Category Archives: Security

Protect and Survive, 2018 Edition

Foreword

If the country were ever faced with an immediate threat of cyberattack, a copy of this booklet would be impossible to distribute to every household as part of a public information campaign. There are so many media platforms, we have no idea which one or ones to use that would, in their combination, reach all households. Moreover, even if we got the booklet out, how would we make sure that people actually read it? Let’s face it, attention spans are not what they were in the 80s, when all we were worried about were nuclear missiles and bombs.

If the country were attacked by a wide-ranging cyberattack, we do not know what targets will be chosen or how severe the assault would be. We probably couldn’t even imagine what would be attacked, so we’re rather certain that there will be critical flaws in this plan because of faulty assumptions made that a particular service would be available or that help would be on its way to those in distress.

If cyberattacks are used on a large scale, those of us living in rural areas would be potentially exposed to as much risk as those in urban areas. Supply chain disruption could deprive all areas of critical resources such as food, medical supplies, fuel, and so on. Service disruption could mean that sectors of the country would not have basic police, fire, and/or emergency protection. We like to think that the emergency response system is hardened against attack, but the truth is that that system is quite vulnerable in many areas. It is likely that some emergency systems are still managed via insecure methods and would be easily compromised by a large-scale cyberattack. This could also mean that alarm systems would be on constantly, without interruption, producing high levels of mental stress.

The dangers which you and your family will face in this situation might not be reduced if you do as this booklet describes, but at least you won’t be as surprised about what goes down as someone who hasn’t read this booklet.

READ THIS BOOKLET WITH CARE. IF YOU RECEIVE AN ELECTRONIC COPY, PRINT IT OUT AS SOON AS POSSIBLE BEFORE YOUR HOME NETWORK, POSSIBLY INCLUDING YOUR PRINTER, IS COMPROMISED BY THE ENEMY.

1. Challenge to Survival

Everything that is connected to the Internet during a cyberattack will potentially be damaged, destroyed, or weaponized.

Data Loss

Any device connected to a network that is itself connected to the Internet is at risk of complete or partial data loss. While personal data loss may be limited to items of a sentimental nature and locally-managed personal data, public and corporate data loss could potentially result in wiping of individual records. These records would potentially be those used to justify access to products and services, both public and private. Because it is cost-prohibitive to retain hard copies of these records, we recommend that you retain a hard copy of a volume of Stoic philosophy, Seneca being a good example of such, so that you can endure your losses with dignity. It is likely that restoring lost data would involve a process at least as long as used when it was first created, likely a longer process due to the need to utilize pen, paper, typewriter, and processes that we as a nation have largely abandoned due to our digitalization.

Function Loss

Any device with an Internet connection is also at risk of being rendered completely useless by way of having its software wiped or corrupted. Such devices would not be able to be updated by their vendors, either via the Internet or via hands-on methods. While loss of function for home thermostats would result in substantial discomfort, loss of function for medical devices and potentially refrigeration devices could lead to sudden or eventual loss of life. While we cannot advise that all persons immediately exchange “smart” medical devices for non-Internet connected equivalents, we do advise that persons with “smart” medical devices consult with their trusted medical specialists about the feasibility of eventually replacing such devices. As for persons who rely upon refrigeration to preserve medical supplies, we strongly recommend not using a “smart” refrigerator and that they maintain a power supply independent of the local grid, with sufficient fuel to last for 2-3 days. Maybe 4. Or 5. Or 6. 7, tops. Well, 8-12 in a severe case. 13-21 in a worst-case scenario. Could be a month or two, really, before services get restored if the attackers keep following up with additional exploits. Maybe even up to a year, when we think about it. Don’t want anyone to panic, but, yeah, we’re that vulnerable.

Function Modification/Weaponization

While it is possible that a cyberattacker would utilize connected devices to intercept domestic communications, we consider such a scenario to be low risk. We are more concerned about an attacker exploiting vulnerabilities in connected devices that would cause them to malfunction to the point where they would be potential fire and/or explosive hazards. To minimize this risk, we recommend that citizens unplug – not just turn off, but unplug – all electronic devices not in use. This includes unplugging them from the Internet. This also includes unplugging devices that do not connect to the Internet, as it is possible an attacker could weaponize the power grid to send a power surge to a residence, with the intent of creating chaos and confusion.

Under no circumstances should a citizen consider operating a motor vehicle during a major cyberattack. Even if your personal vehicle is not Internet-capable, you cannot say the same for the other vehicles on the road, nor can that be said for your municipality’s traffic control systems.

If you have a home alarm system, disconnect it as soon as you have advance warning of a cyberattack or become aware that such an attack is underway. This disconnection will need to include the battery back-up system for the home alarm system. The concern here is that the attacker will create chaos and confusion by triggering the alarm. The constant noise of the alarm would both render the home unusable as a shelter as well as lead to mental strain for one’s neighbors. Triggering home alarms across a wide area would also overload emergency response systems, if those haven’t also gone down in the original attack.

In the event of a cyberattack, remove all batteries from smartphones, tablets, and cell phones so that those devices cannot be weaponized, as described above.

We’re pretty sure we left something off this list that will result in massive injury and loss of life. In our defense, there are so many Internet-connected devices, we can’t even begin to imagine how to protect against all possible situations in which they could be compromised and/or weaponized. The guy in the cubicle next to me just mentioned something about Internet-connected cat boxes. Again, if this was 1980, we wouldn’t have to face such a scenario. But this is 2018, so we may very well have a cat box-related tragedy befall our nation in a major cyberattack.

2. Planning for Survival

Stay at Home

The title of this section is reassuring, more so than the more accurate “Stay Near Home, Possibly in a Public Shelter, Unless Those Are Also Compromised in the Attack.” If your home isn’t rendered unusable due to your domestic devices being shut down, incapacitated, or weaponized, you will have as good a place as any to ride out the attack.You may die there, cold, hungry, dehydrated, and exhausted, but wouldn’t you rather die at home than on the street or in some wilderness? It’s your call, but at least if you die at home, it’ll be easier to notify your next of kin, assuming we can get communications systems back online and are not overwhelmed by local casualties.

Anticipate complete disruption of electrical, water, natural gas, and sewage utilities and plan accordingly. “Plan accordingly” is really a cop-out. We have no idea how every family in a major urban area would be able to arrange resources to cope with such a disruption in services. Especially families in apartment complexes, and doubly so for those receiving public housing assistance. Good lord, they might riot within 72 hours as the food in the local stores is exhausted. But where will you go? It’s not like these riots will be localized. I’m looking right now at a scenario in which the national distribution network is knocked offline for two weeks, and the carnage will be awful. So, yes, do stay at home. It will help you preserve your strength for the coming armageddon.

Plan a Refuge

If you can adopt a pre-industrial lifestyle where you raise your own food without the aid of mechanization, chemical fertilizers, or modern distribution networks, the sooner the better. Of course, that also means exposing yourself to diseases that pretty much exist only in developing nations and history books, so there’s a bit of a trade-off there. You could go with getting a year’s supply of food and a local water gathering system, but there may actually be laws in your area that make water gathering illegal. As for the food, that’s a major expense, so you can’t ramp it up all at once. Basically, if you don’t have a refuge now, you may be too late. Don’t panic, however. There is still plenty of time to print off the public-domain works of a Stoic philosopher so that you can endure these hardships with dignity.

If you live in a tiny house with a chemical toilet, you may be better off than most at first. Nobody here envies you for the task of replenishing that toilet, should the distribution network still be down when the time comes.

Plan Your Survival Kit

Stock enough food and water for 14 days. Why 14 days? We have no idea, but if it was good enough for the people who wrote the pamphlet on how to survive nuclear war, it’s good enough for us. Each person should drink two pints a day, so that means 3.5 gallons per person. I can’t do metric, so you’re on your own there. This water is for drinking. You’ll need twice as much per person for washing, and we’re not talking about showers or baths, either. You’re going to get rather grimy in the event of a major cyberattack.

Choose foods that can be eaten cold and that will also keep fresh, such as cans of soup or beans. You will likely want to practice eating soup straight out of the can now so that you can discover which flavors you prefer best and so that you learn to suppress your gag reflexes, should they be evident while consuming such a meal. The cold soup you eat today may mean cyberattack survival tomorrow!

Heaven help you if you have a baby or special dietary requirements. You are going to suffer grievously.

In the past, a radio would be one’s only link with the outside world, but even emergency and commercial radio systems can be disrupted in a major cyberattack. You might as well get a hand-cranked radio and try it out from time to time, in case we get lucky and manage to restore radio services.

Make sure you have plenty of warm clothing, first aid supplies, cutlery, dishes, and a can opener. Nobody wants to be the chump that stocked up on canned goods, only to forget a can opener. Better get several, just in case one breaks.

You will also find sleeping bags, flashlights, camp stoves (be sure to have the proper fuel and ventilation for these), spare batteries, toilet articles, and buckets to be very useful. You will also want a shovel and a location at least 20 feet away from your home where you can bury your solid biological waste. You would want this to be in an area that is not exposed to rain runoff or the local water table, as it will be a source of disease.

Also have tissues, notebooks, pencils, brushes, cleaning materials, plastic or rubber gloves, toys, reading material (including the Stoic philosophy that will help you cope), a mechanical wind-up clock, and a calendar.

Finally, in advance of a cyberattack or as one is underway, it may be advisable to shut off gas, electricity, and water services at the utility shut-off point so that damage to those systems will not compromise your shelter.

3. Protect and Survive

In the 1980s, we could discuss the methods of warning about an imminent nuclear attack. Such warning would be available in the case of a bomber attack or ICBM launch. We did not talk much about a submarine-launched missile attack, as those would have far less time between missile launch, missile detection, and missile target impact. We would basically know about the attack right before it took place.

In the event of a wide-ranging cyberattack, we may not know about the attack until some time has passed after the initial phases of the attack have been completed and the secondary phases of the attack commence. It is also possible that the cyberattack targets the warning systems themselves, so that they emit one or more false warnings to crate chaos and confusion and mental stress – or so that the warning systems do not function at all, as a prelude to a nuclear weapons attack by way of bombers, ICBMs, and/or submarine-launched missiles.

That last one would be the worst possible scenario. No warning, all major cities and quite a few minor ones all hit at the same time. The enemy wouldn’t dream of doing that, however, unless it also had managed to deprive us of our ability to use our nuclear weapons in that cyberattack. Since the enemy has been very persistent in attempting to penetrate our cyberdefenses, we can’t rule out that they might gain that upper hand and then launch the attack that effectively destroys our nation at little or no risk to their nation and/or allies.

It’s also possible that the enemy nation merely launch the cyberattack to deprive us of our nuclear weapons, with the intent of capturing and controlling our industrial base and natural resources. It is possible that the enemy nation would change the function of industrial security systems to keep loyal workers locked out, so as to prevent acts of sabotage to prevent industry from falling into their hands.

The same enemy nation may also be interested in disrupting the supply chain so as to induce mass panic, protest, and rioting. In the resultant die-off, our population would be too weakened by civil unrest and famine to mount an effective, coordinated resistance.

If, for some reason, our national leaders miscalculate on a massive scale and have to resort to a launch of nuclear weapons as a last-ditch measure, it is quite likely that the enemy nation will launch a wide-ranging cyberattack in conjunction with a discharge of its nuclear weapons, so as to take us down to hell with them. I know I said that a situation described above would be the worst case, now I’m not so sure.

We’ve so far attributed wide-ranging cyberattacks to enemy nations, but we also have to consider the possibility of the attacks originating from a non-nation-state actor, an internal threat, or as a result of pure accident. In such cases, we estimate that the impact of the attack would not be as comprehensive as described above, but could still incapacitate one or more major utilities and/or public services.

Holy crap, I haven’t even thought about air traffic control systems or airports until just now. If there’s a major cyberattack, pray that you’re not in the skies, should those systems be compromised.

Same goes for commuter rail and metro systems. I’m getting sick, just thinking about those.

My boss just looked over my shoulder and read what I’m typing. He didn’t say one word about changing my cynical tone. He just sighed and went into his office and shut his door. I think I can hear him crying in there.

If that part about the crying is in the final pamphlet that goes out, it must be because this threat is way worse than I’m letting on here and that this document, cynical and depressing as it is, is actually somehow better than leveling with you and telling the full story.

May God have mercy on our Internet-connected souls.

What Grover Can Teach Us About Breaching Perimeter Defenses

When a firm has a known point of ingress from the Internet, it will secure that connection. It will use firewalls, IPS devices, proxy servers, all kinds of good stuff. Those defenses will pass audits, no problem. But what about ways to get into the corporate network that aren’t known to central IT staff? What are the consequences of those unmanaged points of ingress?

We turn to Grover the Muppet for that lesson. In the video I linked, it is ostensibly about bringing a bowl of soup to a sick friend. However, on another level, it is teaching penetration testing techniques to five-year-olds.

Shalom Sesame: Mitzvah Impossible

Grover first encounters a wall. Call it a firewall, if you want. Rather than give up, Grover finds one way around it – going over. His friend finds another way – going around. In both cases, the wall did not cover all possible ingress paths, so it did not provide sufficient security. Later, when Grover encounters a cow blocking his path much like an IPS does, he need only pass a weak test – basically a declaration that his traffic is business critical – to continue forward with his payload.

Grover’s activity would be analogous to an attacker entering a network via an insecure ingress path and then using traffic defined as legitimate to continue with his operation. He uses methods so simple, a five-year-old could grasp them. Maybe those over five would do well to review the security video I linked to…

At any rate, the wall is very nice and blocks traffic that does not route around it. Had the wall been fitted over a cave mouth, it would have been much more difficult to route around, and that would be possible only if there was another unsecured path of entrance into the cave system. As it is, it needs to be taller and wider to cover those available paths of ingress.

How many firms have frustrated employees? I suspect it’s all of them. That’s bad news, because frustrated employees are also those that are most likely to call up a local ISP for a DSL line out of their local budget so that they can have Internet access for some purpose. Nobody higher up or in the central office approved the line: they just put it together themselves. And if central IT refused to allow that connection to hook up with the corporate network, that’s not a problem. They can buy some inexpensive small business switches and hubs and allow their PCs to connect to the corporate network and the shadow IT network at the same time.

How many firms have web developers on a tight schedule? Oh my, that’s a very high percentage… That’s bad news because those developers might set up VPN servers – only for emergency purposes, of course – so that they can connect from home to the test environment more effectively than they can if they use the corporate VPN. Or maybe they have a fileshare server opened up so it can offer its files on the Internet, making things much easier. Or maybe they use an insecure coding shortcut that gets the site up that much faster, even if it means it now allows quite a lot of malicious activity over HTTP and HTTPS.

How many firms have employees that click on links in emails? How many firms have contractors whose contracts have ended, but their workstations stayed logged in… and unpatched… and maintaining a dual-homed Internet connection on the guest network? How many firms have subsidiary or ancillary organizations that manage their own Internet connections… badly… and that have full trust relationships with the parent organization?

Well, that’s bad news, because… well, I’m sure you see the pattern here. None of these paths of ingress are properly managed, let alone secured. Malicious Grovers are carrying bowls of malware-infested chicken soup to servers and workstations that lap the stuff up without questioning.

So now the problem is finding the unmanaged ingress points. The solution is simple: look at your traffic. See if there is traffic on your network that has an outside IP as its source. Next, take a look to see what ports the traffic is using. If those ports are blocked on your firewalls, and I mean *all* your firewalls, see if there are routing paths to that outside IP that take odd twists and turns in your network. Perhaps they lead to that unauthorized ISP connection or that rogue VPN server.

Once you find those things and have them shut down, check your traffic again. You may very well see those IPs again on your network, now with new routes back out. Those will lead to other paths you want to close off.

You have to check constantly, because you will never know when someone creates a new path of ingress that endangers your network. You can also check for dual-homed devices and abandoned devices and try to police links in email messages. All those measures will help to keep five-year-old kids who saw the above video and got the wrong idea from hacking up your network.

Now, the disclaimer… I work for a vendor that not only makes a product that covers most of the detection methods and remediation items mentioned above, I’ve also used it in an environment that thought it had closed off all those other ways into its network. When I told them about the IP addresses in China that were scanning for the Cisco Smart Install port, they soon discovered that there yet remained more ways in that they would have to deal with.

This is not FUD. This is a realistic assessment of stuff that happens, most likely under everyone’s noses. Not everyone knows to look for this stuff, let alone knows how to look for this stuff, which is how it can go on and on. If auditors only know to check the managed gear, then a firm could conceivably pass audits and still have these issues happening.

So, take a tip from Grover and start looking for ways people break into your network that go over, around, or right on through your perimeter defenses.

Prioritizing Security Spending

I’ll put on my manager/owner hat, since I have one laying about the house, and will look at the receiving side of my constant cries to emphasize security spending. There, it’s on, although it seems to restrict blood flow to the part of my brain that handles technological details… never mind, let’s get to budgeting!

First off, security is very important. It’s so important, I’ll use a few more “verys” to emphasize that importance. It’s very very very very very important. But, before I can pay for security, I have to pay for a few other things.

Out of my revenue, first to go through are my loan payments. If I don’t keep current on my merchant loan companies and business loans, I close my doors. That’s a certainty. Ditto for payroll, rent, and utilities. I have to pay those, on time, every month, or I *will* close my doors.

Next up, I have to pay for my materials that I use in my business, whether those materials be solid manufacturing inputs or intangible information, it’s what I use to make my stuff. Without those inputs, my business is no more.

Then there’s advertising. I have to have that, right? I also need money for fees, which I pay to local, regional, and national government authorities in order to stay in business. If I don’t pay those, my business will certainly not be able to operate.

Now, I’ve got some money left over. Part of me wants to have a little more for myself, to compensate for all those days I lived out of my office, getting this business off the ground. That’s why I went into business, right, to make a little something for myself, over and above what The Man would pay me in a regular gig? I’ve got a business partner, as well, and we’ve been through everything together, all these years. I’ve got to give him his cut, fair’s fair.

What’s left is my IT budget. Before anyone panics, let me assure you that there’s still quite a lot of money in that pot.

But, before I pay for any security, I need to pay for my existing licenses. If my PCs don’t have an operating system, they don’t run, and I don’t have a business anymore. Then I pay for my productivity software because what’s the point of having PCs if they don’t do anything useful? No, I must have word processors, spreadsheets, and email! No compromise on that!

If I have specialized software for my line of business, you better believe there are some big-time license fees to run that stuff. But, without it, I can’t produce what my customers want. Honestly, security is important to me, you saw how many “verys” I used up there, but I have to first allocate money for what’s core to my business.

But I’m almost to security in my line-items. Let me first cover printing costs, VoIP services, Internet connections, and a new box fan for my server closet. As long as we keep the fans on and the door open, the servers won’t overheat. That’s a good feeling to have, the feeling you get when you know the servers won’t overheat.

Now that I’m ready to buy some security, please don’t bring up the issue of locks on the doors. I can lock the outside doors, but if I lock the door to the server closet, we’re finished as a going concern.

Looking at the budget, there’s not a lot, so maybe I should get the most important piece of security gear and hope it does most of the work I need it to do. I’ll get a firewall and pay for that annual license/maintenance.

Then there’s an antivirus program that’s only $21.95 per workstation when I buy in bulk, I’ll get that. I don’t know if it’s any good, but it’s at least something.

I need to buy a backup and recovery solution, so that’s going to set me back a bit.

I also have to pay for spam filtering and DDoS protection through my ISP, or I get shut down by spammers and/or DDoSers. This expenditure, in fact, should have come before the backup and recovery.

When I ask the guy that comes in twice a week after lunch to do my IT about what else I should get, he’s got a long list of cool stuff. But when I look at the prices he quotes for them, I have to shake my head. I really can’t afford to spend thousands on a big piece of hardware like a proxy server or an IPS. Maybe if I saved up, I could, but I can’t spend that kind of money right now. And don’t even talk to me about IP protection or UEBA or other big systems like that, there’s no way I can buy one of those solutions.

The thing is, security is a matter of maybe I’ll lose my business if I don’t have it. The other things are a matter of I *WILL* lose my business if I don’t have them. Will beats maybe, every time. That good feeling I have about the servers not overheating is countered by the worry I have that one day, maybe tomorrow, I’m the next small business that gets hit with something that the firewall, antivirus, and/or antispam-antiDDoS can’t deal with. But that’s a maybe, a roll of the dice.

Eventually, I learn to live with “maybe” and I just focus on running my business, the best I can.

And if all my PCs, unbeknownst to me, are secretly mining bitcoins for North Korea or participating in Mafia-run botnets, it’s no concern to me as long as I keep in business. What I don’t know doesn’t impact my bottom line.

I’m not being callow or flippant about wanting to emphasize security but simply not having the budget for it. That’s a reality. And if I get to where the “maybe” doesn’t nag at me anymore, then I can live with myself and my decisions.

I just took off my manager/owner hat and read that over. It does make sense to me. As a security person, I see all the breaches and crashes and outbreaks. But I don’t see that, for most people, these are only rumors, things that happen to someone else. Daily bashing away at firewalls, constant spam and DDoS, legacy malware trying to infect your PC like it’s 1999, those are the constants that happen to everyone. Businesses must protect against them. The other stuff, though, that’s in the realm of “maybe” and that’s not a strong enough case to justify a major expenditure, particularly one that could cut deep into the profitability of a firm.

Quick Start Guide

Welcome to your installation of Secure All the Things (SATT). We thank you for your purchase of our product and hope your installation process goes smoothly. We believe that SATT is the most secure network security solution on the market today. Your commitment to security has brought you here, and we are ready to walk that journey alongside you.

Wow, that was pretty over the top for marketing-speak. Franz Zimmerman saw boxes and arrows further down on the page. Boxes and arrows promised more comforting tech-speak, so he persisted in reading the SATT quick start guide.

In order for SATT to be secure, it requires a high degree of secrecy. This is why you are reading this quick start guide at a SATT safe house.

Yeah, that was a weird requirement. Franz had to take a cab to the airport, where a black SUV picked him up to take him to the safe house to read the guide. These SATT guys were serious about security, from the looks of things.

Your first step in your SATT installation will be to utilize shell companies in the purchase of a property that will house the SATT management servers. Below is a checklist of the requirements for each shell company.

Huh? What? Shell companies? Franz looked over the rest of the quick start guide, which was a single, laminated card, standard page size, printed on the front only. The boxes and arrows were a flow chart, about setting up shell companies, from the looks of things. Where was the listing of how much RAM or CPU cores the servers would need?
Continue reading

Writing InfoSec Fiction

When I first started serious creative writing efforts back in 1997, I had no idea that, 20 years later, I’d be writing about how to write InfoSec fiction. Not only did I not even know how to write fiction, period, InfoSec was pretty much a matter of having an antivirus program and locking the doors to the server rooms. And firewalls, I remember we had just started to have firewalls back then.

Well, enough reminiscing and pondering about how I found myself to be where I am now. I have a purpose, best I get to it.

First off, let’s cover how to write well. It’s not all that difficult. Here are the rules of good writing, as they were taught to me by good writers.

1. Show, don’t tell.

2. Nouns and verbs always beat adjectives and adverbs.

3. Some things are better left to the reader’s imagination.

4. Dialogue should sound like dialogue.

5. Get rid of as many “to be” verbs as you can.

1. Show, don’t tell… that’s the toughest one of all, because we want to explain our thoughts in great detail. Well, that’s technical writing, not fiction writing. How many stories, especially science fiction stories, have gotten bogged down because the characters start explaining all. the. things. The readers will figure out how stuff works as it gets used, don’t worry. Saying “The zapotron ray carved a massive opening into the reactor core, yet none of the radioactivity leaked out” is preferable to the characters spending multiple paragraphs about zapotron technology and why it would be preferable in this situation as compared to, say, an unobtanium battering ram.

In that above example, did I myself go into those technologies? I did not. And yet, each reader now has an idea about them. Show, don’t tell. If I do any more here, I’m telling, not showing, and I’m not about to slide into hypocrisy like that.

2. Nouns and verbs… Rushing beats running quickly. The giant beats the really tall and really big guy. If you have to use an adjective or adverb, make sure it’s not with a plain noun or verb. The exception to this would be in dialogue, where if a person is likely to violate good rules of writing in his or her speech, then it’s good writing to have the character talk that way.

3. Leaving things to the imagination… what’s more scary, the huge hairy spider looming over your right shoulder or… that… THING! AAAAAHH! IT’S COMING FOR YOU! RUN! RUN TOWARDS THE SPIDER!

See what I did there? Consider this an extension of “show, don’t tell.” As I tried to make something scarier than the gigantic spider, I conjured up a notion of something so awful and immediately threatening that your best hope was to run towards the very thing I suggested was fearsome at the beginning of the comparison. And now, by telling all about how I did that trick, I took all the fun out of it. Show, don’t tell, that’s the moral, here. That, and run towards the spider if you’re in that situation, for God’s sake.

Imagination is best when you want to create feeling and mood in your reader. Sometimes, it means ending a story before they want it to end, but, hey, that’s life and good writing.

4. Dialogue… there’s external dialogue. Like my English teacher once said, “When other characters speak, they can reveal so much more with carefully-chosen words, which you want on your side when you fight against Godless Commies.”

Then there’s internal dialogue. One option is to just explain things, but in a dialogue-y way, where you bend words and stuff like that. Stuff that drove my ultra-right English teacher up the wall. Or you can italicize. How do I reconcile my relationship to my English teacher? I mean, she was brilliant, taught me all I needed to know about grammar and writing… but that shrine dedicated to Mussolini in the back of the room? Really? Mrs. Paganini was a complicated person, that was for certain…

Above all, dialogue needs to sound like people talking. Stylistically, if a new character speaks, start a new paragraph. Try to not have a character say too much in one go, it can lose readers.

“You think those ideas work all the time?” a reader asked.

“They’ve served me well,” I said.

“How do I know this isn’t more of Mrs. Paganini’s neo-fascist propaganda?”

I thought a moment. “I guess you can tell it’s not that because one, I’m not wearing a paramilitary uniform, and, two, not once have I spoken about the need to invade either Ethiopia or Albania.”

My reader nodded, satisfied in my answer.

5. Getting rid of “to be” verbs. Remember up in 2, where I talked about nouns and adjectives, how I said “beats” instead of “is better than”? Getting rid of is, are, will be, was, all those “to be” verbs will force you to use actual action words, and that moves the story forward in an interesting way.

***

OK, so those are the rules of good writing. I’d also recommend reading Socrates’ “Poetics” for some tips. It’s a short piece and well worth your time. It’ll also explain why that huge race sequence in “The Phantom Menace” was such a beat-down… put effects ahead of plot and character…

I’d also recommend reading things that help the InfoSec mindset. Look to Eastern Europe for fiction authors and look to trade journals for jumping-off points for stories.

My reading list will include films, but since I use subtitles, I’m still reading them, aren’t I?

Arkady and Boris Strugatsky – Roadside Picnic; Stanislav Lem – Everything he wrote, go for Cyberiad, Solaris, and Memoirs Found in a Bathtub; P.D. Ouspensky – The Strange Life of Ivan Osokin; Vladimir Savchenko – Self-discovery

For the films, go to the Mosfilm YouTube channel and watch Solaris, Stalker, Kin Dza Dza – those are the intro to Soviet sci-fi, which is much more cerebral and psychological than US sci-fi, which tends to resolve issues through violence and/or application of brute physics.

While you’re on Mosfilm, consider also Ivan the Terrible (Ivan Grozny), Ivan Vasilievich Changes Careers, and White Tiger (Belyy Tigr). The first is a pair of films that was Game of Thrones stuff decades before HBO, the second is a wild time-travel romp, the third is about a man who can speak with tanks in WW2.

Also consider the Czech film, “Tomorrow I’ll Wake Up and Scald Myself with Tea”. Why? It’s about things going wrong, and that’s what security is all about.

Once you’re paranoid and twisted in your thinking, you’ll read trade journals and start to get ideas about how things go wrong. You’ll read marketing materials from vendors that promise the moon and see holes in their logic that may deliver a shattered earth instead of a new world. You’ll see reports on outages and mentally explore what’s not reported, how much worse it could be.

Then, you’ll want to write that story.

***

We’ve gone from fiction writing to science fiction writing (briefly) and now we’re ready to deal specifically with InfoSec fiction writing. There are no rules for it yet, because as far as I know, there’s only a handful of people trying to write it, and I’m one of them. So I’ll go into my philosophy, and I’ll try to show instead of tell as much as possible.

The short story is ideal for InfoSec fiction. The short story in sci-fi takes a small concept, a gimmick, and toys around with it. The gimmick is the center of the story, so it won’t last very long at all. It’s not a character, so it shouldn’t be pushed all that far. There will be people and things reacting to, planning to use, and being affected by the gimmick, but the gimmick is the center of attention.

Consider a story about a guy using Internet-enabled footwear that’s also equipped with a flash drive and a toner-like device that can pick up signals from network cables. Fun will be had in the story, but it’s over as soon as he visits the coffee shop and uploads his stolen data to the highest bidder. Maybe it’s over now, but that’s how it goes with the gimmick. It’s a short story, but a merry one.

Writing a longer story runs the risk of getting preachy. If your characters are starting to launch into long dialogues explaining best practices, you are writing an editorial at best and a user manual at worst. If your tale has legs and it’s going to travel into the land of 10-40K words, you’re into novella country, and that demands a different focus for your writing.

Novellas have to be character-centered. This means the focus is not on the technology, but on a person using/affected by the technology. The exposition is about the character in relation to that technology, and the temptation to get preachy will try to overpower you. Resist. Stay with that character and his or her moral journey, as he or she struggles with A Big Decision. For it to be InfoSec related, the Big Decision needs to be related to that technology. A plot in which a jilted lover considers killing his former love becomes an InfoSec plot when he ponders the killing by way of a drone strike, homed in on the former love’s cell phone location… and then, to his horror, he realizes the drone strike took out an innocent because the former lover dropped the phone in the parking lot and the innocent picked it up to go return it to the nearby store’s lost and found. The actual strike and realization would be the climax of the story, unless we want this to be a psychological tale about the killer being caught and being sentenced to work out his problems with an AI counselor… that may have a few flaws in its code…

Novels are big things. If you’ve got the nerve to write an InfoSec novel, good luck with that. If you can keep from preaching and make it all about a group of characters dealing with a world changed by a technology, you’ve got a sci-fi novel. To make it InfoSec, those characters deal with a world changed by the *flaws* in a technology.

That’s the biggest part of InfoSec writing, in my view. We confront the promise of better living through technology and poke at the weaknesses in that premise. We ask what can possibly go wrong and then unleash that vulnerability on our characters. Sometimes, our characters are resilient and deal with the problem. In such cases, I’d recommend no neat and tidy happy ending. The characters dealt with the problem, but now they live in a patched world, and they have to be on their guard just in case the patch introduced a new vulnerability.

An InfoSec writer also has to face a decision whether or not the story will be hard science or more Hollywood in its portrayal of technology. My style leans mostly towards hard science. I want things to be highly accurate. My characters will never ping 10.800.1.1. My characters will never have a program with a GUI that looks like it was designed by a special effects company. My characters plow through huge logfiles, they run Wireshark and pore over the captures, and they get mandatory reboots of their OS at the worst possible times.

But, there are times where I want to go Hollywood. In these stories, I create a fantasyland where all is well, all is good, there is better living through technology for all… except, hey, what’s this little red button do? Ah, it reveals that the makers of this heaven were really humans and there are devils from our own day and age in those futuristic details! Here we are in the year 2877, but the world comes crashing down because the code is backward-compatible to run a DOS 5.0 program… in so doing, I’m able to point out the folly of assuming backward-compatible code is secure, but *without getting preachy*.

I just realized I was getting preachy about not getting preachy, so maybe I should leave the rest to your imaginations and end my essay here.

Or should I say “show, don’t tell” one more time? Where is Clippy to help me finish writing a story when I need him the most?

Matryoshka

Tommy Mothersbaugh caught an anomaly. For the first time in over a year of scouring security logs, he found something that shouldn’t have been there. He took the report to his boss, Mary Jordan. He knocked on her open door.

“What’s up, Tommy?”

“I think I got something here, Mary. It’s not much, but it’s something.”

“Whatcha got?”

Tommy held out the report and pointed at a traffic flow. “That’s a printer in our Panguitch office. Trying to reach a TOR exit node.”

Mary lifted up her glasses to squint at the tiny print. “Huh. You sure about that? Double checked it and all?”

“Yes. Something’s up with that.”

Mary set the report on her keyboard. “OK if I keep this for my report?”

Tommy nodded. “Anything else you want me to do for follow-up?”

“No, no, that’s OK, we just file our reports and then things move upstairs… By the way, I wanted to ask you something and I’ve got a few minutes before my next meeting. You want to get the door and have a seat?”

Tommy shut the door and sat down.

Mary propped her glasses up, over her forehead. “How would you like to do a field assignment? You’ve been doing good work here in Analysis, so it’s only natural that you eventually sample other types of work… if you’d like to.”

“Sure, yeah. I mean, yes, that would really be cool.” Tommy’s surprise turned to excitement. “Where would I be going?”

“Well, wherever they send you. You’ll go through an orientation and then the officer in charge will let you know your assignment. But we can get you there as soon as you like. Tomorrow, even.”

“Tomorrow?”

“Tomorrow.”

“Dude. That would be awesome.” If Tommy was a puppy, his tail would be wagging wildly.

“Well, pack up your desk and make room for your successor.” Mary’s smile got Tommy to jump up, shake her hand, and then zip over to his desk with his good news.

A short, waited interval after Tommy left, Mary opened up SightsAndScenes.com and clicked the “helpful” button by Barry7711’s review of The Dinner Bell restaurant in Muleshoe, Texas.

Instantly, a minor official in another nation received an alert on his phone. The text on Gleb Ivanovich’s phone read, “Text ACCEPT to 495 697 03 49 to receive information on your prize!”

Any English-language text with the phone number for the Kremlin was serious news. Gleb brought up his browser and checked which review for The Dinner Bell got an additional like. Following the liked review back to that user’s home town indicated where operational cover had been blown. And that cover had been blown in… Panguitch, Utah? What and where is a Panguitch? Even after looking up information on the tiny town, Gleb couldn’t believe it existed. Why they had bothered to put a system there that we had bothered to compromise, Gleb did not know. He shook his head and sent a PDF brochure of Bryce Canyon National Park to another minor official.

Sofiya Olegovna glanced over the brochure in Gleb’s email and checked the traffic records for that system. After a few clicks and a few presses of Page Down, she had the data she needed to review. Hmmm… we haven’t done anything with that system in a long time, a long long time… and neither have they. Was this something some other guys were doing? Sofiya thought some more and became certain. This was definitely the doing of some other guys. Sofiya moved to make her report to those who needed to know.

Mere moments later, a spam campaign sent out 3.2 million messages proclaiming the virtues of all-natural Xenon Hexafluoride capsules. Most of the spams were either eliminated by filters or deleted by the fools still suffering without antispam measures. There were, however, 2 people who did not delete the spams, but, rather, accorded them the most urgent of responses. One of those people was in a very quiet office in a very quiet building in a very quiet part of Northern Virginia.

The TINCAN monitoring project was one of the most demanding of analytical jobs, but one that had also produced much valuable intel. Cracking the Spam Code was possible only because of the incredible attention to detail by the steganographers working for TINCAN, searching for meaning in the grainy background images of the spams sent by agents of the rival power. Of course, the meaning in the images was always encrypted, but the one-way pad in the hands of TINCAN’s director provided the key, every time. And now, the urgent response from the person in the very quiet office brought a collection of letters and numbers to the TINCAN director for his one-way pad to work its magic.

Director Andy Garfield ran the decryption protocol. He nodded and dismissed the urgent responder, then contacted his counterpart in Systems Monitoring via a scrambled line. Even if a rival power or those other guys had access to the phone system, they wouldn’t be able to break the encryption on the line. And, besides, what was so unusual about two intel directors talking with each other?

As it turned out, the rival power *did* have access to the phone lines. And, while it was true that the rival power could not decrypt the phone conversation, the rival power nevertheless deduced that this particular conversation fit a pattern that had gone along with its recent spam campaigns. Agents and administrators within the bowels of the rival power’s intelligence community put the wheels in motion to bring the spam campaigns to a close. One or two more actual messages would be leaked, and then disinformation until they didn’t believe us anymore. After that, the spam would have served its purpose.

Director Claus Niklaus of Systems Monitoring answered Director Andy Garfield’s call. “This is Niklaus.”

“Hello Niklaus. Garfield here. How ya doin’?”

“Doin’ fine, Andy, yourself?”

“Got my health. Can’t complain. This a good time?”

“Sure is. What’s eatin’ ya, succotash?”

“Well, Claus, it’s like this. You got a system in Panguitch that came up in analysis earlier today?”

“Yeah, just a while ago.”

“Well, I know all about it.”

“Ya don’t say… Huh. Thanks for the info, Andy.”

“Always a pleasure to help out, Claus. Hang in there, buddy.”

“Sure thing. Thanks a heap. See ya.”

“See ya.”

They both hung up and Claus leaned back in his chair. Only way Andy would have known that is if he’d intercepted and decoded a message from the rival power regarding the Panguitch system. Only way the rival power would know about that would be if they had a mole in his organization or a tap on his lines or a hack on his systems. Time to hire a rat-catcher, Claus figured.

The next problem Claus faced was that this wasn’t a direct operation of the rival power’s. Had it been, they wouldn’t have used the Spam Code that Andy’s TINCAN people were taking apart. That meant that the other guys were mixed up in this. The rat looked to the rival power for money and benefits, but the compromise on the Panguitch system could be laid at the doorstep of the other guys. Claus put in a call to Lauren Bishop, Director of Internal Investigations.

“Joyful Snow Pea Restaurant, can I help you?”

“Sorry, wrong number. I misdialed the third number.”

“OK, no problem, goodbye.”

Claus redialed, properly, and got Lauren on the phone and let her know about the mole, and how he may or may not be working for us or them, but definitely the other guys.

Meanwhile, the cashier at Joyful Snow Pea Restaurant knew exactly what to do, based upon Claus’ message. She placed an order for 2 dozen cans of Hunan-style water chestnuts to the trade attache at the Chinese consulate in San Francisco. The trade attache, in turn, sent an email to Shandong Huaye Tungsten & Iridium Tech Co., Ltd., requesting a quote for 600kg of pure tungsten rods, 100mm diameter. That email kicked off an alert that went straight to the head of Bureau Nine of the Ministry of State Security.

He wasted no time in getting up and moving as fast as he could without running to his boss, hoping to get there before the head of Bureau 8. The head of Bureau 8 had an unfair advantage, as his office was 10 meters closer than his own.

The head of Bureau 9 sped past the door of Bureau 8. He smiled. Those speed-walking classes had paid off a great dividend. He entered his director’s office and did his heel-toe, heel-toe walk right past the secretary, into the director’s antechamber. He pressed a button and waited.

Still no sign of Bureau 8. The head of Bureau 9 smiled as he heard the buzzer indicating the director was ready to receive a visitor. He walked in, normally this time, and said only, “Panguitch cover blown.”

The director nodded and dismissed the head of Bureau 9. The head of Bureau 9 nodded and exited. In the antechamber, he saw the head of Bureau 8 cooling his heels. “No need to see the boss now, I got here first.”

“Damn. Just my luck, I was in the water closet when I got the info.”

“You know it is Bureau 9’s job to protect this ministry from infiltration by foreign agents. Why do you always meddle in our matters?”

“You know damn well it’s Bureau 8’s job to handle counterintelligence. We have to keep tabs on you guys in Bureau 9 when you step into our territory.”

“Is that what you will tell the senior director? That we are in your territory?”

“No, this is a small thing, not worth a fight… but what might be worth a fight is your bureau removing our microphones. Your department is not above suspicion of counterintelligence.”

“Well if you want your microphones back, give us back our cameras! We have to be certain that our counterintelligence team hasn’t been infiltrated by foreign agents!”

The head of Bureau 8 thought a bit. “Two microphones for one camera?”

The head of Bureau 9 nodded in agreement. “Send the draft proposal to me today, I’ll sign off on it.”

Both men returned to their respective departments. The head of Bureau 8 then reviewed the budget for next year’s office supplies. He circled the amount proposed for printer toner and noted it should be reduced.

Three days later, Tommy Mothersbaugh was just outside Panguitch Middle School in Panguitch, Utah, wearing a brown shirt with a printer vendor’s logo prominently embroidered above the left pocket. His instructions were to remove a printer from the faculty workroom and replace it with a similar model. He was then to deliver the removed printer to the e-waste center in Hurricane, but was to get there by way of Orderville and Zion National Park.

Tommy also had instructions to park at Zion National Park and to go see the sights for ten minutes, leaving his vehicle unlocked.

Tommy arrived at Zion and parked his car near a bunch of tour buses loaded with Chinese tourists. They all debouched from the buses around the same time he left his van. Tommy walked away, glancing back at the mob of Chinese tourists. He went to the main office, figuring he’d use the bathroom while he was there. After using the bathroom, he walked around in the gift shop and accidentally bumped into one of the tour bus drivers.

“Oh, sorry! Please excuse me.”

“Not a problem, no worrying.” Tommy was struck at the thickness of the driver’s Russian accent. Then again, lots of immigrants got jobs as drivers, such was the nature of things. Tommy never was sure about what things he should ask questions about and what things he should just let pass without comment, so he guessed this was no big deal and forgot about it.

Tommy returned to his van and checked the insides. Nothing was stolen, and the printer looked like it hadn’t been touched. Tommy shook his head at the instruction that made no sense and drove on to the e-waste disposal center. This field work was just as boring as analysis work, but at least he got to see some beautiful countryside on this mission.

Meanwhile, back on one of the tour buses, the Chinese tourists were talking animatedly about a small piece of electronic gear they had removed from the printer as the bus driver nonchalantly checked to make sure the bus security cameras were running properly.

Shock and Awe

Colonel Guaripolo was screaming into the field telephone in order to be heard. Bombs were landing all around and above his command bunker, even as Presidente General Trompeta was asking for a status report from the front. “So, Colonel Guaripolo, how are things going?”

Damn civilian in a general’s uniform! “Bad! Very very bad!”

“What do you mean, bad? How can things be bad? We have the finest weapons from the Estados Unidos! These are the best in the world! Those losers from San Teodoros have no idea how mighty our forces are!”

“With respect, sir, it is our own army of Nuevo Rico that are discovering the might of our forces!”

“What do you mean? Explain yourself, Colonel! At once!”

Colonel Guaripolo was tempted to stick his head outside so he could die a war hero instead of having to explain military matters to this buffoon. “Our air force uses GPS-guided munitions, correct?”

“Yes. Deadly accurate.”

“Only when GPS is working properly. We spent millions on the GPS bombs, San Teodoros spent hundreds on GPS hacking tools. Their facilities are all giving off false signals, so our weapons correct for that false signal.”

“That’s a shame. I knew some of those gringo arms salesmen were cheating us. Don’t worry, I’ll get our money back. Don’t you worry. We’re not getting ripped off on this deal.”

“Presidente General, with respect, those corrections made the bombs fall on our positions! We are bombing ourselves! The GPS hacking means we are bombing ourselves!”

The Presidente General’s voice condescended. “Stay calm, Colonel. No need to lose your composure. Be brave… wait a moment, can you please hold the line? Thanks.”

Colonel Guaripolo held the receiver in slack-jawed disbelief as the barrage began to abate.

Presidente General Trompeta clicked back over onto Colonel Guaripolo’s line. “Good news, Colonel. The aerial bombardment problem is taking care of itself. I just heard from Colonel Bodoque, at the Air Force. San Teodoros shot down our aerial tankers, so the planes have to return to base before they can deliver their full load.”

“Will we then go back to non-GPS guided bombs?”

“No, because all we have are the latest and greatest weapons. Looks like your securing of the Gran Poco region will have to be done without an air force.”

“Wait? No air force? But can’t they at least fly missions with what’s in their tanks without refueling?”

“Ha ha, you’re going to laugh when you hear this, but those clever little bastardos from San Teodoros have been in our military logistics network for some time. We thought those fuel tanks at the airbase were full up, but they’re actually close to empty. Can’t always trust the data being fed to your software, can you? Ha ha haaaaa…”

Colonel Guaripolo had no laughter for the moment. And then, suddenly, the unbombed Nuevo Rican tanks started to roll… backward. “Presidente General, sir, the tanks… are they fitted with autonomous operation software?”

“But of course! Finest tanks for us from the Estados Unidos! Even if all the people in them are dead, they can fight on!”

“Well, they have no people in them and they are in full reverse.” Loud crashes. “Some have collided with our artillery pieces.” Distant mechanic whines, dropping in pitch. “Others are on the main highway back to Ciudad Trompeta.”

“Really? That’s not what I ordered. The ones on the highway… log into every tenth one and delete its driving software! Morale only improves with a demonstration like that!”

Colonel Guaripolo’s head spun as he pondered for a moment how Presidente General Trompeta was trying to fight a cyberwar like a World War One field marshal. “Presidente General, we cannot even do such a thing – we’re still trying to set up our battle communication network!”

“The gringos said it could be done in minutes.”

“The gringos that dropped off the boxes of gear laughed at me when I asked how many minutes it would take. This stuff is worse than Swedish do-it-yourself furniture!”

Trompeta shifted into philosophy. “Ah, yes, Swedish do-it-yourself furniture… I lost, something like, 2 of my wives and 5 mistresses or so because of Swedish do-it-yourself furniture. Once, I lost a wife and a mistress on the same item! It was a chest of drawers, and you think those would be easy. Not so! There’s a step at the beginning where the drawing is very unclear and-”

The line cut out.

Trompeta became a tiny bit angry and felt a need to focus it on something. He pointed at an aide in the room. “Colonel Trivino!”

Colonel Trivino snapped to attention. “Sir!”

“Find out why the phones went dead. If it was because of hackers in San Teodoros, have Colonel Guaripolo court-martialed for incompetence in protecting our networks. If it was because Guaripolo hung up, have him court-martialed for insubordination!”

“Yes sir!” Colonel Trivino ran from the room, a barely-concealed sigh of relief punctuating the sound of the door closing behind him.

31 minutes later, Trompeta watched as a column of Nuevo Rican tanks rolled past the presidential palace… in reverse… A jeep drove up in the opposite direction and got in the left turn lane to enter the palace grounds. It had to wait a while for the tanks to finish their retreat to points as far away from San Teodoros as their hackers could drive them. Then the jeep turned up the palace drive and a uniformed man leaped from it before it even came to a stop, stumbling then rushing to the palace door.

A minute later, Colonel Bodoque was in Trompeta’s office. “Presidente General! The situation is grave! We have no air defenses! Communications are down, and with them, our ability to operate our weapons! We are wide open to a San Teodoros air attack!”

Trompeta pounded his desk. “Operate them manually!”

Colonel Bodoque dared to pound the desk back. “We can’t! We outsourced that task to an outfit in Taiwan!”

“What? I gave no such command!”

“Yes you did! When you ordered that private contractors would handle certain security aspects, just as in the Estados Unidos! A Taiwanese company put in the lowest bid and they’re in charge of our air defenses, except our connection to the Internet is down and they can’t reach our systems.”

Trompeta frowned.

Colonel Bodoque continued with his impertinent line. “It may be just as well. I heard that all those contractors were just kids that played a lot of video games. Nobody was checking quality or anything like that.”

Trompeta’s face began to darken with rage.

Bodoque did not fear Trompeta’s anger. “I would advise you at this point to get into your presidential jet and flee the country, but all our air traffic control systems are offline. Again, the privatization of government functions, as per your order.”

Trompeta slowly rose from his chair to regard Bodoque eye-to-eye.

He reached for the gold-plated pearl-handled revolver at his side.

Bodoque made no move. He only glared back at Trompeta.

Trompeta pointed his revolver at Bodoque. A quiet growl from the Presidente General: “Colonel Bodoque, I am relieving you of your command and then I am going to personally execute you for treason.”

Colonel Bodoque spoke just as quietly and forcefully as Trompeta. “You don’t have any ammunition in your pistol.”

Trompeta pulled the trigger. Click.

Bodoque continued. “My guess is that for the last few months San Teodoros has been intercepting our ammunition shipments. We keep saying we never got our bullets or bombs and our suppliers keep insisting that they’ve got the tracking information to prove that they arrived and were claimed. Probably more San Teodoros GPS hacking at work. But, as for me…” Bodoque pulled out his own automatic pistol. “… I ordered my ammunition on eBay.”

Trumped, Presidente General Trompeta dropped his pistol and raised his hands.

“Señor Trompeta, you are now under arrest, for crimes against the people of San Teodoros, and so on and so on. I, Colonel Bodoque, am taking charge in a coup d’etat.”

Bodoque had planned his coup well: his loyal soldiers had quietly acquired all the Nuevo Rican surplus military vehicles that lacked auto-driving functions as well as some powerful radio transmitters. As he rounded up the remaining Trompeta henchmen, a lone Nuevo Rican truck drove towards the San Teodoros lines, a white flag signaling the end of yet another brief Latin American border skirmish.

Bodoque was soon making a radio announcement, blaring from loudspeakers on the trucks in case the people were too busy trying to get to Instagram instead of patriotically listening to their radios. Bodoque followed the standard script for a successful coup, which one does after taking control of radio, television, and other telecommunications:
1. Say who is in charge
2. Say who is to be arrested
3. Order that everyone who is not to be arrested must report for work tomorrow
4. Announce the curfew

Bodoque didn’t want a mess like what happened when the Americans took over Iraq and forgot to make those announcements. While his mind was on the thought of American messes, Bodoque began to flip through a glossy arms catalog. He stayed away from the so-called “smart” systems at the back and focused his attention on the weapons that didn’t have anything to do with the Internet. The army of Nuevo Rico needed to re-arm itself, this time with weapons that couldn’t be hacked.

A Realistic Process for Dealing with Cloud Breaches

Given how cloud breaches are becoming more and more common, I would like to present a realistic process for dealing with them. I say realistic because this is probably already what is going on, but is not documented. So, here goes:

It starts with a proper management reaction when the vendor informs the firm regarding the breach:

Then your management will then need to do this privately:

But this should be their public reaction to the vendor’s notification:

Your developers will do this as they inspect the code:

Your security team will do this as they look at how the breach was done:

And then do this after they’re told they have to help clean up the mess:

Next, your developers will work hard on a new solution:

The security team will look over the developers’ solution and offer constructive feedback:

So the developers will take that feedback and refine their solution:

The network team may have some concerns on what the developers are hoping they can do in the datacenter:

Management may also have to deal with increased budget requests to implement the more secure solution:

And all the former employees are doing this as they hear the rumors and read the headlines:

And that, my friends, is how we can realistically deal with a cloud breach! I thank you for your time in reading this and hope it helps. 🙂

The Internet of No Fun

Little Bobby rushed in with the speed and joy that told the world he was five and a half years old and loving it. “Dad! A drone fell into our backyard! Can we keep it?”

Dad leaned out to the right to look at Bobby around his monitor. “Hold on there, sonny… have you done a VA scan on it?”

Bobby looked at the ground the way only a five and a half year old whose dreams were being confronted with harsh reality could do. “No…”

“What is our rule about bringing devices on to our wireless network?”

“No devices on the network until we’ve done a VA scan.”

“And?”

“And we’ve either patched or otherwise mitigated the vulnerabilities.”

“And?”

“And we’ve filed the change request documentation.”

“… And?”

“And we’ve got the change window scheduled, gosh, dad, you make all this no fun!” Bobby looked like he was ready to cry. Or update his resume and start looking for a new dad.

Dad knew that it was pretty much the same everywhere. Not wanting to see any turnover in the kid department, he worked on a consoling angle. “You think this is no fun? Then maybe it’s time I had you sit with me doing all the qualification testing so you’ll see just how much no fun this is for me, too!”

The shared experience reminded Bobby that he was in this together with everyone else. It’s not uncommon for five and a half year olds to express contrition and Bobby did just that. “Sorry, dad… I’ll go fire up the Kali Linux box…”

“There’s a good boy. Daddy has to go to a meeting now with Uncle Frank about next year’s family IT budget.”

“Are we gonna get a new firewall?” That exuberance again. Kids sure do bounce back, don’t they?

“Well, we’re still paying for Grandpa’s unexpectedly high syslog generation, but I think we might get a new firewall in Q2 next year.”

Bobby ran laughing down the hallway. “Yaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay!!!”

The meeting with Uncle Frank went well and Dad was happy that there were a few more goodies in the budget besides the firewall that he’d be able to announce at the family Q4 wrap-up meeting on 25 December. Dad had just enough time to type a few lines of code and then Sara stomped in the way only a 13 year old expecting to be disappointed could do. “Dad, can I go to a friend’s house now?”

“Did you finish ringfencing all your old wearables?”

Exasperation permeated the room. “Yes. Dad.”

“OK, did you also wipe the config on our old perimeter router like I’ve been telling you to do for the last three days?”

“Yes. Dad. I did it. It’s all wiped. Are you happy?”

“Sara, don’t take an attitude with me or you’re not going out.”

“Sorry.” Not very sincere, but a dad couldn’t expect much better from 13 years old.

“All right, that’s better. Which friend did you want to go see?”

“Veronica.”

Dad was concerned. He really didn’t want Sara hanging out with Veronica. Veronica’s family didn’t have very good change management processes and it was common knowledge around town that they weren’t necessarily up to date on their patch management. “I would be happier if she came over here.”

“Oh God, not this again.”

“Well, Sara, you tell me. If I try to RDP to Veronica’s family’s domain controller, am I going to get blocked, or am I going to get a login screen?”

“Dad, they have a really secure password on it!”

“That’s not my point, Sara. You know as well as I do that I shouldn’t even be able to reach that server, let alone via RDP. Now am I able to reach that server or not?”

“Fine. You win. I’ll just rot away here.”

“Sara, that’s not a win for me. I just want you to be safe, that’s all. Even if you left your cell phone home, your shoes are still exposed. As are your pants, your shirt, those earrings, am I right?”

Sara rolled her eyes with the wild, limbic-system fueled thinking so prevalent amongst the 13 year old set.

Dad tried to persuade. “And what happens to the rest of your clothes if the ones you’re wearing now are compromised?”

“Dad! That happened ONE TIME when I was eleven! Why do you have to keep bringing it up?”

“Well, you seem to be on track to have it happen again, when you’re 13. I’d rather not have to deal with another breach.”

“What. Ever.” Sara exhaled hard, but then had an idea. “What if I put all my clothes on airplane mode, will that be OK?”

Dad considered. That was reasonable. “OK. You put them all on airplane mode and you can go to Veronica’s. Get mom to take you, though.”

“She can’t dad. She’s on a sev one TAC call with the refrigerator vendor. There was a problem with our proxy and now the licensing on the fridge is all messed up.”

“OK, let me just wrap up this IPS signature modification and I’ll take you, just as soon as I get it into production.”

Dad was ready to get out and drive around for a while, anyway. Drive wasn’t really the right word, since the car did it all itself, but it was best to have a parent go with a kid, just in case. Gary Rasmussen’s daughter knew how to hack past parental controls on cars and could go pretty much anywhere unsupervised. Then there was that fight that Linda Hartford’s son got into where he and that other kid, Jerry something or other, kept hacking the speed governors on each other’s cars so they’d barely crawl. Having a parent ride along tended to keep those kinds of teenage shenanigans from happening.

Grasshopper and Ant and the App Store

One day, at the beginning of spring, Grasshopper and Ant each got a new smartphone. They both chose the same make and model. They even had the same cell carrier with the same data plan. The only difference, apart from Grasshopper being of the order Orthoptera and Ant being of the order Hymenoptera, was their general attitude towards security in general and app permissions in particular.

Ant was very security-conscious. He switched off his GPS and other location services, activating them only when he needed them, and then turned them off again right away. When he loaded an app, he read carefully over what permissions it required. Any game, for example, that needed access to his contacts list was right out, as were other apps that seemed to need access to data that seemed unrelated to the primary function of the app. As a result, Ant did not have many apps on his smartphone. He did load quite a lot of music and ebooks on his phone for entertainment, but refused even to install Facebook or Twitter. He was just that kind of guy.

Grasshopper, on the other hand, loaded all kinds of games and apps on his phone. He didn’t care what permissions they wanted, he would load them up. He would load them up, use them for a while, and then forget about them and load more apps. Ant thought Grasshopper was out of control. Grasshopper thought Ant was a party pooper.

It may not surprise you, dear reader, to discover that Ant also checked his credit card statements regularly while Grasshopper had a more carefree attitude towards personal finance.

At any rate, all through the spring and summer and into the fall, Grasshopper combined hundreds and thousands of shapes into rows of three or more, built up digital armies and empires, and used every emoji that he could find. Ant, meanwhile, kept to his books and his music.

As the first snow of winter fell to the ground, Grasshopper got a letter in the mail that many of his credit cards had been maxed out. Grasshopper didn’t think that he’d made that many in-game purchases, so he checked over his recent statements in greater detail. He was shocked to discover a number of very large purchases on his account for goods that he had never received. Not knowing what to do, he went to Ant’s house and begged Ant for a few scraps of food to tide him over through the winter, for he had no means to purchase provisions, what with his maxed-out cards.

Ant chided Grasshopper, “I’ll give you nothing, foolish Grasshopper!”

Grasshopper felt like a melting snowflake. “That’s a bit harsh, Ant. Where is your pity? Your sense of charity?”

Ant growled on, “Look, those are obviously fraudulent charges on your accounts. Just call the credit company and have them removed. You’ll have to cancel all your cards, but-”

“Oh! Whatever will I do without credit cards?”

“Well, you could let me finish my sentences, for a start. As I was saying, cancel the cards, BUT you will get new ones in a few days. That’s how it works out. It’s possible that the charges were just simple fraud from one of your apps being a front for bandits or from you not using secure sites for purchases.”

Grasshopper began to dance a little. “Why, that is marvelous news! All will be well!”

“Quit interrupting me. And you could stand to be a little less manic-depressive, if possible. All will not be well if this is part of an identity theft. There have been a number of major breaches of late, and I’m sure at least one of the million apps you’ve downloaded was a headline. You should get a credit report and see if any accounts in your name have been opened up recently – and if those accounts also have maxed out cards. Then there’s a follow up with the IRS to see if someone files a fraudulent tax return in your name, to get a government refund sent to them. That’s just the start, really.”

Grasshopper was silent.

Ant said, “I’m done. You won’t interrupt me if you say something now, if-”

“Oh! Goodness! Identity theft! Whatever shall I do? Please, brother Ant, do you have an identity I can borrow to see me through the cold of the winter?”

“It doesn’t work that way, Grasshopper. I recommend you check out articles on what to do if you’re a victim of identity theft.”

“Why can’t you tell me more, O wise Ant?”

“Because I’ve never had my identity stolen! I don’t know what else to do, as I’ve never had to know!”

“Why haven’t you had your identity stolen?”

“Well, for starters, I’m careful about the apps I load on my phone. Now, do you mind? I’m with people, here.”

Grasshopper bid farewell and trudged home, sadder but wiser. One by one, he started to uninstall all his apps and vowed to never again blithely install a game that needed access to his web history, contacts, location, calendar, phone records, media folders, and core OS files.