Category Archives: Complete Fiction

Auditing Firewalls

There’s an old Robert Frost poem, ‘Mending Wall’, that I’d like to pirate draw inspiration from and make a few adaptations to, if you don’t mind…

Auditing Firewalls

Something there is that doesn’t love firewalls,
That opens the ports, many and varied,
And spews out the code in plain text in prod;
And makes gaps even two can pass abreast.
The developers’ work’s another thing:
I have come after them and made repair
Where they have left not one single port blocked,
But they would have the code loaded straight to prod,
To please the yelping dogs. The gaps I mean,
No one has seen them made or heard them made,
But at spring audit-time we find them there.
I let my neighbor know in the next cube;
And on a day we meet to read configs
And set firewalls between us once again.
We keep firewalls between us as we go.
To each open ports that have opened to each.
And some are ranges and some are in groups
We have to use a spell to keep them all closed:
‘Stay where you are until our backs are turned!’
We wear our fingers rough with scrolling down.
Oh, just another dull video game,
I call out the new insecurities
There where it is we all need those firewalls:
Where contractors connect to prod boxes
Where file servers sit, shares all exposed
To outsiders’ eyes. And we accept risk.
He just says, ‘Good firewalls make good neighbors.’
Spring is the mischief in me, and I wonder
If I could put a notion in his head:
‘Why do they make good neighbors? Isn’t it
Where they segment traffic?’ But no segments,
No zones define our flat, inner network
Contractors here mixed with outsourcers there,
Aren’t firewalls and segments for those neighbors?
Something there is that doesn’t love firewalls,
That wants it down. I could say ‘Scrums’ to him,
But it’s not scrums exactly, and I’d rather
He said it for himself. I see him there
Auditing a rule that’s permit all all
The CISO told him to accept the risk.
He moves in darkness as it seems to me,
Not of woods only and the shade of trees.
He will not go behind his CISO’s saying,
And he likes having thought of it so well
Once again, ‘Good firewalls make good neighbors.’

Dragnetwork

The story I’m about to tell you is true. The names and incident specifics have been changed to protect me from violating my NDA agreements.

This is the network: the RFC 1918 ranges. I work here. I’m a security vendor.

It was a cold November day at the customer site when I walked in for the workshop. I met the security architect in the lobby. Nice enough guy, I guess. His name was Ram Gopal. We exchanged pleasantries and headed to the conference room. 

Once we were all plugged in and Ram fired up my product’s GUI, we got underway. I was there to do one thing, and that was to answer the question, “What is this?” for every device on the network. Network visibility, that’s my stock in trade, and it’s an endless, glamourless, thankless job that’s gotta be done.

I know Jack Webb said that about being a policeman. Well, I’m Dean Webb, so I can say that about being a security professional.

The Windows devices were easy enough to figure out. Thousands of endpoints with TCP 135, 139, and 445 open. We passed over those. We also skipped the TCP 515 and 9100 devices: printers or print servers, for the most part. Ram’s eyebrow went up when he saw switches and routers with Telnet still open, but we knew what those things were. He’d write the email to the network team later on. 

He’d write that email later because we were now at the end of the line, the Skid Row of the network. All the IoT devices plugged in by every Tom, Dick, and Harry at the company. The devices dangling off of D-link hubs. The gear left behind by long-gone consultants. The things people plug in without ever thinking. And the heartbreak that comes from not thinking. No thinking at all about security, about personal information, about known vulnerabilities, about default passwords. They’re just plugged in, given a server IP address, and then forgotten about, left for someone else to worry about. 

The first one we looked at had a normal, unassuming IP address. 10.2.44.63. Nobody ever expects trouble from 10.2.44.63. It’s the IP address next door, the all-American kid with a freckled face and a country smile. We look at that IP address and think nothing of it. Well, I’ve got a news flash for you, friend: you never trust an IP address that has port 80 open. It could turn out to be who knows what – a botnet control server, a pivot to the rest of the network, an exposed database, a key to the kingdom, your kingdom, and you won’t be king much longer with devices at 10.2.44.63 having that port 80 open, for anyone to stop by and look at.

I said to Ram, “Let’s put that IP into the browser. See what comes up.”

Ram had to ask, “Hey, I thought you were on the blue team, Dean?”

“Let me set you straight, Ram. I’m on the blue team, through and through. I’m not a penetration tester – coding was never my bag. But when it comes to devices that are serving up port 80 like a dealer offering that first, free hit of dope, that makes my blood boil. My red blood, if you catch my drift. And what kind of blue team player would I be if I didn’t know how the red team was going to come at me? What if I didn’t know about my blind spots, where some punk with a buffer overflow could give me and everyone on this site a really bad day?”

“OK, OK, we’ll see what comes up.”

A colorful page with a vendor logo is what came up, complete with a pair of boxes where a username and password go. Like a reflex action, I typed in that vendor name and “default password” into a search engine. Did I feel lucky? 13 years as an IT guy, do you think I was going to feel lucky? With search engines serving up sponsored pages ahead of the results I really wanted? No, I didn’t feel lucky. I felt smart, and went on to a page of results.

I saw the link to the quick start guide – may as well have been called the lazy hacker’s cheat sheet. And there it was on page 3, the default credentials. Admin/admin.

Ram typed those in and hit enter. The browser wheel spun, and he was in. “So, this looks like the admin page for some system.”

I pointed at the link on the left that read Badge Reader Status. “Looks like your badge reader system.” Then I pointed at the link to Employee Access Database. “And that looks like where the fun starts.”

Ram clicked the link to the database. We saw employee names, phone numbers, usernames, and their access behavior for the last 30 days. I may have said this was where the fun starts, but Ram’s face told a story of pain, disappointment, and betrayal. He said, “Hey, Dean, I need to put a pause on this for about 20 minutes.”

“You need to have a quick meeting with those badge reader people.”

“Yeah, you got that right.”

“Do what you need to do, Ram. I’ll be here.” I wasn’t going to leave his side. It may not have been his first wide-open system, but that didn’t matter. All the years I’ve been a security professional, it’s never been easy. We laugh, we act tough outside, but deep down inside, we’re all feeling that pit in our stomach open up as we wonder how badly that access has been abused in the past. Worse, we know that somebody in operations somewhere is using an app a developer threw together that uses that very vulnerability we just found in order to get his work done, work that makes money for the company. And when it comes down to shutting down a vulnerability or making money, who do you think is going to win out, a lone security architect or a whole operations department? 

That’s why I stand with my customers. That’s why I document my findings. I may only type 40 words per minute, but those are 40 more words every minute that make this world a little bit safer, a little bit more worth living in.

Ram came back from chewing out the badge reader team and I had another IP address with that HTTP port open. This one was the very important-looking 10.122.37.1. Ram put the IP into his browser and said, “That’s supposed to be a perimeter router IP address. That’s our Rancho Cucamonga location.”

“I didn’t know you had port 80 open on your routers.”

“We don’t. We turned off HTTP on every one of them.”

“Do you use the same vendor for all your routers?”

“Yeah, we’re a dedicated shop.”

By this time, the web page for the device had come up. “So you guys are a wall-to-wall Netgear shop?”

Ram glared at the Netgear home router login page. I was on the search page, typing in Netgear home router. The second autofill line offered up the other two keywords I needed. The next page gave me all the info I needed without needing to go to a quick start guide. “Try admin/password, Ram.”

One admin/password later, and Ram was on the Rancho Cucamonga perimeter router.

“You need another 20-minute break, Ram?”

“Please?”

“Sure thing, pal. I’ll be here.”

“Wait, before I go, can you tell me how many more Netgear boxes I have on my network?”

“Sure thing.” I applied a filter for Netgear MAC addresses. “You got 21, all with .1 addresses.”

“Can you email me that list?”

“You betcha.” Ram got his meeting together and I sent off a spreadsheet export from my product’s GUI.

There may have been 21 home routers on that list, but Ram only needed 10 minutes to tell a very interested network team the information they needed to know to shut down a Netgear ring that had been a thorn in their side for years. Every one of those IP addresses was one they’d try to get to work in their RMM tool, but their network credentials never worked on them. Now they knew why: they weren’t going with the first or second password everyone guesses when trying to pop a box for the first time.

I was glad that the network team was on Ram’s side, but I didn’t envy the arguments ahead of them. I was betting that these routers hadn’t been a problem before, and that was going to be a problem for convincing concerned parties that they were going to be a problem right now, or an even bigger problem in the future.

Ram came back from his short meeting and said, “You know, comedy works best in threes.”

“Well, maybe the laugh we get from this one will make up for what we see on the next two.”

Ram laughed uneasily. I had already set up a view with plenty of bad news in it. He asked, “What’s that you have there?”

“Well, Ram, these are Windows devices that are members of your domain.”

“OK, that’s not a shock.”

“These have RDP open.”

“RDP?”

“Port TCP 3389 itself.”

“Oh yeah. Sorry, but RDP is also used as an acronym here. I got confused.”

“I understand. Anyway, these stood out because I needed to ask if you have any offices in China.”

“No, we’re strictly in the USA.”

“Nothing in Belarus or Russia?”

“No.”

“Republic of Vietnam? India? Turkey?”

“No, none of those. What are you getting at?”

“Those are just some of the nations with source IP addresses hitting these boxes on port TCP 3389.” I showed him the network traffic view that told the whole sordid tale. 

“I gotta shut down the firewall on that port.”

“Try also the commercial ISP connection at those sites. And then look for the /32 routing statements that send traffic bound to those other nations through the dual-homed Windows boxes with RDP open and exposed to the Internet.”

Ram left the room and I knew he had another impromptu meeting to conduct. I did a little click work in my product and found the IP cameras for this building. Every one of them was open on port 80. On the fifth one I tried, I got the live feed of what Ram was doing in the other conference room with the Windows team. I had kept the other browser windows open so Ram would see that I didn’t even need a default credential to tap into every security camera in his enterprise.

What else did I find? The usual suspects. Xboxes and Playstations. Unpatched web-connected television sets. Printers that responded to the “public” SNMP community. Every iDRAC port that answered to “Calvin”. Nearly every other customer of mine had these devices on their network, and nearly every other customer of mine had a workshop where I called these out as security risks. And even though there was plenty of gore on the network, they thanked me for what I did, because I was on their side. I was fighting the good fight, right there with them, and I was damn glad that they were fighting right alongside me.

But on every network, there’s something new, a little adventure you never wanted to be on, a dragon you haven’t seen before that you nevertheless had to slay. This time the sucker punch came from a little PC on the network with the unassuming name “BURGER_WAGON”.

“So, Ram, what can you tell me about Burger Wagon?”

“Um, that’s a food truck that comes by about 3 times a week. They set up near the cafeteria.”

“So would it be reasonable to assume that a PC named BURGER_WAGON would be theirs?”

“They left a PC plugged into our network?”

“It’s online right now.”

Ram checked his watch. “How about we go get some lunch now, Dean?”

“That’s a great idea, Ram.” We grabbed our jackets and headed out to the cafeteria. If we were lucky, we’d grab an unauthorized device before we grabbed something to eat.

We went up to the Burger Wagon table. I said, “I’m Dean Webb from $VENDOR and this is Ram Gopal, security architect here at $COMPANY. We’d like to ask you a few questions, if that would be all right.”

The Burger Wagon lady said, “Sure, I don’t mind.”

“We noticed that there was a PC named BURGER_WAGON connected to the network. Would you know anything about that?”

“Oh sure, I leave that here so it’s easier to set up when we come in.”

“Uh-huh. And this PC, what is it used for?”

The Burger Wagon lady answered like what she was saying was no big deal. “We process credit card payments on it.”

Poor Ram nearly buckled at the knees with that statement.

The Burger Wagon lady asked, “What’s wrong with Ram, there?”

“He just found out that his cafeteria network is subject to PCI-DSS regulations, that’s what’s wrong.”

“What does that mean?”

If only the cafeteria staff knew what that meant, they wouldn’t have let BURGER_WAGON connect to the LAN. Lecturing the uninformed user wasn’t going to make my job any easier, so I laid it out plain and simple, without judging. “It means that we have to treat this place like a bank processing credit cards. It’s a sensitive environment, with your PC plugged in like that.”

“Oh! I’m sorry! I didn’t know!”

“We’re not angry, ma’am. We just want to get the word out so that we can get things on the straight and level around here. If there’s another way for you to connect to the Internet that doesn’t involve using this network, I’d advise you to do so. We are going to start blocking access to devices like these in the very near future. We don’t want to stop you from doing business, just to stop doing it in a way that fails to comply with corporate regulations here.”

The Burger Wagon lady understood and switched over to a guest wireless connection, then and there. She fired up a VPN and Ram got the starch back in his legs. And, you know, we went back to slogging through the unsecured devices on that network after lunch, but we had an upbeat feeling about it. There was a big mountain to climb, but at least there were good people like his network team and that Burger Wagon lady that wanted to do the right thing. That didn’t just make our job easier. It made our job doable.

The Compromise Vanishes

The CIO and CISO left the room, leaving only Sandeep the temp and Avi the digital forensics expert at the table.

Sandeep said, “You know I’m not at all authorized to say anything of effect to you.”

Avi said, “I understand that completely. You are not an employee of the client. I am not to consider you, in any way, to be authorized to direct my actions or the actions of my employees in their relationship with the client.”

Sandeep stopped recording. “That will do. You know what’s going on, and what I’m about to tell you.”

Avi nodded.

Sandeep said, “Then, I really don’t have to tell you anything.”

Avi slowly shook his head.

“All right then. Just let me know when you’ve got your final report ready so we can hand that over to the cyberinsurance people.”

Avi said, “Absolutely. We’ll work long days, nights even, but we will deliver the report and I’m sure it will be complete and accurate.” That was just in case something else was recording the conversation. Otherwise, a word to the wise was sufficient.

Avi and Sandeep arose and each went back to his respective hotel cubicle.

The client had hired Sandeep strictly as an outside consultant that would vet and approve the digital forensics report that Avi’s team would deliver. The client and its officers did not have any care or concern what Sandeep did between now and approving Avi’s report. Sandeep knew his place in the world, which was why his laptop was not visible from the aisle and his back was to the wall, which is no mean feat in a cubicle. As long as Sandeep attended his scheduled meetings and then later approved that report, nobody cared what he was looking at on his phone or computer.

Avi, on the other hand, had work to do. The client stood exposed and plundered to the world, a victim of a massive breach. As a massive multinational in a profitable sector, it had a preliminary estimate of over $400 million in damages – on the line of what companies suffered when WannaCry and NotPetya came on the scene. 

Avi’s team worked with a strict rule – no paper, whatsoever. No writing, no jotting of notes, no paper at all. The only papers involved were those in the final printout. Otherwise, all products of his team’s work would leave when his team took their laptops out of the client site. 

Avi’s team had another strict rule – no conversations of note over landlines, cell lines, email, or chat. They were to avoid speaking above whispers, as well. So many things left a digital trail, and it was best to not leave that trail to begin with. Then, it couldn’t be followed back.

When someone on Avi’s team needed to collaborate with someone else on the team, they would whisper together. If they needed to have a third person involved or a lengthy conversation, they would go outside. It didn’t matter how cold or hot it was outside or what security they’d have to go through repeatedly to complete the journey, the rule was adamant: go outside, where only nature was likely to be listening.

If Avi had to brief his team with customer representatives attending, he had a terse, formulaic presentation. “The client has been breached. We are to determine the root cause, the extent, and the origin of the breach. We all know what is on the line here, so let’s do the best work that we can do for our client.”

Each member of Avi’s team had a specialty, so there was no need to go through who was going to do what and when. They just moved forward. Avi secured any credentials they would need to get started, but that was typically a formality. His team could get those needed credentials much faster than any corporate process could deliver them. Any discrepancy between credentials used and credentials that were supposed to be used could be attributed to fallout from the breach event. Besides, those passwords were about to be changed, anyway, so it wasn’t like anyone on Avi’s team could use those usernames with those particular passwords again. The end justified the means.

In the aftermath of a breach, procedures and processes tended to be protean, plastic, verbally-approved sorts of things. This was especially true when dealing with Avi’s team’s requirements. No client had yet said, “Give them anything they want. Literally, anything that they want.” But that seemed to be the understanding at each client site thus far. 

Nobody ever called Avi in the first place unless they intended to have that kind of understanding from the beginning. With damages in the hundreds of millions of dollars, these customers could not afford any additional risk. They’d already accepted the risk on what got them there in the first place: they had to be certain about securing the means to get out of that predicament.

And that is why they called a man who spoke very little to his team when others could overhear a conversation, who would deliver one and only one document, with zero review cycles permitted. They would call a man like Sandeep to handle the document from Avi, as an extra layer of insulation. 

Sandeep merely needed the skill of being able to handle his extended boredom. Avi’s team needed some profoundly technical digital forensics skills. This is why Sandeep lived comfortably, but Avi lived comfortably and securely.

Generations ago, one of Avi’s ancestors had worked in Moscow, back when it was the capital of the Soviet Union. Avi’s ancestor worked in a photography lab. Avi’s ancestor had but four tools at his desk: a magnifying glass, an airbrush, a razor knife, and rubber cement. He was a redactor, one of the best.

A commissar would bring a photo to the redactor and point to a face in a crowd or a man in a line. By the end of the day, the commissar would collect a photo that did not have that face or that man. The photo would not have any stigmata where the face or man used to be. There would be no streaks, no absence of background noise, no overly-softened edges, no awkward gap. Space itself would disappear as Dzerzhinsky’s Tikhii Don played on the radio. All day long, the redactor worked quietly, creating a world of illusion as the music of Socialist Realism flowed around him. 

This was a work that needed no words. A photo, a finger, that was all that was needed to make things appear to be as they needed to be for the political demands of the moment. Sometimes, a photo would return to a redactor, with a finger pointing at another person or two, and they would be gone by the end of the day. They may have been necessary for yesterday: today, they were not what the Soviet Union needed. 

Kabalevsky’s symphony played as another face vanished. The redactor filled in the empty space with a painted-in fiction of the clothes of the man behind the one that had disappeared. Two officers left the official portrait of the general staff – they stood on the edges, so only a simple cropping did the trick. A photo with a very dangerous face had turned up – the redactor knew this was a rush job from the face alone, without needing to see the stern, almost panicked expression on the commissar’s visage.

Whose was the dangerous face? It could be one of hundreds, no, thousands, but there was no reference for the redactor to turn to. All the faces that were not to be no more forever were in the mind and memory of the redactor. Their names were not important, only their appearances. If their backs were turned to the camera and nobody could tell they were in the photo, there was no need to have the photo placed before the redactor. But if they turned up after they were supposed to have disappeared, well… Khachaturian’s Toccata was proper background music for the rush work. The commissar had not even left, but collected the finished product immediately.

Always, the work of the redactor was in taking what was unacceptable to see and making it acceptable once again.

Avi did not know the name of this ancestor, let alone his job. One day, the redactor went in to work and did not return. His wife knew well enough to not ask a question and his sons had perished in the Great Patriotic War. His daughter was too young to remember her father, and mother never spoke of him.

If there was anything of an inheritable skill in what Avi did, it was surely enhanced by the environment he maintained for himself and his workers. When not on the job, they trained and critiqued each other, each member of the team fully aware that his or her work had to survive the criticism of the others if it was to be ultimately satisfactory to future clients. They would look for a broken reference here, a missed line of code there, accepting that the others were doing the same to their own work. If they made mistakes, they were in ways too difficult to be noticed by the naked eye.

There was music as Avi worked. Not Dzerzhinsky, but George Acosta; not Kabalevsky, but Armin van Buuren; not Khachaturian, but Tiësto – these played on Avi’s earbuds as he sought out the things that were unacceptable to see for his clients. Silently, ruthlessly, they would find the malware and eliminate it utterly, even down to the bare metal on the hard drive. Not a trace would remain.

The log files – not a word was said – the patterns of the breach, its fingerprint, those vanished as well. Did the client have a tamper-proof protection on the log files? That had to be worked over, as well. The client did not need any evidence of the unacceptable things, and evidence of evidence was equally unwelcome. 

A finger pointed at an item on a screen and one of Avi’s team members would make it go away. The purge ran its course, but the task was not yet concluded. 

There had been a breach, after all. There needed to be evidence of such, so that the client might collect on its cyberinsurance policy. 

The insurance companies – and their backers in the reinsurance companies – never hesitated to write a policy or collect a premium. But paying a claim? Ah, the tortured screams of the money being pulled from the insurance company’s accounts could be heard the whole world ’round. How could one blame the insurance company for taking pity on its money and finding a way, any way, to prevent having to part with it?

The cyberinsurance policy would not pay out for an act of war or terrorism, a common exclusion in most policies. The problem was that if a nation had ever accused another nation of using a particular piece of malware, that malware would forever be associated with acts of war and terrorism, even if a mere script kiddie in a dirty apartment was using it to raise money to pay his or her rent. 

Avi’s team whispered, pointed, talked outside, and listened to electronica so that the ravages of war and terror would vanish… other ravages were needed to complete the picture, and Avi’s team provided complete pictures at the end of their engagements.

This business of digital redaction, it thrived on the unsaid and the unwritten. Better still if things unsaid and unwritten were handled by independent third party contractors, such as Sandeep. Let the third party temp worker not say anything or not write anything. That was best for all concerned.

The client also felt that government inspectors were best suited for government work. They had agendas often in conflict with the continuity of business and the unimpeded flow of commerce. Best to keep private things in private hands.

At the end of long days and long nights, Avi and Sandeep were again in the conference room. Avi handed Sandeep a report for his consideration. Sandeep read over it, asking questions as he turned pages. 

“So, Avi, no evidence whatsoever of a state-sponsored attack?”

“None at all, Sandeep. The breach was entirely the work of a criminal organization utilizing custom malware.”

Sandeep smiled. He’d have a few days where he could be idle at home instead of idle at a client site when this business concluded. “What if an auditor finds evidence of a state-sponsored attack, such as in inactive or deleted malware on a hard drive?”

“We called that out in section 9. We did see some malware that had been used in state-sponsored attacks before, but which was not part of this attack, as the forensic data will show. Attack and exploitation patterns common with that malware are simply absent in the records of this attack, which correspond closely with the ways in which this malware suite is utilized by criminal gangs. That state-sponsored stuff may have caused damages, but they would have been of limited scope and outside the events and claims associated with this breach.” It was almost as if Avi had said those things a hundred times before.

“Is it possible the criminals were working alongside or on behalf of a state or terror organization?”

“Given the financial nature of the targets in the breach, we disagree with that conclusion.”

Sandeep looked above the top of his readers. “What about damage or compromise to non-financial targets?”

“Collateral damage or compromise pursuant to the eventual financial goals of the criminals.”

Sandeep nodded and flipped through a few more pages quietly. Nice fonts and color scheme. Plenty of pie charts. Executives loved pie charts. If there were a church for executives, William Playfair would be the greatest prophet of that denomination, for it was Playfair’s Statistical Breviary that brought the pie chart down from the mountaintop. 

Playfair would also figure highly in a pantheon for those that see things as they are and then change their appearance to what their employers want them to become. Playfair’s employer, the British Empire, did not want to countenance a Revolutionary France flush with cash. Playfair came up with a way to make France overly-flush with cash and ruined that nation’s economy with one hundred millions of counterfeit assignats. Was such a thing a fraud? No, it was an outright service to Mr. Playfair’s employers! Besides, how could a man with a name like “Playfair” be capable of anything other than playing fair? Really, now.

And for all Sandeep could tell, there was not a hint of fraud or evidence tampering in Avi’s report. For all intents and purposes, it looked like exactly the sort of thing an executive would want to hand to an insurance company – and what an insurance company would want to hand to a reinsurance company. 

“Looks good, Avi. Everything seems to be in order. Dotted all the i’s, crossed all the t’s.”

Avi smiled. “And the good news is that, once they get their claim paid out, it’ll be as if this all had never happened.”

“Well, we’ll still show up as line-items for this quarter.”

“True, that can’t be helped. Someone had to clean up all that mess.”

Sandeep tapped the conference table twice and stood up. Avi followed suit. They shook hands and made the small talk of departing businessmen.

EPILOGUE

Men like Sandeep and Avi have never been long permanent in any place. They travel over the face of the earth, something like a caravan of merchants. On their arrival, every thing is found trampled down, barren, and bare. While they remain, all is bustle and remedial. When gone, all is left green and fresh.

Just see for yourself.

Insecurity Through Incompetence

“It’s blocking our production traffic! We have to shut it off!”

Dan Weber rolled his eyes. Why is it that developers always make me want to punch someone in the face? He unmuted his line and said to the conference call, “We can’t do that, we absolutely can’t. That’s the perimeter firewall. Turn that off and we might as well hand our data over to the Chinese and Russians and anyone else interested.”

“But we have to ship product! We can’t do that with the firewall in its current state. It’s blocking all our traffic.” Same developer as before.

Dan said, “It’s blocking all traffic from everywhere right now, so at least we’re safe. I’ve got a TAC case open with the vendor and we’ll have it resolved eventually.” Thank goodness this isn’t a video call. Dan made several obscene gestures at the initials of the developer that wanted to shut down the firewall.

A manager asked, “Do you have an ETA on when that firewall will be fixed?”

Dan’s head tilted up as he leaned back in his chair. “No. It’s a code problem from the upgrade. We’ve escalated it, but no ETA.”

Manager, again, “Can you roll back the code?”

Dan kept looking at the ceiling. “No. There’s no rollback from this upgrade.”

“Can you restore from backup?”

“No, because the last backup was on the previous version, so it’s not compatible with this version of the code. We just have to wait this one out.”

The manager put his foot down. “Unacceptable. Turn it off.”

Dan sat up, lightning going down his spine. “I have to have-”

Dan’s manager, Kelly Montlac, interrupted, “Hey, we need to discuss this offline with Raymond.” Raymond was the Network Services Director. A conversation with him would of course involve the director over the developers and probably also the CISO and CIO, if they could be reached at this time. It was late in the day in the USA and early in the morning over in Europe, where the C-levels lived.

The developer manager raised his voice. “We need to get back into production. Turn it off and then we can talk it over.”

Kelly dropped her voice into a growl. “Not gonna happen.” Silence, then Kelly drove the point home. “Not gonna happen.”

The Major Incident Coordinator didn’t speak right away after that, but eventually said, “OK, how about we end this call so we can get that meeting together? And then I’ll have this bridge back up in 60 minutes, after that meeting gives us direction on the perimeter firewall.”

All the managers agreed to that and Dan couldn’t leave the call fast enough. As he dashed down the hall for a badly-needed bio-break, he cursed the idiot developers that refused to bounce their own servers to see if it resolved the issue. Five nines, be damned! Wasn’t there a limit to what had to be sacrificed to get that precious uptime?

They’d already turned off or bypassed the IPS, the proxy, the NAC, the datacenter firewall, the load balancer, the WAN accelerator, the VA scanner, the data protection system, the antimalware solution, the, um… were there any other security solutions? If so, they probably also got turned off, because that’s how development rolled. If Dan hadn’t been on the TAC call with the vendor all day, he would have been on the earlier Major Incident call and the perimeter firewall would have been assailed from within at that point in time.

Dan reflected on which of those systems needed to be turned off as he washed his hands. He was pretty sure at least half those systems were configured improperly and the other half were running just good enough for production, but not optimized. Dan himself barely had a grip on the perimeter firewalls. So many vendors, so many rules that had piled up over the years, and only so much he could do with the firewall management platform before he violated change management procedures or stepped on someone’s shoes in Governance.

When Dan had asked for training, he had gotten it. It was neither the trainer’s fault nor management’s fault that Dan was, at best, a mediocre student. More often than not, he was just a warm body that could complete change requests. Not a clever man, our Dan.

In fact, if one made a school of the entire IT staff where Dan worked, there would be no need for a Gifted and Talented class. There would be some call for a remedial reading course, but most of the imaginary student body would be average kids with average brains, wishing that the weekend would hurry up and get here.

Dan had once applied to work at a vendor. He applied because his position at the time was being downsized and the vendor had an opening. What he did not know was that the interviewers said he couldn’t troubleshoot his way out of a paper sack with a pair of scissors, and that the opening went to some guy with a home lab who only applied at that vendor because that’s where he wanted to work.

Dan got a different job, held that for a few years, and then moved on to this role when the previous one got downsized.

Even though Dan hated security and wanted to get back to routing and switching (developers never, never demanded that switches or routers be turned off!), he knew that his experience with firewalls – even if it was little better than babysitting them in between TAC calls – meant a good chance of getting a job whenever there was a downsizing… 

… or whenever his political sensibilities informed him it was time to move on before he was fired for incompetence. At most firms, that was around 2-3 years. He had two places on his resume where he managed to hang on for five years. Things were really bad at those places, both of which were lucky enough to be picked up in acquisitions after suffering major breaches.

Not that anyone knew about those breaches until after the mergers, when the purchasing company’s IT did an audit of the poorly-managed gear.

As Dan returned to his chair, he was thankful that he could work from home. He also cursed the fact that he wound up working from home during times when he could be watching sports at home, or sleeping at home. This outage looked like something that would rob him of sleep, but he was damned if he would miss the playoff game on tonight! Dan turned on the television and put it on the big game.

As the sports match got underway, Dan wondered how this thing would all pan out and if it meant it was time for him to start looking for another job somewhere. During commercials, he checked his recruiter spam to see which roles looked like they might be good lateral moves. He didn’t want to move up into management or architecture, as that meant only more meetings and increased chances of dealing with C-level heavies, who could be worse than developers in their demands.

Around the end of the first half, it was time to mute the television and get on the call. Dan dialed in and watched the game as everyone else joined the call. 

The CISO was on and said, “OK, for starters, we’re not turning off the perimeter firewall.” Dan smiled. Take that, developers! “But we need that resolved ASAP. Dan, reach out to the vendor and get an RMA started. We’ve got to have our firewalls up and running.”

Years of experience in IT had helped Dan to develop his most important skill of all: how to curse silently when he was unmuted on a call. He paused his staccato mouthing to say, “Sure, I’ll get on that.” Calling TAC wasn’t all that bad, except for the small talk the vendor engineer always engaged in as screens refreshed or boxes rebooted or whatever. And with an RMA call, there would be tons of stuff Dan would have to say that would distract him from the progress his team was making in the playoff game.

Heaven help everyone if the RMA didn’t resolve things and there was some mess of rules on the firewall that, in their combination, blocked that stupid traffic that only ran once a month. That would mean getting an order to review 30 days of changes to see which one put the rule in to block that traffic.

And if no such rule could be found? “Turn it off!” would be the developers’ battle cry!

Dan got off the conference call and opened up another TAC case online for the RMA. As he waited for the callback, he set his LinkedIn profile to “looking for opportunities” and replied to a few of the more promising recruiter spams.

Dan had no idea, of course, that his eventual replacement was going to be as clueless and hapless as he was. Dan also didn’t know the name of the nuclear reactor that guy used to work for, or the name of the GRU agent that had found the holes in that facility’s perimeter security.

Hell, he didn’t even know the names of the GRU agents that had penetrated his current company’s network, for that matter. To be fair, not many security specialists know the names of people in the GRU that have penetrated networks, but in Dan’s case, it was definitely for lack of trying.

An email popped into Dan’s inbox. It was from Kelly. She wanted to know if Dan could log in to the IPS console.

Dan fired up the GUI and tried the vendor default username and password. Hey, they worked!

Dan let Kelly know that he could. Kelly then emailed back for Dan to check the logs to see if the IPS systems were in bypass mode, or if they had been fully shut down.

Dan checked the GUI and saw that every single IPS was down. There was also a licensing error on the server and a warning about missing critical updates. Dan only mentioned the IPS devices being down in his response. He didn’t want to make the IPS guy look like an incompetent.

Kelly then asked for when the IPS devices had been switched off.

Well, hell, that meant searching the logs, and… holy crap! Those things had been turned off two years ago, and kept off! No wonder the IPS guy always gave up quickly whenever someone asked him to shut off the IPS! No troubleshooting, no request to try something different, he just said, “OK, try it now.”

Dan wondered briefly about the times in the last two years that “turning off” the IPS had provided a solution to whatever problem was going on…

But then Dan wondered happily and joyfully about how this proved that there was someone more incompetent than he was on the network. Not that it made him quit his job search. No, it made him look all the harder. He didn’t want to be the guy tasked with taking on the IPS system and turning it back on after 2 years of it being shadow shelfware. 

On the TV, Dan’s team made a terrible mistake. Dan blamed the coach and, completely unaware of the irony, said, “We need a coach that knows what the hell he’s doing! Fire the big dope!”

Heartbreaker

Dr. Borden exhaled and dabbed the sweat from her forehead before proceeding into the most critical part of the operation. She drew a deep, competitive breath and moved the precision mouse to aim the laser directly at the point of incision. With a click, the aorta would-

The screen went black, then a logon screen appeared.

“What the plokha budding spore?!?! What the spore just happened?”

Dr. Borden regained her composure and typed in her username and password – the patient was undergoing open heart surgery, there was no time to lose!

Agony of ages as the dots blinked in their circular path.

Username and/or password incorrect. Next login attempt in 00:05.

“SPORE SPORE BUDDING SPORE BUDDING EFFDISKING BUDDING K’CHORTU BUDDING SPORE!”

Dr. Borden didn’t want this to be the first patient she would lose on the table, but it was looking increasingly that way. He was somewhere in Alberta, wherever the meddrone landed, and she was in Atlanta, where the workstation ran in her Midtown apartment. She was doing everything to keep her mind down-to-earth and focused, but found that rage did all it could to take over.

Her mind raced – how long had it been since things went dark? Would the meddrone AI be able to abort the operation in time to save the patient’s life? Oh God, he is so effdisked if that AI doesn’t figure out there’s no doctor on the other end.

Because this was the third time Dr. Borden tried to log on to her workstation and the third time it kicked her back, this time with a caution she only had one shot left and that maybe she ought to call tech support before using that chance.

There was no way to call the meddrone, as those things were sealed off as far as comms went. There was only one way to talk to the meddrone directly, and for Dr. Borden, it was on the other side of a logon screen.

She called the number for her hospital’s tech support. Ringing. Well, at least it’s not down. Chortu, but that’s a lot of ringing. Well, let it ring, someone might die today if Dr. Borden shrugs her shoulders and becomes fatalistic in philosophy. She waits out the machine-induced stress.

And a machine answers. On an emergency line, it takes time to explain how the options may have changed recently and offers up a universe of choices, all a press of a digit away. Effdisk that, Dr. Borden presses zero. A human eventually speaks.

“Aetilus Medical Solutions help desk, this is Raj. May I get your employee username?”

“Eborden. E as in echo, b as in bravo, o as in oscar, r as in Romeo, d as in delta, e as in echo, n as in November.” Dr. Borden hated it whenever eborden sounded like edorgom. Spelling was usually faster than going over it twice.

“Dr. Elizabeth Borden, is this correct?”

“Yes. A man may be dying, please check if meddrone A as in alpha, 3447-”

“I’m sorry, Dr. Borden, I’m not able to contact meddrones. I’d have to escalate for that.”

“Please escalate, za’chortu.”

“There will be a, uh… oh, spore, a 30-minute wait.”

What the budding spore? 30 budding minutes? Might as well be 30 budding years! Even so… “Chortu, just get me in that queue.”

46 minutes later, a human spoke to Dr. Borden. “Hello, Dr. Borden? You there?”

“Yes. Contact meddrone A as in alpha, 3447-1369-0003.”

“A as in alpha, 3447-1369-0003. Got it. One moment… I’m sorry, I’m not getting a status, I’ll try again.”

“Do you know what’s going on?”

“Some kind of outage, that’s all I know.”

“Chortu… I desoxy-ed for this. All right, that meddrone number I gave you, it’s involved in a heart operation in Alberta. I need verification that it aborted the operation successfully and the patient status. Text me as soon as you got that info. I can’t log on to my workstation.”

“Yeah, none of the remote staff can log on. I’ve got the status query queued up for the drone and your number associated with it. Can I do anything else?”

“Nope. I’m needled. Cheers.” Dr. Borden touched her phone and the call ended.

Hopped up on the desoxy, Dr. Borden started to shake as she lost anything specific to focus on. Suddenly, she became aware of her heart rate and the blood being shoved pell-mell through her circulatory system. Don’t panic, Dr. Borden. You know how to ride out this part of the desoxy run.

The door opened and closed. Dr. Borden brought herself out of her trance state to see her boyfriend Teddy. “Hey babe.”

Teddy set stuff down on the table, even though he wasn’t supposed to. “Hey Lizzie. How’d the operation go?”

“Pffft.”

“Oh God.”

“No idea how the patient is, everything just cut out on me.”

Teddy pulled up a chair near Dr. Borden. The workstation screen was dark. A light blinked on Dr. Borden’s phone. Teddy didn’t know what to say. Someone, somewhere, connected to his girlfriend, could be dead.

Dr. Borden picked up her phone, but the light was just for a FriendFace notification. Apparently, one of her associates was a real slug and had gone fascist, from the content in his post. She unfriended him. “Budding fascist loser.” No word from Aetilus tech support.

“Budding what?”

Dr. Borden shook her head, “Nothing. Someone I went to high school with is now a fascist and dead to me. Hey, I did desoxy for this operation and I need something to focus on, or I’m gonna lose it.”

Teddy reached for the string of prayer beads Dr. Borden kept by her keyboard. She grabbed them and began to run them through her fingers like there was no tomorrow. Once you give a soxer something to do, they’ll do it. They just can’t give themselves something to do.

After a few minutes with the beads, Dr. Borden felt like she could talk and manipulate them at the same time. “What do you think caused the outage?” Teddy was a nerd. He knew answers to questions like that. He was a really cute nerd and fun to have around.

“Did it affect just you or a bigger group?”

“Guy said it took all the budding remote users out. No comms to meddrones.”

“Wow. That’s big.”

“You think it was terrorists?”

“Could be. More likely, it was someone stupid.”

Dr. Borden laughed. Teddy elaborated on the stupid. “So… it could be that someone turned off your time server. That would kill off your ability to log on remotely. Or maybe your computer cert expired. No, stupider, the root cert expired.”

Dr. Borden laughed even more. “I have no budding clue what that means! God, I love you!”

Yeah, she wasn’t doing any more operations today, system restoration or not. “Well, a root cert, that-”

“Shhhh! Explaining is boring! Just list off all the stupid stuff.”

Teddy knew better than to try and argue with a soxer. Last thing you want a soxer to focus on is a budding argument. “Um, OK, the VPN hub could be offline, uh… the directory service got swamped and went down… date field problem, oh spore! Do you know if your IT guys took care of your Y38 problem?”

Dr. Borden laughed harder, kinda maniacally now. It was time for the bell-1. She needed to come down off of this before she broke down.

*** *** *** *** *** *** *** *** ***

Dr. Borden opened her eyes and looked around. There was a little drool on her cheek, which was typical of a bell-1 cooldown. She sat up on the sofa and saw the blinking light on her phone. She reached over to the desk and picked up her phone. A swipe later, then a code, then a DNA pulsecheck, and she was in. The light was for a text.

The text was from tech support Raj. Spore, it was 7 hours ago! Must have texted Dr. Borden right after Teddy gave her the bell-1 dose.

Oh, chortu. The guy died. Dr. Borden sighed and scrolled. OK, so the meddrone did shut things down gracefully, so it was just his heart failing post-op, which was always a risk, regardless of how the operation went. Poor old dude and his now-dead carcass.

Dr. Borden texted back to Raj, what was cause of outage?

Company cert expired, sorry was Raj’s response.

Dr. Borden wondered why “cert expired” made her laugh a little.

Time to even things out with some zebra and ibuprofen. And some mango juice.

Teddy was in the kitchen. “Hey, I’m up.”

“Sleep ok?”

“Pffft. That spore’s not sleep.” She got the juice and then rummaged in the cabinet for the zebra and ibuprofen.

“How did the patient do, if I could ask?”

Dr. Borden downed the drugs and took a shot of mango juice. “Operation ended OK, but he died post-op. Not my fault, still sad. I’m taking zebra to even things out.”

“You also took something for the headaches, right?”

“I’m not an idiot, Teddy.”

“Hey, just checking. They say what caused the outage?”

“Cert expired, whatever that means.” Dr. Borden laughed again and felt weird about laughing. Was she going psychotic?

“It means nobody was checking one of the most important pieces of computer security, the thing probably being used to establish your VPNs and channels back to the drones and stuff. And the time on it ran out right in the middle of your operation.”

Dr. Borden was level enough to want to understand that. “Hold on. You mean to tell me that a company that knows precisely how long I’m functional on a dose of desoxy and how long it takes to do an operation and how long it takes to run drones over seven continents can’t keep time on the one thing that’s gonna tie them all together? Holy budding spore.”

“Well, that’s how you guys make money. Nobody makes a dime watching a calendar for a cert to expire. They know when licenses are due because someone else makes money with those. But certs?”

“Pffft.”

“Yeah, Pffft. That’s when they call me up. You remember when Charleston had that power outage last month?”

“That was an expired cert?”

“Yep. So was the Athens Supermax Riot. Cert expired, all the doors opened.”

Dr. Borden shuddered at that thought. That was too close to home. She still worked remotely, but those meddrones were trauma center models, only 60 miles away. And that was just three months ago. Images of the carnage still popped up in her mind if she wasn’t vigilant about her thoughts.

Now she had a question.

“Teddy?”

“Yeah?”

“Tell me… What is a cert and how does it expire?”

Again, Dr. Borden laughed for a reason she did not know.

The Nah’wadass Sourcebook: The Wisdom of the Binyaelim People

The Binyaelim were a minority group in many Nah’wadass cities, primarily engaged in trade ventures, particularly those in the textile industry. In the countryside along the banks of the rivers of the land, there were a number of Binyaelim villages where they were able to assert their own laws on a local level, as per tradition under most of the Law-Kings of the Nah’wadass. It is known that the Binyaelim themselves arrived within the lands of the Nah’wadass early in the years of their written history. Binyaelim records speak of their flight from a powerful empire to the far south of the Nah’wadass, most likely the Early Dynasty of the Koss Empire. As one of many minority groups within the lands of the Nah’wadass, we can learn from their writings what the Nah’wadass would – and would not – tolerate among their subject peoples.

These writings, part of the Binyaelim Thalmadh, were most likely compiled around the zenith of Nah’wadass prosperity, 500-700 years after their earliest writings. These were selected from different parts of the Thalmadh and illustrate Binyaelim attitudes regarding the Nah’wadass. It is to be understood that, in the matter of a question-answer or debate section, the final opinion is the wisdom to be followed.

Teacher Ismar, Son of Elmar, said, “We sell cloth and clothing, that we may not put weapons in the hands of our enemies.” Teacher Ofed, Son of Paman, asked, “Is it right, then, that we are made to serve in the iron trade for the Nah’wadass?” Teacher Ismar, Son of Elmar, answered, “They give us protection; to procure iron for the Nah’wadass is like unto giving a meal to a brother.”

Teacher Elmar, Son of Oferan, said, “The Nah’wadass revere the green under the snows. Truly, they look to the same hope of life after life that we revere. Therefore, it is not wrong to give unto them that which they ask for their rites.”

Teacher Oferan, Son of Afermar, said, “When a man of the Nah’wadass comes unto us and asks to be numbered among us, we must bring him before the Law-Master for his judgment in the matter. When a woman or child of the Nah’wadass comes unto us and asks to be numbered among us, we must bring them before the husband or father for his judgment in the matter. When a slave of the Nah’wadass comes unto us and asks to be numbered among us, we shall first purchase him and then take him as before the Law-Master for his judgment in the matter. If he is granted leave to join with our number, he shall be set free as a captive of our people is set free. If he is not granted leave, then he shall serve our people and we shall petition each year for leave, that we might move the heart of the Law-Master with our many entreaties.”

Teacher Ofrain, Son of Elmar, asked, “And what of those who we set free as captives that stay not numbered with our people, who sin and transgress our laws?” Teacher Oferan, Son of Afermar, answered, “What do we do with our own number who sin and transgress our laws? They are as the same if they have entered into our number with our ceremonies.” Teacher Ofrain, Son of Elmar, said, “We do not set them free until they have entered into our number with our ceremonies.”

Teacher Oferan, Son of Afermar, said, “Wear not the masks and the robes, as the Nah’wadass do.” Teacher Belermar, Son of Belermar, asked, “What then if the Nah’wadass wish one of us to be a student?” Teacher Oferan, Son of Afermar, replied, “We are not taught by the Nah’wadass, for we are an older people and have already been taught by tyrants in the infancy of our nation.” Teacher Ofrain, Son of Elmar, asked, “What, are we not to be esteemed in the lands of our exile? Are we not to show our worthiness as servants of our rulers?” Teacher Oferan, Son of Afermar, said, “When the Nah’wadass have a matter for us, are they so foolish as to not know who our teachers are? Even among strangers, the wise man shall find his brother.”

Teacher Belermar, Son of Belermar, said, “Truly we are as blessed as the Nah’wadass. Their ancestors speak through their masks, and ours speak through our writings.”

Teacher Ismar, Son of Elmar, said, “When a Master or King asks a teacher among us to lend a shoulder to a King’s task, count it as an honor and go and serve.”

Teacher Ismar, Son of Elmar, said, “When the Priest-Master of the Nah’wadass asks for a sacrifice of earth, do not give that which has been trod upon. When the Priest-Master of the Nah’wadass asks for a sacrifice of water, do not give that which is downstream or which comes from our baths. When the Priest-Master of the Nah’wadass asks for a sacrifice of fire, do not give that which comes from our altars.” Teacher Ofed, Son of Paman, said, “We show respect with what we offer, but we must respect first our own baths and altars, then we respect those of our friends.”

Teacher Oferan, Son of Afermar, said, “When we are compelled to share a meal with a Master or King, eat not the meat offered, and we sin not.”

Teacher Elmar, Son of Oferan, said, “If a woman has issue, forbid her from the baths and the altars, but forbid her not from the market or the congregation. For the law of our people rules over the baths and the altars, but the law of the friend and protector rules over the market and congregation.”

Teacher Ismar, Son of Elmar, said, “When we receive money for the purchase of slaves for to free them, let us free our own people with our own money. But when our neighbor gives unto us money and says, ‘Here, go forth and purchase the freedom of my kinsmen with this money,’ then let us go forth and purchase the freedom of his kinsmen as if they were our own.”

Teacher Ofed, Son of Paman, said, “Mock not the ways of the righteous neighbor, who does good to our people. Our neighbor has not our law, he is free to do as he pleases. Teach the First Law to all those not of our people, and let that suffice.”

The Law-King Odetamewe Edatawess said, “Behold, Teacher Ofed, Son of Paman, I protect you with my laws.” Teacher Ofed, Son of Paman, said, “I protect you, Law-King Odetamewe Edatawess, with my righteous obedience to your laws.” The Law-King Odetamewe Edatawess said, “Behold, it is as you and I have spoken.”

The Law-King Odetamewe Edatawess said, “Teacher Ismar, Son of Elmar, give unto me a sacrifice worthy of my station.” Teacher Ismar, Son of Elmar, said, “Here, O Law-King Odetamewe Edatawess, is my heart which does serve thee, my mind which doth obey thee, my hands that do work for thee in thy lands, and my mouth that does teach the law in thy lands.” The Law-King Odetamewe Edatawess said, “Surely, these four sacrifices that flow from thee unto me are worthy of my station, would that all my people were like unto Teacher Ismar, Son of Elmar.”

Blind Spot

Nick Vendor poked his head into the office, via a door left open. Nobody was in the office, but the time was 10:00, and Nick had a 10 o’clock meeting in Cecil Oh’s office, so Nick went in and got comfortable.

Getting comfortable meant sitting in the chair closest to the wall and angling it so that he could see both Cecil’s desk and the door to the office. Nick was a security pro, and was paid to be paranoid.

A few minutes after ten, Cecil Oh bustled in and smiled at Nick, “Sorry I’m late, but you know how it is.”

Nick nodded. Everyone from manager on up was always running late, everywhere he went. A CISO at a big company was certainly no exception.

Just behind Cecil was Dirk Rector, the IT Director, and Cissy Tantisso, the assistant CISO. Cissy closed the door behind her and all sat in chairs around Cecil’s desk.

Cecil answered two emails and then said, “OK, sorry about that delay, but here we go. We’re here to meet with Nick Vendor here, who is going to give us his network health check assessment. He’s been scanning and probing for a few days, so we’re all eager to hear what he’s found.”

Nick smiled through that “eager to hear” part. Everyone’s eager to hear, but not everyone is so eager to have had heard. There was always at least some bad news in a network health check assessment. Today, the amount of bad news was somewhat more than just “some”.

Cecil held his hands towards Nick and said, “It’s all yours, sir.”

Nick nodded, smiled, and did his best to front-load the cushiony stuff. “Thanks very much, Cecil, and thanks of course to Cissy and Dirk for all the cooperation you and your teams have provided me in this past week. I really do appreciate all the work they’ve done to help me. They certainly helped me to have a little fun as I did my assessment and they were more than helpful in providing me with information about different device types and systems you have installed here at Amalgamated Potrzebie. They’ve been a great help.”

Cissy, Dirk, and Cecil all nodded in appreciation of Nick’s thanks.

Nick shifted in his chair. “So, let’s get to the numbers. About 70% or so of your Windows PCs are managed in SCCM and a similar percentage are up to date on their AV. Dirk’s got the action to follow up with the desktop team to close the gap with the other 30%.

“Macintosh systems, there’s only a few hundred of those, but they’re all pretty much managed centrally. There were, like, 10, that weren’t. We know where they are and Dirk’s Mac team will follow up on those. It’s just a small office, right?”

Dirk agreed. “It’s a marketing team in our Pittsburgh campus, that’s correct.”

“Thanks. Linux.”

Everyone took a deep breath for Linux. They all knew they had a problem there, but they still had to hear about it.

“Linux… well, these developers have not yet embraced the idea that they have to install a security client on their test boxes.”

Dirk objected. “Well, hold on there. That client doesn’t work on all flavors of Linux.”

Cissy said, “We need to stop using those flavors, then. We can’t have developers deciding what risks we accept.”

Cecil grinned, “Yeah, if someone else says ‘I’ll accept the risk’, what am I here for?”

As she finished chuckling, Cissy said, “I’ll take the to-do for getting dev to standardize on Linux.”

Nick said, “Good. That will go a long way towards getting Linux in line.” He took a deep breath, deeper than the one for Linux. “That brings us to embedded devices. We’ll start with embedded Windows, the badge readers at the entrances first. Those devices are active on the O-Sheet Botnet, nearly all of them. The botnet software listens on port 80, HTTP, and determines if it’s botnet communications or if it should hand off to the legit software that uses HTTP. So, if we block port 80, we block both the botnet and the device, which means nobody gets in at that location.”

Cecil sat forward. “Wait, what? A botnet?”

“Yes sir. A botnet in practically all your badge readers. It can infect other devices from those badge readers, as well. That’s basically where the local command and control software is located. Your IPS will block north-south traffic, so it won’t get to the data center, but the east-west stuff is wide open.”

Cecil sat back. “Recommendation?”

Nick grimaced. “Honestly? Rip them all out and get a new system, one that either doesn’t use port 80 or one that doesn’t use a network connection at all. These were all installed with the vendor’s default admin credentials still active, which is probably how they were able to be compromised.”

“Any way to remediate in place?”

Nick shook his head. “It’s embedded legacy Windows. No way to really get in there and make any changes unless we’ve got our own red team to write custom code to pop the devices and clean out the malware. Even then, there could be another zero-day exploit that comes to light and then you’re back to where you are now. And this is just the start.”

Cecil had a panicky tone to his voice. “Whoa, whoa, whoa, whoa, whoa – give me the big numbers, let’s start with that.”

“Amalgamated Potrzebie has a large number of industrial and security control devices that show indicators of compromise. Close to 40% of your IoT devices are showing signs of compromise.”

Dirk asked, “How many of those are on our production floors?”

Nick looked at his spreadsheet, did a quick bit of math in his head. “Maybe 20-25% of your production systems are compromised, but the compromised devices tend to be concentrated in certain facilities. You’ve got most that are still clean, but a good chunk that are shot through-” Nick corrected his language. “- showing about 80-90% compromised.” It was important to leave out hyperbolic adjectives when delivering news of this magnitude.

Dirk’s next question: “Any of those compromised lines in Council Bluffs or Little Rock?” Cecil and Cissy looked at each other with trepidation. Those were the facilities with Defense contracts.

“Yes, both.”

Dirk spoke to Cecil and Cissy. “We have got to get those cleaned out, as soon as possible. We can’t keep our contracts with that kind of threat active in the environment.”

Cissy responded, “Hold on, we don’t even know what’s compromised in those locations. Nick?”

Nick looked over the list. “Temperature gauges, badge readers, security cameras, the time clocks, well time clocks just in Council Bluffs – Little Rock clocks are fine, um… the digital signage is infected, as are the smart light bulbs in the Woodbridge building in Little Rock… ummm… oh, crap.”

Cecil didn’t like that. “Excuse me?”

“I didn’t see this earlier, and I apologize for that oversight, but all your Philly switches on the production floors are basically being run by a group outside of AP.”

“What?”

“There’s a feature on those models to allow for easier automatic upgrading, but it’s vulnerable to an attack. Basically, send a packet to the port used for auto-upgrade and you get a root prompt. We can’t access the devices, but there’s a stream of traffic running between those boxes and a TOR node.”

Cecil didn’t believe it. “No way, we block all manufacturing traffic from the Internet. It’s a segmented environment.”

Nick held up his hand. “It’s not segmented. There’s a vendor-owned Windows 2008 server that bridges traffic between those lines and the Internet. It’s basically on a DSL line and hasn’t been patched since 2010.”

“Who’s paying for the DSL line?”

Nick shrugged his shoulders. “Probably whoever paid for it in 2010 and then never did a budget review since then. At any rate, we recommend not turning off the server, since we don’t know what happens when the communication line is severed. You could wind up losing your switches and maybe other production line equipment that’s connected to them. As for the Philly switches, I do have a note here to check the rest of your sites for this issue. I just didn’t have enough time to finish that part before our meeting here.”

“OK, well, I’m going to want you to follow up our discussion here with a complete check of those Philly switches.” Cecil felt a pit opening up in his stomach.

Dirk and Cissy looked at him for guidance, with Cissy asking, “So what do we do about the compromised Defense lines?”

Cecil looked at his desk. “We need to go up the chain on this one. We have to let DoD know that the lines are compromised, but at the same time, they may accept the risk and let us keep producing parts. We’ve got a lot of pressure to fill the quotas they’ve set for us.”

Nick asked, “Should I still be in this room for that discussion?”

Cecil thought about what the lines in Council Bluffs and Little Rock were turning out. On the one hand, the independent, armed, unmanned aerial vehicles were some seriously top secret items. Nick shouldn’t be privy to that information.

On the other hand, Cecil felt like he had to know if those IAUAVs were themselves compromised… “Well, Nick, that depends. Do you have a security clearance?”

“No.”

Dirk looked a little aghast. “How was he able to do this survey, then?”

Cecil flopped back in his chair. “Apparently, we’ve got a few blind spots around here as regards security…”

Protect and Survive, 2018 Edition

Foreword

If the country were ever faced with an immediate threat of cyberattack, a copy of this booklet would be impossible to distribute to every household as part of a public information campaign. There are so many media platforms, we have no idea which one or ones to use that would, in their combination, reach all households. Moreover, even if we got the booklet out, how would we make sure that people actually read it? Let’s face it, attention spans are not what they were in the 80s, when all we were worried about were nuclear missiles and bombs.

If the country were attacked by a wide-ranging cyberattack, we do not know what targets will be chosen or how severe the assault would be. We probably couldn’t even imagine what would be attacked, so we’re rather certain that there will be critical flaws in this plan because of faulty assumptions made that a particular service would be available or that help would be on its way to those in distress.

If cyberattacks are used on a large scale, those of us living in rural areas would be potentially exposed to as much risk as those in urban areas. Supply chain disruption could deprive all areas of critical resources such as food, medical supplies, fuel, and so on. Service disruption could mean that sectors of the country would not have basic police, fire, and/or emergency protection. We like to think that the emergency response system is hardened against attack, but the truth is that that system is quite vulnerable in many areas. It is likely that some emergency systems are still managed via insecure methods and would be easily compromised by a large-scale cyberattack. This could also mean that alarm systems would be on constantly, without interruption, producing high levels of mental stress.

The dangers which you and your family will face in this situation might not be reduced if you do as this booklet describes, but at least you won’t be as surprised about what goes down as someone who hasn’t read this booklet.

READ THIS BOOKLET WITH CARE. IF YOU RECEIVE AN ELECTRONIC COPY, PRINT IT OUT AS SOON AS POSSIBLE BEFORE YOUR HOME NETWORK, POSSIBLY INCLUDING YOUR PRINTER, IS COMPROMISED BY THE ENEMY.

1. Challenge to Survival

Everything that is connected to the Internet during a cyberattack will potentially be damaged, destroyed, or weaponized.

Data Loss

Any device connected to a network that is itself connected to the Internet is at risk of complete or partial data loss. While personal data loss may be limited to items of a sentimental nature and locally-managed personal data, public and corporate data loss could potentially result in wiping of individual records. These records would potentially be those used to justify access to products and services, both public and private. Because it is cost-prohibitive to retain hard copies of these records, we recommend that you retain a hard copy of a volume of Stoic philosophy, Seneca being a good example of such, so that you can endure your losses with dignity. It is likely that restoring lost data would involve a process at least as long as used when it was first created, likely a longer process due to the need to utilize pen, paper, typewriter, and processes that we as a nation have largely abandoned due to our digitalization.

Function Loss

Any device with an Internet connection is also at risk of being rendered completely useless by way of having its software wiped or corrupted. Such devices would not be able to be updated by their vendors, either via the Internet or via hands-on methods. While loss of function for home thermostats would result in substantial discomfort, loss of function for medical devices and potentially refrigeration devices could lead to sudden or eventual loss of life. While we cannot advise that all persons immediately exchange “smart” medical devices for non-Internet connected equivalents, we do advise that persons with “smart” medical devices consult with their trusted medical specialists about the feasibility of eventually replacing such devices. As for persons who rely upon refrigeration to preserve medical supplies, we strongly recommend not using a “smart” refrigerator and that they maintain a power supply independent of the local grid, with sufficient fuel to last for 2-3 days. Maybe 4. Or 5. Or 6. 7, tops. Well, 8-12 in a severe case. 13-21 in a worst-case scenario. Could be a month or two, really, before services get restored if the attackers keep following up with additional exploits. Maybe even up to a year, when we think about it. Don’t want anyone to panic, but, yeah, we’re that vulnerable.

Function Modification/Weaponization

While it is possible that a cyberattacker would utilize connected devices to intercept domestic communications, we consider such a scenario to be low risk. We are more concerned about an attacker exploiting vulnerabilities in connected devices that would cause them to malfunction to the point where they would be potential fire and/or explosive hazards. To minimize this risk, we recommend that citizens unplug – not just turn off, but unplug – all electronic devices not in use. This includes unplugging them from the Internet. This also includes unplugging devices that do not connect to the Internet, as it is possible an attacker could weaponize the power grid to send a power surge to a residence, with the intent of creating chaos and confusion.

Under no circumstances should a citizen consider operating a motor vehicle during a major cyberattack. Even if your personal vehicle is not Internet-capable, you cannot say the same for the other vehicles on the road, nor can that be said for your municipality’s traffic control systems.

If you have a home alarm system, disconnect it as soon as you have advance warning of a cyberattack or become aware that such an attack is underway. This disconnection will need to include the battery back-up system for the home alarm system. The concern here is that the attacker will create chaos and confusion by triggering the alarm. The constant noise of the alarm would both render the home unusable as a shelter as well as lead to mental strain for one’s neighbors. Triggering home alarms across a wide area would also overload emergency response systems, if those haven’t also gone down in the original attack.

In the event of a cyberattack, remove all batteries from smartphones, tablets, and cell phones so that those devices cannot be weaponized, as described above.

We’re pretty sure we left something off this list that will result in massive injury and loss of life. In our defense, there are so many Internet-connected devices, we can’t even begin to imagine how to protect against all possible situations in which they could be compromised and/or weaponized. The guy in the cubicle next to me just mentioned something about Internet-connected cat boxes. Again, if this was 1980, we wouldn’t have to face such a scenario. But this is 2018, so we may very well have a cat box-related tragedy befall our nation in a major cyberattack.

2. Planning for Survival

Stay at Home

The title of this section is reassuring, more so than the more accurate “Stay Near Home, Possibly in a Public Shelter, Unless Those Are Also Compromised in the Attack.” If your home isn’t rendered unusable due to your domestic devices being shut down, incapacitated, or weaponized, you will have as good a place as any to ride out the attack. You may die there, cold, hungry, dehydrated, and exhausted, but wouldn’t you rather die at home than on the street or in some wilderness? It’s your call, but at least if you die at home, it’ll be easier to notify your next of kin, assuming we can get communications systems back online and are not overwhelmed by local casualties.

Anticipate complete disruption of electrical, water, natural gas, and sewage utilities and plan accordingly. “Plan accordingly” is really a cop-out. We have no idea how every family in a major urban area would be able to arrange resources to cope with such a disruption in services. Especially families in apartment complexes, and doubly so for those receiving public housing assistance. Good lord, they might riot within 72 hours as the food in the local stores is exhausted. But where will you go? It’s not like these riots will be localized. I’m looking right now at a scenario in which the national distribution network is knocked offline for two weeks, and the carnage will be awful. So, yes, do stay at home. It will help you preserve your strength for the coming armageddon.

Plan a Refuge

If you can adopt a pre-industrial lifestyle where you raise your own food without the aid of mechanization, chemical fertilizers, or modern distribution networks, the sooner the better. Of course, that also means exposing yourself to diseases that pretty much exist only in developing nations and history books, so there’s a bit of a trade-off there. You could go with getting a year’s supply of food and a local water gathering system, but there may actually be laws in your area that make water gathering illegal. As for the food, that’s a major expense, so you can’t ramp it up all at once. Basically, if you don’t have a refuge now, you may be too late. Don’t panic, however. There is still plenty of time to print off the public-domain works of a Stoic philosopher so that you can endure these hardships with dignity.

If you live in a tiny house with a chemical toilet, you may be better off than most at first. Nobody here envies you for the task of replenishing that toilet, should the distribution network still be down when the time comes.

Plan Your Survival Kit

Stock enough food and water for 14 days. Why 14 days? We have no idea, but if it was good enough for the people who wrote the pamphlet on how to survive nuclear war, it’s good enough for us. Each person should drink two pints a day, so that means 3.5 gallons per person. I can’t do metric, so you’re on your own there. This water is for drinking. You’ll need twice as much per person for washing, and we’re not talking about showers or baths, either. You’re going to get rather grimy in the event of a major cyberattack.

Choose foods that can be eaten cold and that will also keep fresh, such as cans of soup or beans. You will likely want to practice eating soup straight out of the can now so that you can discover which flavors you prefer best and so that you learn to suppress your gag reflexes, should they be evident while consuming such a meal. The cold soup you eat today may mean cyberattack survival tomorrow!

Heaven help you if you have a baby or special dietary requirements. You are going to suffer grievously.

In the past, a radio would be one’s only link with the outside world, but even emergency and commercial radio systems can be disrupted in a major cyberattack. You might as well get a hand-cranked radio and try it out from time to time, in case we get lucky and manage to restore radio services.

Make sure you have plenty of warm clothing, first aid supplies, cutlery, dishes, and a can opener. Nobody wants to be the chump that stocked up on canned goods, only to forget a can opener. Better get several, just in case one breaks.

You will also find sleeping bags, flashlights, camp stoves (be sure to have the proper fuel and ventilation for these), spare batteries, toilet articles, and buckets to be very useful. You will also want a shovel and a location at least 20 feet away from your home where you can bury your solid biological waste. You would want this to be in an area that is not exposed to rain runoff or the local water table, as it will be a source of disease.

Also have tissues, notebooks, pencils, brushes, cleaning materials, plastic or rubber gloves, toys, reading material (including the Stoic philosophy that will help you cope), a mechanical wind-up clock, and a calendar.

Finally, in advance of a cyberattack or as one is underway, it may be advisable to shut off gas, electricity, and water services at the utility shut-off point so that damage to those systems will not compromise your shelter.

3. Protect and Survive

In the 1980s, we could discuss the methods of warning about an imminent nuclear attack. Such warning would be available in the case of a bomber attack or ICBM launch. We did not talk much about a submarine-launched missile attack, as those would have far less time between missile launch, missile detection, and missile target impact. We would basically know about the attack right before it took place.

In the event of a wide-ranging cyberattack, we may not know about the attack until some time has passed after the initial phases of the attack have been completed and the secondary phases of the attack commence. It is also possible that the cyberattack targets the warning systems themselves, so that they emit one or more false warnings to create chaos and confusion and mental stress – or so that the warning systems do not function at all, as a prelude to a nuclear weapons attack by way of bombers, ICBMs, and/or submarine-launched missiles.

That last one would be the worst possible scenario. No warning, all major cities and quite a few minor ones all hit at the same time. The enemy wouldn’t dream of doing that, however, unless it also had managed to deprive us of our ability to use our nuclear weapons in that cyberattack. Since the enemy has been very persistent in attempting to penetrate our cyberdefenses, we can’t rule out that they might gain that upper hand and then launch the attack that effectively destroys our nation at little or no risk to their nation and/or allies.

It’s also possible that the enemy nation merely launches the cyberattack to deprive us of our nuclear weapons, with the intent of capturing and controlling our industrial base and natural resources. It is possible that the enemy nation would change the function of industrial security systems to keep loyal workers locked out, so as to prevent acts of sabotage that would keep industry from falling into their hands.

The same enemy nation may also be interested in disrupting the supply chain so as to induce mass panic, protest, and rioting. In the resultant die-off, our population would be too weakened by civil unrest and famine to mount an effective, coordinated resistance.

If, for some reason, our national leaders miscalculate on a massive scale and have to resort to a launch of nuclear weapons as a last-ditch measure, it is quite likely that the enemy nation will launch a wide-ranging cyberattack in conjunction with a discharge of its nuclear weapons, so as to take us down to hell with them. I know I said that a situation described above would be the worst case, now I’m not so sure.

We’ve so far attributed wide-ranging cyberattacks to enemy nations, but we also have to consider the possibility of the attacks originating from a non-nation-state actor, an internal threat, or as a result of pure accident. In such cases, we estimate that the impact of the attack would not be as comprehensive as described above, but could still incapacitate one or more major utilities and/or public services.

Holy crap, I haven’t even thought about air traffic control systems or airports until just now. If there’s a major cyberattack, pray that you’re not in the skies, should those systems be compromised.

Same goes for commuter rail and metro systems. I’m getting sick, just thinking about those.

My boss just looked over my shoulder and read what I’m typing. He didn’t say one word about changing my cynical tone. He just sighed and went into his office and shut his door. I think I can hear him crying in there.

If that part about the crying is in the final pamphlet that goes out, it must be because this threat is way worse than I’m letting on here and that this document, cynical and depressing as it is, is actually somehow better than leveling with you and telling the full story.

May God have mercy on our Internet-connected souls.

How Musicians Speak to the Press

I’m wondering how much stuff any person in a band says is due to contractual obligations to promote current work. How much of slagging previous work is considered necessary and appropriate to build up one’s current product?

ORIGINAL BAND: “Everything we’re doing now is bold and imaginative, we’re really like nothing else.”

PROMINENT TALENT GOES SOLO: “It was all rehashing of old blues numbers in Original Band, I got tired of going nowhere musically. I’m so glad that I can truly express myself on my solo albums.”

THE REUNION: “What I did as a solo artist, I had to do, had to get it out of my system. Just a flight of fancy. It’s so great to be making magic again with Original Band, the stuff we’re making now is as great as the old stuff.”

AFTER A DISPUTE OVER PERCENTAGES: “I have left Original Band, effective immediately. Please consult the legal firm of Dewey, Cheatham, and Howe for further comment.”

JOINS ANOTHER BAND: “The Original Band reunion was a disaster. Of course, you read about my departure in the press, and I’ll give you the REAL story after I mention how awesome and liberating it is to be with Another Band. These guys are amazing, this is the best work I’ve done.”

SECOND REUNION OF ORIGINAL BAND: “It’s like I never left home. This is the only real music I’ve ever done, my work with Original Band. Our new album will not disappoint!”

NEW ALBUM DISAPPOINTS, DOES ANOTHER SOLO ALBUM: “Most of the reason behind the second reunion was money. I wanted to make music, they just wanted the money. Such a pity. But I’m glad I can fly free again.”

GETS BACK WITH ANOTHER BAND: “We’re not doing the songs recorded by the guy I replaced. They’re not my music and, frankly, I don’t consider them to be truly Another Band. When I’m with Another Band, then, yes, you can be sure it’s really Another Band.”

PARTIAL REUNION OF ORIGINAL BAND: “Me and the guitar player, we were always the core of Original Band. We don’t need the other guys to play amazing stuff.”

FULL REUNION OF ORIGINAL BAND: “If it’s not all four of us together, it’s simply just not Original Band, full stop. Don’t let anyone say otherwise.”

DRUMMER OF ORIGINAL BAND DIES IN FREAK GARDENING ACCIDENT: “We will miss him dearly, but we will also carry on. Original Band will rise from the ashes and continue forth to newer, better triumphs.”

SLIGHT ISSUE REGARDING DISTRIBUTION OF MERCHANDISING PROFITS: “I’m glad to be done with those money-grubbers and, frankly, they can all go to hell, where they can join up with their ex-drummer.”

ISSUE IS RESOLVED, WORLD TOUR RESUMES: “Me and my mates are inseparable! God bless them all, and I wish our ex-drummer were here instead of ‘up there’, where I know he’s drumming with Hendrix.”

OFFERED MORE MONEY TO TOUR WITH ANOTHER BAND: “My heart has always been with Another Band. Original Band, sure I had some laughs with them. But Another Band is where I’ve always felt like I was freest to explore, where we could play like no other band in the world.”

And so on, and so on, and so on…

History as a Game Review

As I played a World War Two grand strategy game, I was wondering what if the men who led nations through that conflict were actually playing a game of that conflict that gave them the outcome they historically experienced. How would they praise or complain about the “game” they played? So I decided to write…

NORWAY: I thought this was a fun little nation-building sim and then WTF??? I get invaded by Germany??? I didn’t do anything, and then, suddenly, no warning, I got totally pwned. I got to keep one unit with my new British allies, yay. And why my nation? Sweden’s the one that had all the iron ore! Obviously, the AI in this game is broken, it makes no sense at all.

SWEDEN: Fun little nation-building sim, but kind of boring. I was pretty much just clicking through events and news reports and selling iron to Germany until they surrendered, then I just started selling it to England, lol. I’d recommend waiting for this title to be on sale, with a deep discount before you buy it.