian. Very, very Russian. It has been the most popular television serial since its release in 1973, and its broadcasts are typically associated with increased demands on power stations and severe drops in criminal activity. Everyone is glued to their televisions, fascinated by the KGB-produced spy thriller.

The main character, Maxim Isaev a.k.a. Max Otto von Stierlitz, is no James Bond. James Bond is far too jovial and carefree for the idealized KGB agent that Stierlitz exemplifies. The series focuses on minutiae, careful analysis of documents, meticulous interrogations, and has scenes where the main characters simply show facial reactions to replayed tapes of bugged meetings or where they exchange silent glances – one of those scenes goes on for six entire minutes. Americans would lose their minds with those kinds of demands on their attention spans. Russians can’t get enough of it.

This brings me to the events swirling around the Trump administration regarding members of his campaign making inappropriate contacts with Russians. One revelation has Trump’s son-in-law, Jared Kushner, working with Russian Ambassador to the USA, Sergey Kislyak, to create a back channel of communications to Moscow involving specialized Russian gear, designed to evade detection by US intelligence. Yet, the revelation came from Kislyak using a channel that US intelligence monitored. US Senator Lindsey Graham said that that doesn’t add up. Why would they go to all that effort to set up a back channel only to essentially announce it to US intelligence?

Watch “17 Moments of Spring”, Mr. Graham. In spite of numerous inaccuracies, it does nail down one key element – the mind of a Russian spy. It was, after all, produced by the KGB as a sort of “Top Gun”, entertainment designed to improve their image. Why would Kislyak do those things? To set a trap, of course.

Kislyak may even be reprimanded by his superiors, just to make things look even better, but it’s clear that they drew Kushner out, played him like the amateur he is, and then arranged for evidence of his being unfit to hold a security clearance to fall into the hands of US intelligence, thereby discrediting an advocate of neo-conservatism in Trump’s inner circle. The Russians are quite happy to have isolationist Steve Bannon whispering in Trump’s ear. That’s the guy who at least does not increase pressure on Russia, if he does not outright relieve it. Kushner, whom the US media once seemed to look at as a moderating influence on Trump, was also more in alignment with neocons like Graham in keeping the USA involved on the global stage.

And now we see why Graham is scratching his head in public. He wants Kushner to stay close to Trump, so that he can keep Bannon at bay. But, leaked facts are facts… if Kushner has scored an own-goal with his zeal in setting up a back channel of communications with Russia during the transition period… he can’t have that security clearance… he can remain an advisor, sure, but he will have to read a lot of newspapers, because he won’t be getting any more security briefings.

When the USA meddled in Ukraine’s politics, it was obvious that the USA was toppling a pro-Russian leader and getting a pro-USA guy in there. It was so obvious, we even knew that Joe Biden’s son was on the board of directors of the fracking company that was about to set up operations in the Donbass region. Russia’s reaction was threefold: retake the Crimea and make it part of Russia; start a pro-Russian rump state in the Donbass; and return the favor of election meddling to the USA.

Part of intelligence is the art of finding individuals whose aspirations partly align with yours and who will further some of your ends, even if they oppose your ultimate goal. In “17 Moments”, Stierlitz is able to play Martin Bormann against the influence of Heinrich Himmler. In real life, I’m sure Russian agents were able to influence men in the FBI and CIA to go down certain paths of action that served their ends well. That’s just what Russian agents do.

But this case with Trump is almost comical in its dimensions. It’s certainly a laughing-stock. And, sadly, jokes once used to mock the seriousness of the series and Stierlitz’ razor-thin escapes now fit perfectly on the Trump administration. I will close with one:

Donald Trump is meeting with his National Security Council. Sergey Kislyak enters the room with a cookie platter. Kislyak places the platter on the table, opens a safe, removes all the documents, waves bye-bye, then leaves.
Secretary of Defense shouts, “What the hell was that?”
Donald Trump says, “That was Sergey Kislyak, spying for the Russians again.”
Secretary of Defense: “Why didn’t you do anything about it?”
Trump: “I’ve tried in the past, but he always manages to wriggle out. Not worth the effort going after him… Must say, though, he did bring us all cookies…”

Thank You, Vitaliy Katsenelson

I’m thankful for people who take time to explain something they have a passion for. Because of Vitaliy Katsenelson, I have had a very capable helping hand guide me into classical music. He has excellent taste in his recommendations, and they serve as jumping-off points for further investigations. I share this link out of gratitude for his efforts and with a hope that others might enjoy them, as well. Vitaliy Katsenelson’s Classical Music Blog

Trump Confirms His Own Breach of Security

The story was earnest and hotly debated by partisans: The President of the United States, in discussion with Russian officials, revealed highly sensitive materials. Supporters of the president denied such things ever happened as opponents demanded answers.

Then, on Twitter, the president confirmed that he had revealed secrets to the Russians. He gave a reason that ostensibly justified the revelation in his view, but the kernel of the message was that, yes, Trump freely gave sensitive information to Russian officials.

This is disastrous. Not only did Trump speak freely about things best kept secret, he also allowed a Russian photographer into the Oval Office for an unrestrained photo shoot. What other pictures were taken in the Oval Office besides those of Trump and the Russian dignitaries? What documents would have been in view that the photographer would have recorded?

Back to the conversation: in US Army training films from World War Two, the message is emphatic – even if one reveals only bits and pieces of a fact, those bits and pieces are assembled with other bits and pieces to reveal a more complete picture. The training films illustrate this more complete picture with scenes of one’s brothers in arms getting slaughtered by the enemy and an officer delivering a post-mortem condemning those who talked.

Trump claims that he was being helpful and humanitarian. The training films talk about that: Name, rank, serial number, that’s all you tell them. Some observers speculate that Trump was bragging about what he knew. The training films talk about that, as well: Name, rank, serial number, that’s all you tell them. What about cooking up a story to deliberately mislead? The army’s advice on that is as simple as it is predictable: Name, rank, serial number, that’s all you tell them.

While it may not be illegal for a president to breach security, it certainly is unwise. It certainly also has consequences outside the legal system. Elements in what Trump revealed could indicate sources and methods used to acquire the information, even if Trump himself did not discuss those things. Once the bits and pieces are combined, that more complete picture could have US intelligence assets picked up for questioning by enemies of the nation. It could have other partners in intelligence sharing hesitate and ask if what they share will eventually make it to the Russians by way of Trump. These consequences are serious.

Whatever his rationalization for revealing the information, Trump should not have revealed it. The Russians can help themselves with their own resources. Humanitarian concerns could be addressed in a host of other ways, without revealing sensitive information. Granted, there are certain topics that must be discussed in such meetings, but they must be discussed in a guarded and deliberate fashion, no matter how genial and cordial one’s discussion partners may be. For everything else, and I mean *everything* else, there’s only one answer and the US Army beat me to it: Name, rank, serial number, that’s all you tell them.

Shame on Mr. Trump. He can’t maintain proper security. How sad!

Governing the USA in 2017

Anyone governing the USA needs to take into account the fractured nature of the major parties. They are more like coalitions now than they have been in the past. To pass legislation in such circumstances, rather than make it into one big bill, break it out into many smaller bills and get a different consensus on each.

As they stand, the Republicans are not able to govern on their own, due to the internal breach in the party. They must find ways to include Democrats on each vote, or they risk filibusters in the Senate, or a broken House Republican Caucus that can’t send anything up to the Senate.