Monthly Archives: August 2016

Interrogating Captives

It was a busy day at [REDACTED]. Any day that four major airports experienced coordinated attacks would be a busy day at [REDACTED], given how it handled [REDACTED] for the entire [REDACTED] in the US of A. Shuttle van mortar attacks at LAX, DFW, and Atlanta; taxi car bombs at Reagan International. It was going to be a busy day for many, many days at [REDACTED]…

Dinah White left the briefing room and glanced at her tablet. Cube FR-227C. She was going to work with whoever was in that cube on DFW intel. Full network packet captures, courtesy of [REDACTED].

OK, FR-227C… that was on this floor… a check of cube numbers… and they’re going that way, so the cube is on the left. She turned left and walked past five rows, then turned right and went all the way to the last cube on the right, just before the wall.

The nameplate said “Chandni Kapoor.” Cool, another woman. Dinah did not spend much time contemplating this victory for women in the IT workplace because she had a job to do. So she knocked on the metal on top of the cube wall. Chandni finished the last two words of her email, sent it, and swiveled in her chair to face Dinah.

Dinah smiled. “You ready for this?”

Chandni nodded. “There’s nobody in the cube behind you, so you can grab that chair.” Dinah grabbed said chair and moved it into Chandni’s cube. Chandni fired up her Wireshark and loaded the capture file from the DFW Airport shuttle van SSID. It was a beast-size file, six hours of capture, 137 MB of TCP, UDP, EAPOL, ICMP, and beacon frames. This was no teevee show dealing with h4xx0rz. This was reality, all 137 MB of it.

And Chandni knew how to deal with it. “How do you want to slice this up? Hour by hour?”

Dinah had another thought. “I’d like to filter on a MAC address of one of the vans, see if we can find suspicious traffic, and then see if it matches on other van MACs.”

Chandni inspected her screen. She highlighted frame number 20. No particular reason. It just looked like a good frame to start with. “Start with this one?”


Chandni right-clicked the destination MAC address and selected to filter on it. “OK, let’s get lunch.” They both laughed a little. This was going to take a while. Chandni didn’t like dead air. “Who do you think did this?”

Dinah shook her head. It didn’t pay to speculate at [REDACTED]. “No idea. I like to keep my mind clear. We don’t want a preconceived notion to color our results. We deal with the evidence that’s here, not the evidence we want to be here to prove our hunch right.”

Chandni looked a little beat-down. Dinah immediately regretted coming down like a hardass. “It could have been anyone, really. You know how these vans run, so you’ll tell me who did it, when you know. I’m just here to be another pair of eyes for management.”

Chandni smirked a tiny smirk. Dinah went for a closer. “And, hey, if you really want to find something in a mess, send two women, am I right?” That got Chandni to laugh and the working relationship on better footing.

Wireshark finished its work and then Chandni went to the filter field and typed in the || to add the condition to also filter on that MAC address as a source. Wireshark thrashed accordingly. Once the filters were complete, she exported the packets – about 2% of the total capture – to a new PCAP file. She closed the original file and opened up the much more manageable 3 MB capture.

There were still over 100,000 packets, but that was much preferable to what was packed into the original capture. Chandni started paging down through the packets, focused on source and destination addresses. It wasn’t three pages before she noticed something. “It’s all coming and going from that address there.” She pointed at the address in question. “What is that, the main control station or something?”

Dinah scrolled through her briefing materials on her tablet. “What are the last four letters in that address?”


Dinah found an address that ended with those letters and squinted back and forth from Chandni’s screen to her tablet to confirm that, yes, it was a wireless tower. “Go ahead and cut that from the capture. Both source and destination. See if there’s an outside source sending instructions.”

Chandni filtered and then they both went through the remaining packets, filtering further on conversations with legitimate DFW towers. They got to the last 2300 packets, and they were all to and from the tower in Terminal D, where the van’s movement had been halted by an agent with an EMP gun who had happened to be on the scene. Chandni let go of her mouse and leaned back in her chair. “All the traffic was from the towers. Nothing outside.”

Dinah didn’t like that, either. An outside source of transmissions would have made things easier. She did not relish trying to sort commands from authentication and keepalive traffic in this stream and then seeing if there was a matching pattern in the other vans’ traffic. Ugh.

“Umm… what about the grenade launchers in the vans? When did they start firing?” Chandni had a great idea.

“Load up the main capture, and let’s take a look at the moment everything started firing. Better, chop off the last 20 minutes and look there. If the things weren’t integrated in the van systems, and I’ll bet they weren’t, I’ll say you’re right in about half an hour, when we see the commands.”

Chandni never loaded a massive capture file with more enthusiasm than she did at that moment. She went to the end of the capture, scrolled up to 1200 seconds before the time of the last packet, highlighted a frame, hit SHIFT CTRL END and became crestfallen when her keyboard shortcut-fu failed to highlight the packets she wanted to export.

She left the last packet highlighted, scrolled up to the packet 1200 seconds before the last one, SHIFT-clicked and got the right packets selected. Stupid Wireshark. Deep down, she knew the program wasn’t to blame, but, like everyone in IT, felt better about things when she cursed the computer.

Dinah read off known MAC addresses of the passenger vans and Chandni filtered them out, one by one, until only a few hundred packets remained. Communications to and from the grenade launchers. Chandni exulted, “High five!”

Dinah returned the gesture, taking special care to look at Chandni’s elbow, so as to not mess up the celebrations. But, in that moment of analytical-mindedness, she had a realization. “Hang on, how did the grenade launchers get on the shuttle van SSID?”

Chandni and Dinah pored over the re-authentication traffic that happened as the weapons moved between tower coverage areas. That traffic was more fascinating to them than the commands sent over the wireless to activate them. These things were getting RADIUS-Accept packets from the wireless controller, like they were supposed to be on that network. Who set them up with that kind of access? And the command and control IP address – that was somewhere on the inside of DFW sending the commands.

Filtering on the C&C IP address, Chandni showed it was the source of all the communications, vans and weapons alike. How did that get set up?

For all the network captures at [REDACTED], Dinah figured that not one of them would answer that question or any of the others that came up after the high-five. Someone was going to have to get into DFW’s RADIUS server setup and look over its settings. Hopefully, whoever permitted the weapons on the network didn’t erase the admin logs. And then, there was the matter of the C&C server embedded in DFW’s infrastructure…

But that was for someone else to dig into. Dinah kept focus. “Get the capture of the C&C traffic off to [REDACTED] and let them see if it’s a pattern anywhere else in [REDACTED] or anywhere else we’re [REDACTED] the routers.”

“Is it usable? I mean, it’s encrypted and there’s no guarantee the guy sending it didn’t use Tor or a randomizer on the order the packets were sent. Or stuff like that.”

“Oh, it’s usable. Have you had a class in side-channel traffic analysis?”


Dinah smiled. “You should sign up for one. Amazing stuff. Everyone at [REDACTED] should take it. Be sure to get [REDACTED] as your instructor. I had him, and he’s [REDACTED].”

Chandni, thankful for the career advice, nodded and said, “[REDACTED]” And then, she emailed the C&C traffic to [REDACTED] while Dinah placed a call to the lead agent on the scene at DFW.

Ranking Seinfeld

Before going to sleep, I like to watch an episode or two of Seinfeld to unwind. I like that series in general because there’s very little in it that gets me in trouble. Shows about married guys making mistakes can be way too stressful, as my wife may transfer the mistake on teevee to me. Not good. No, the guys in Seinfeld are different enough from me that I can count on them to do stuff I’d never do. Hence, it’s great to unwind to.

It’s also one of the best comedy series ever done. Nine seasons of classic comedy. Well, more or less…

See, that’s why I’m ranking them. I have seen other people’s lists and they don’t ring true. They pick episodes because of a cultural impact or because they remember some aspect vividly. I don’t see any criteria used for judging. Without criteria, any system of ranking is flawed. My system is based upon awarding up to 30 points per episode. Here’s how it breaks down:

MAJOR CHARACTERS: Jerry, George, Kramer, and Elaine can each score up to 3 points per episode, one point per third of the episode as a general rule. Truly exceptional blow-ups, outbursts, etc. can warrant a 4th point – so far, I’ve only awarded that 4th major character point in two episodes, one for Kramer dumping cement into a washing machine (exceptional physical comedy) and one for Elaine’s attempted eviction of a do-nothing boyfriend, culminating in her celebrated “Van Wyck” monologue. That’s it. Everything else can top out at three. To earn a point, the major character basically has to have a decent chunk of lines. If all the character does is play straight man, no point for that third.

In the first season, there are episodes in which a major character appears and has nothing but dud lines. That’s the low end of the scale, for sure.

OTHER CHARACTERS: When other characters make life difficult for Jerry and the gang, the show powers ahead with comedy gold. When the other characters just go on dates with Jerry and the gang, the show tanks. This isn’t a relationship comedy. It may be a show about nothing, but we need to see how even crazy, colorful, larger-than-life characters can get sucked into the nothingness. When the others show up and crack wise, the show is richer for it. Up to five points per episode can go towards what other characters do.

DIALOGUE: When we get those extra zingers, the episode scores dialogue points. This is more than just a great scene: this is a great line, that we want to repeat over and over in order to relish. Up to five points per episode go towards the “No soup for you!”-type lines.

SITUATIONS: For a show about nothing, we still need great situations for the characters to not learn from or to grow personally from. These are the situations that become cautionary fables, the plots to collect cans in New York and drive them to Michigan, the plan to buy back the Cadillac from Jack Klompus, the need to bring Mr. Steinbrenner a calzone. Each major character can score a point for a great situation that they fall into: if all the situations tie into each other, or one goes over the top, situation point number 5 can be scored.

PERVERSE ENDING: Season one tied things up by the end of the show and we were left with nothing to talk about during the closing credits. Later seasons realized the potential for having fate deal one last blow to the characters. They would not learn a moral lesson from these things, but they would potentially sharpen their animal instincts in knowing what to avoid in the future. Up to three points can go towards George showing up in the coffee shop wearing a sheet, Susan licking the envelopes, or an Ohio farmgirl pledging her love to Norman…

ENOUGH ALREADY: Penalty points, no limit on them. When I’m watching an episode and going, “Enough already with this” over a scene or a bit, I take a point off. Season one is loaded with these moments of pain as we endure Jerry or George having a normal date with a normal person that’s just going bad by a little bit. We need things going off the rails. We need explosions on the launch pad. We need avalanches and landslides, not rainy weekends in Vermont.

That’s my rubric. It is somewhat subjective, true. However, it allows me to justify my rankings for the shows and to let me see what’s needed to make a show truly epic instead of just good. I’ll write more about my rankings in the coming days, since I’ve got this spreadsheet of numbers and totals and I might as well get into the science of comedy with this data I’m collecting.

Travel Advisory

Najib Khan saw it happen with his own eyes and still didn’t completely believe that it had happened. Not one, not two, not three or even four… at least ten… autonomous passenger vans with holes in their roofs, firing off a full magazine of grenades. He’d used a Mk19 grenade launcher before, fighting the Naxalites, so he didn’t have to count how many grenades each van fired off. It was either 32 or 48, most likely 48, given where he stood.

He didn’t stand long in his room in the DFW Airport Hyatt Regency, with its view of the gritty service roads and the parkway that ran through the middle of the airport. He was already in the hallway when he heard the first screams of horror and in the elevator before anyone hit the fire alarm. Let the others take the stairs.

It was obvious, so obvious… automatic grenade launchers in passenger vans. Nobody checks the shuttle vans as they go back and forth from the terminals to the remote lots. They’re so boring, so predictable, so far beneath the notice of the CISOs and security architects. When hackers hit, they figure, they’re going to come at us right through the firewall, you can bet your boots on that. Trouble is, when physical security is compromised, those vans are the weakest link in the security chain.

The elevator opened out to the lobby where there were people milling around, wondering if it was just a drill or the real thing. Most of the staff were disoriented, not expecting alarms to go off in the middle of the day. Nobody expects alarms. They’re either showing up once in a million years or so often they’re ignored. Najib made his way to the parking lot entrance, hoping to get out before somebody noticed the Muslim from India at the scene of a terrorist attack. If he took time to flash his badge, it would possibly mean the difference between life and death for some innocent.

Najib did a little math in his head as he jogged towards his rental car. If those vans were cruising at normal speed, they would have fired all their grenades over a length of 2 kilometers – two terminals, one grenade per 40 meters or so from each van. Ten vans meant a grenade every 5 or 6 meters, spread out over the length of the airport.

Najib’s car had been backing out to meet him. It stopped near him and opened a door. Najib got in and said, “Terminal E. Arrival gates.” He took a chance that the vans would double back into the airport after their southbound grenade run. Whether they were programmed or under remote control, it didn’t matter. Job one with a rogue vehicle was shutting it down before it went into a crowd like a vengeful bull in Pamplona. Forensics would figure out the how after men like Najib put an end to the what, thereby limiting the how much…

Najib rolled down his window and then reached for the large suitcase next to him. Just his luck, he was in Dallas to show his wares in a training session for a local cadre of federal security agents. Time for the live demo. He pulled out an EMP gun and put a suction cup on the back of his phone and mounted it so it would have a good view of whatever he took a shot at.

It would have been ideal for the rental to be able to go against the flow of traffic, but rentals were always sticklers for traffic laws regarding that sort of thing. But there was one edge he’d have over the passenger vans. A single word, uttered by a human. “Emergency.”

Now the thing would drive faster than permissible. Najib was in for a rough ride if a pedestrian stepped in front of his vehicle, but at least the walker would live. If the pedestrian avoidance system was deactivated in those vans, the same person wouldn’t stand a chance, even at low speeds.

Najib’s car pulled up near one of the vans in the arrival level. It was making straight for a family entering the crosswalk. Just in time. Najib yelled out “Slow!” and as the rental slammed its brakes to match the speed of the van, side by side, Najib fired his EMP gun at point-blank range. Two seconds of rattling electric sounds, and the passenger van failed closed, slowing down to halt gently in front of the crosswalk. The family had halted, not knowing what to do, and Najib barked out “Terminal C, Arrivals. Emergency!” Off the rental sped.

As the rental lurched around a corner, it came up directly behind a passenger van, leaving E on its way up to C. Najib waited until the road joined with the main artery and his car could pass it and then – whammo! Directional EMP at its finest as a second van rolled off to the side, immobilized.

As the rental entered the curve for Terminal C, Najib heard a collision and the tt-cheh, tt-cheh! sound of antipersonnel rounds ahead of him. Smoke rose from the arrivals area. Najib knew he was too late for Terminal C, so he shouted, “Terminal D, Arrivals, Emergency!” and the rental swerved away from what Najib knew would be a grim scene of twisted metal and bodies both crushed by the van and then ripped into by the flechettes of the explosives.

The rental sped across the overpass to D and Najib could see more smoke coming up, both near and far. Given the density of the ordnance, it was likely that multiple planes were on fire along with their gates, luggage, and anyone unfortunate enough to be onboard. Further off, what was most likely a storage tank fire belched particularly acrid and odious clouds of doom.

But there was no time to think – Najib’s rental was pulling alongside another roofless van and Najib nailed it from 50 meters. It was stone cold dead by the time the rental passed it. Najib had one more shot and he wanted to make it count. Terminal D hadn’t been hit, and it was the furthest along from where the vans had been. The rental parked at an available spot near a pickup area and Najib rolled down the other window and shifted to fire out of the left side of the car. No van appeared, so Najib took a chance and moved his camera to cover that back angle.

Luck was with Najib, no question. Not ten seconds after his camera was in place, another van of death came around the curve. Najib saw the mines mounted on its sides and bit the inside of his lip. It approached at normal speed… 100 meters… 90… 80… 70… 60… good enough.

TATATATATATATATATATATATATA, and it was all over for that van. Four for four for Najib. That was all he could do, so he took his phone down and left his rental for the nearest security station to report on what he had seen and what he had done.

Given the state of alarm, Najib held his federal badge up high, as that was the best way to reduce the chance that a supervisor would have to explain to the FNG why it was best to not shoot at fellow government employees…

The Seven Samurai

Once a week, we watch films together as a family. My wife and I want to share the culture we appreciated in our youth with our children. Next week, we plan to see Kurosawa’s The Seven Samurai.

If you have not seen it, I strongly recommend it. It is an awesome experience. It’s not a film to watch with distractions around you – focus on it, and be rewarded. The acting is powerful, the cinematography masterful, and the story is compelling. Yes, it’s over 3 hours long. Plan ahead! It is worth the effort. There are lessons in the story, many lessons, but they emerge organically, not from some didactic pedant at the helm. The film is honest and even brutal at times, but it is ultimately about life and, therefore, to be honest it must be the way that it is.