Monthly Archives: November 2017

Quick Start Guide

Welcome to your installation of Secure All the Things (SATT). We thank you for your purchase of our product and hope your installation process goes smoothly. We believe that SATT is the most secure network security solution on the market today. Your commitment to security has brought you here, and we are ready to walk that journey alongside you.

Wow, that was pretty over the top for marketing-speak. Franz Zimmerman saw boxes and arrows further down on the page. Boxes and arrows promised more comforting tech-speak, so he persisted in reading the SATT quick start guide.

In order for SATT to be secure, it requires a high degree of secrecy. This is why you are reading this quick start guide at a SATT safe house.

Yeah, that was a weird requirement. Franz had to take a cab to the airport, where a black SUV picked him up to take him to the safe house to read the guide. These SATT guys were serious about security, from the looks of things.

Your first step in your SATT installation will be to utilize shell companies in the purchase of a property that will house the SATT management servers. Below is a checklist of the requirements for each shell company.

Huh? What? Shell companies? Franz looked over the rest of the quick start guide, which was a single, laminated card, standard page size, printed on the front only. The boxes and arrows were a flow chart, about setting up shell companies, from the looks of things. Where was the listing of how much RAM or CPU cores the servers would need?
Continue reading

Writing InfoSec Fiction

When I first started serious creative writing efforts back in 1997, I had no idea that, 20 years later, I’d be writing about how to write InfoSec fiction. Not only did I not even know how to write fiction, period, InfoSec was pretty much a matter of having an antivirus program and locking the doors to the server rooms. And firewalls, I remember we had just started to have firewalls back then.

Well, enough reminiscing and pondering about how I found myself to be where I am now. I have a purpose, best I get to it.

First off, let’s cover how to write well. It’s not all that difficult. Here are the rules of good writing, as they were taught to me by good writers.

1. Show, don’t tell.

2. Nouns and verbs always beat adjectives and adverbs.

3. Some things are better left to the reader’s imagination.

4. Dialogue should sound like dialogue.

5. Get rid of as many “to be” verbs as you can.

1. Show, don’t tell… that’s the toughest one of all, because we want to explain our thoughts in great detail. Well, that’s technical writing, not fiction writing. How many stories, especially science fiction stories, have gotten bogged down because the characters start explaining all. the. things. The readers will figure out how stuff works as it gets used, don’t worry. Saying “The zapotron ray carved a massive opening into the reactor core, yet none of the radioactivity leaked out” is preferable to the characters spending multiple paragraphs about zapotron technology and why it would be preferable in this situation as compared to, say, an unobtanium battering ram.

In that above example, did I myself go into those technologies? I did not. And yet, each reader now has an idea about them. Show, don’t tell. If I do any more here, I’m telling, not showing, and I’m not about to slide into hypocrisy like that.

2. Nouns and verbs… Rushing beats running quickly. The giant beats the really tall and really big guy. If you have to use an adjective or adverb, make sure it’s not with a plain noun or verb. The exception to this would be in dialogue, where if a person is likely to violate good rules of writing in his or her speech, then it’s good writing to have the character talk that way.

3. Leaving things to the imagination… what’s more scary, the huge hairy spider looming over your right shoulder or… that… THING! AAAAAHH! IT’S COMING FOR YOU! RUN! RUN TOWARDS THE SPIDER!

See what I did there? Consider this an extension of “show, don’t tell.” As I tried to make something scarier than the gigantic spider, I conjured up a notion of something so awful and immediately threatening that your best hope was to run towards the very thing I suggested was fearsome at the beginning of the comparison. And now, by telling all about how I did that trick, I took all the fun out of it. Show, don’t tell, that’s the moral, here. That, and run towards the spider if you’re in that situation, for God’s sake.

Imagination is best when you want to create feeling and mood in your reader. Sometimes, it means ending a story before they want it to end, but, hey, that’s life and good writing.

4. Dialogue… there’s external dialogue. Like my English teacher once said, “When other characters speak, they can reveal so much more with carefully-chosen words, which you want on your side when you fight against Godless Commies.”

Then there’s internal dialogue. One option is to just explain things, but in a dialogue-y way, where you bend words and stuff like that. Stuff that drove my ultra-right English teacher up the wall. Or you can italicize. How do I reconcile my relationship to my English teacher? I mean, she was brilliant, taught me all I needed to know about grammar and writing… but that shrine dedicated to Mussolini in the back of the room? Really? Mrs. Paganini was a complicated person, that was for certain…

Above all, dialogue needs to sound like people talking. Stylistically, if a new character speaks, start a new paragraph. Try to not have a character say too much in one go, it can lose readers.

“You think those ideas work all the time?” a reader asked.

“They’ve served me well,” I said.

“How do I know this isn’t more of Mrs. Paganini’s neo-fascist propaganda?”

I thought a moment. “I guess you can tell it’s not that because one, I’m not wearing a paramilitary uniform, and, two, not once have I spoken about the need to invade either Ethiopia or Albania.”

My reader nodded, satisfied in my answer.

5. Getting rid of “to be” verbs. Remember up in 2, where I talked about nouns and adjectives, how I said “beats” instead of “is better than”? Getting rid of is, are, will be, was, all those “to be” verbs will force you to use actual action words, and that moves the story forward in an interesting way.

***

OK, so those are the rules of good writing. I’d also recommend reading Socrates’ “Poetics” for some tips. It’s a short piece and well worth your time. It’ll also explain why that huge race sequence in “The Phantom Menace” was such a beat-down… put effects ahead of plot and character…

I’d also recommend reading things that help the InfoSec mindset. Look to Eastern Europe for fiction authors and look to trade journals for jumping-off points for stories.

My reading list will include films, but since I use subtitles, I’m still reading them, aren’t I?

Arkady and Boris Strugatsky – Roadside Picnic; Stanislav Lem – Everything he wrote, go for Cyberiad, Solaris, and Memoirs Found in a Bathtub; P.D. Ouspensky – The Strange Life of Ivan Osokin; Vladimir Savchenko – Self-discovery

For the films, go to the Mosfilm YouTube channel and watch Solaris, Stalker, Kin Dza Dza – those are the intro to Soviet sci-fi, which is much more cerebral and psychological than US sci-fi, which tends to resolve issues through violence and/or application of brute physics.

While you’re on Mosfilm, consider also Ivan the Terrible (Ivan Grozny), Ivan Vasilievich Changes Careers, and White Tiger (Belyy Tigr). The first is a pair of films that was Game of Thrones stuff decades before HBO, the second is a wild time-travel romp, the third is about a man who can speak with tanks in WW2.

Also consider the Czech film, “Tomorrow I’ll Wake Up and Scald Myself with Tea”. Why? It’s about things going wrong, and that’s what security is all about.

Once you’re paranoid and twisted in your thinking, you’ll read trade journals and start to get ideas about how things go wrong. You’ll read marketing materials from vendors that promise the moon and see holes in their logic that may deliver a shattered earth instead of a new world. You’ll see reports on outages and mentally explore what’s not reported, how much worse it could be.

Then, you’ll want to write that story.

***

We’ve gone from fiction writing to science fiction writing (briefly) and now we’re ready to deal specifically with InfoSec fiction writing. There are no rules for it yet, because as far as I know, there’s only a handful of people trying to write it, and I’m one of them. So I’ll go into my philosophy, and I’ll try to show instead of tell as much as possible.

The short story is ideal for InfoSec fiction. The short story in sci-fi takes a small concept, a gimmick, and toys around with it. The gimmick is the center of the story, so it won’t last very long at all. It’s not a character, so it shouldn’t be pushed all that far. There will be people and things reacting to, planning to use, and being affected by the gimmick, but the gimmick is the center of attention.

Consider a story about a guy using Internet-enabled footwear that’s also equipped with a flash drive and a toner-like device that can pick up signals from network cables. Fun will be had in the story, but it’s over as soon as he visits the coffee shop and uploads his stolen data to the highest bidder. Maybe it’s over now, but that’s how it goes with the gimmick. It’s a short story, but a merry one.

Writing a longer story runs the risk of getting preachy. If your characters are starting to launch into long dialogues explaining best practices, you are writing an editorial at best and a user manual at worst. If your tale has legs and it’s going to travel into the land of 10-40K words, you’re into novella country, and that demands a different focus for your writing.

Novellas have to be character-centered. This means the focus is not on the technology, but on a person using/affected by the technology. The exposition is about the character in relation to that technology, and the temptation to get preachy will try to overpower you. Resist. Stay with that character and his or her moral journey, as he or she struggles with A Big Decision. For it to be InfoSec related, the Big Decision needs to be related to that technology. A plot in which a jilted lover considers killing his former love becomes an InfoSec plot when he ponders the killing by way of a drone strike, homed in on the former love’s cell phone location… and then, to his horror, he realizes the drone strike took out an innocent because the former lover dropped the phone in the parking lot and the innocent picked it up to go return it to the nearby store’s lost and found. The actual strike and realization would be the climax of the story, unless we want this to be a psychological tale about the killer being caught and being sentenced to work out his problems with an AI counselor… that may have a few flaws in its code…

Novels are big things. If you’ve got the nerve to write an InfoSec novel, good luck with that. If you can keep from preaching and make it all about a group of characters dealing with a world changed by a technology, you’ve got a sci-fi novel. To make it InfoSec, those characters deal with a world changed by the *flaws* in a technology.

That’s the biggest part of InfoSec writing, in my view. We confront the promise of better living through technology and poke at the weaknesses in that premise. We ask what can possibly go wrong and then unleash that vulnerability on our characters. Sometimes, our characters are resilient and deal with the problem. In such cases, I’d recommend no neat and tidy happy ending. The characters dealt with the problem, but now they live in a patched world, and they have to be on their guard just in case the patch introduced a new vulnerability.

An InfoSec writer also has to face a decision whether or not the story will be hard science or more Hollywood in its portrayal of technology. My style leans mostly towards hard science. I want things to be highly accurate. My characters will never ping 10.800.1.1. My characters will never have a program with a GUI that looks like it was designed by a special effects company. My characters plow through huge logfiles, they run Wireshark and pore over the captures, and they get mandatory reboots of their OS at the worst possible times.

But, there are times where I want to go Hollywood. In these stories, I create a fantasyland where all is well, all is good, there is better living through technology for all… except, hey, what’s this little red button do? Ah, it reveals that the makers of this heaven were really humans and there are devils from our own day and age in those futuristic details! Here we are in the year 2877, but the world comes crashing down because the code is backward-compatible to run a DOS 5.0 program… in so doing, I’m able to point out the folly of assuming backward-compatible code is secure, but *without getting preachy*.

I just realized I was getting preachy about not getting preachy, so maybe I should leave the rest to your imaginations and end my essay here.

Or should I say “show, don’t tell” one more time? Where is Clippy to help me finish writing a story when I need him the most?

Matryoshka

Tommy Mothersbaugh caught an anomaly. For the first time in over a year of scouring security logs, he found something that shouldn’t have been there. He took the report to his boss, Mary Jordan. He knocked on her open door.

“What’s up, Tommy?”

“I think I got something here, Mary. It’s not much, but it’s something.”

“Whatcha got?”

Tommy held out the report and pointed at a traffic flow. “That’s a printer in our Panguitch office. Trying to reach a TOR exit node.”

Mary lifted up her glasses to squint at the tiny print. “Huh. You sure about that? Double checked it and all?”

“Yes. Something’s up with that.”

Mary set the report on her keyboard. “OK if I keep this for my report?”

Tommy nodded. “Anything else you want me to do for follow-up?”

“No, no, that’s OK, we just file our reports and then things move upstairs… By the way, I wanted to ask you something and I’ve got a few minutes before my next meeting. You want to get the door and have a seat?”

Tommy shut the door and sat down.

Mary propped her glasses up, over her forehead. “How would you like to do a field assignment? You’ve been doing good work here in Analysis, so it’s only natural that you eventually sample other types of work… if you’d like to.”

“Sure, yeah. I mean, yes, that would really be cool.” Tommy’s surprise turned to excitement. “Where would I be going?”

“Well, wherever they send you. You’ll go through an orientation and then the officer in charge will let you know your assignment. But we can get you there as soon as you like. Tomorrow, even.”

“Tomorrow?”

“Tomorrow.”

“Dude. That would be awesome.” If Tommy was a puppy, his tail would be wagging wildly.

“Well, pack up your desk and make room for your successor.” Mary’s smile got Tommy to jump up, shake her hand, and then zip over to his desk with his good news.

A short, waited interval after Tommy left, Mary opened up SightsAndScenes.com and clicked the “helpful” button by Barry7711’s review of The Dinner Bell restaurant in Muleshoe, Texas.

Instantly, a minor official in another nation received an alert on his phone. The text on Gleb Ivanovich’s phone read, “Text ACCEPT to 495 697 03 49 to receive information on your prize!”

Any English-language text with the phone number for the Kremlin was serious news. Gleb brought up his browser and checked which review for The Dinner Bell got an additional like. Following the liked review back to that user’s home town indicated where operational cover had been blown. And that cover had been blown in… Panguitch, Utah? What and where is a Panguitch? Even after looking up information on the tiny town, Gleb couldn’t believe it existed. Why they had bothered to put a system there that we had bothered to compromise, Gleb did not know. He shook his head and sent a PDF brochure of Bryce Canyon National Park to another minor official.

Sofiya Olegovna glanced over the brochure in Gleb’s email and checked the traffic records for that system. After a few clicks and a few presses of Page Down, she had the data she needed to review. Hmmm… we haven’t done anything with that system in a long time, a long long time… and neither have they. Was this something some other guys were doing? Sofiya thought some more and became certain. This was definitely the doing of some other guys. Sofiya moved to make her report to those who needed to know.

Mere moments later, a spam campaign sent out 3.2 million messages proclaiming the virtues of all-natural Xenon Hexafluoride capsules. Most of the spams were either eliminated by filters or deleted by the fools still suffering without antispam measures. There were, however, 2 people who did not delete the spams, but, rather, accorded them the most urgent of responses. One of those people was in a very quiet office in a very quiet building in a very quiet part of Northern Virginia.

The TINCAN monitoring project was one of the most demanding of analytical jobs, but one that had also produced much valuable intel. Cracking the Spam Code was possible only because of the incredible attention to detail by the steganographers working for TINCAN, searching for meaning in the grainy background images of the spams sent by agents of the rival power. Of course, the meaning in the images was always encrypted, but the one-way pad in the hands of TINCAN’s director provided the key, every time. And now, the urgent response from the person in the very quiet office brought a collection of letters and numbers to the TINCAN director for his one-way pad to work its magic.

Director Andy Garfield ran the decryption protocol. He nodded and dismissed the urgent responder, then contacted his counterpart in Systems Monitoring via a scrambled line. Even if a rival power or those other guys had access to the phone system, they wouldn’t be able to break the encryption on the line. And, besides, what was so unusual about two intel directors talking with each other?

As it turned out, the rival power *did* have access to the phone lines. And, while it was true that the rival power could not decrypt the phone conversation, the rival power nevertheless deduced that this particular conversation fit a pattern that had gone along with its recent spam campaigns. Agents and administrators within the bowels of the rival power’s intelligence community put the wheels in motion to bring the spam campaigns to a close. One or two more actual messages would be leaked, and then disinformation until they didn’t believe us anymore. After that, the spam would have served its purpose.

Director Claus Niklaus of Systems Monitoring answered Director Andy Garfield’s call. “This is Niklaus.”

“Hello Niklaus. Garfield here. How ya doin’?”

“Doin’ fine, Andy, yourself?”

“Got my health. Can’t complain. This a good time?”

“Sure is. What’s eatin’ ya, succotash?”

“Well, Claus, it’s like this. You got a system in Panguitch that came up in analysis earlier today?”

“Yeah, just a while ago.”

“Well, I know all about it.”

“Ya don’t say… Huh. Thanks for the info, Andy.”

“Always a pleasure to help out, Claus. Hang in there, buddy.”

“Sure thing. Thanks a heap. See ya.”

“See ya.”

They both hung up and Claus leaned back in his chair. Only way Andy would have known that is if he’d intercepted and decoded a message from the rival power regarding the Panguitch system. Only way the rival power would know about that would be if they had a mole in his organization or a tap on his lines or a hack on his systems. Time to hire a rat-catcher, Claus figured.

The next problem Claus faced was that this wasn’t a direct operation of the rival power’s. Had it been, they wouldn’t have used the Spam Code that Andy’s TINCAN people were taking apart. That meant that the other guys were mixed up in this. The rat looked to the rival power for money and benefits, but the compromise on the Panguitch system could be laid at the doorstep of the other guys. Claus put in a call to Lauren Bishop, Director of Internal Investigations.

“Joyful Snow Pea Restaurant, can I help you?”

“Sorry, wrong number. I misdialed the third number.”

“OK, no problem, goodbye.”

Claus redialed, properly, and got Lauren on the phone and let her know about the mole, and how he may or may not be working for us or them, but definitely the other guys.

Meanwhile, the cashier at Joyful Snow Pea Restaurant knew exactly what to do, based upon Claus’ message. She placed an order for 2 dozen cans of Hunan-style water chestnuts to the trade attache at the Chinese consulate in San Francisco. The trade attache, in turn, sent an email to Shandong Huaye Tungsten & Iridium Tech Co., Ltd., requesting a quote for 600kg of pure tungsten rods, 100mm diameter. That email kicked off an alert that went straight to the head of Bureau Nine of the Ministry of State Security.

He wasted no time in getting up and moving as fast as he could without running to his boss, hoping to get there before the head of Bureau 8. The head of Bureau 8 had an unfair advantage, as his office was 10 meters closer than his own.

The head of Bureau 9 sped past the door of Bureau 8. He smiled. Those speed-walking classes had paid off a great dividend. He entered his director’s office and did his heel-toe, heel-toe walk right past the secretary, into the director’s antechamber. He pressed a button and waited.

Still no sign of Bureau 8. The head of Bureau 9 smiled as he heard the buzzer indicating the director was ready to receive a visitor. He walked in, normally this time, and said only, “Panguitch cover blown.”

The director nodded and dismissed the head of Bureau 9. The head of Bureau 9 nodded and exited. In the antechamber, he saw the head of Bureau 8 cooling his heels. “No need to see the boss now, I got here first.”

“Damn. Just my luck, I was in the water closet when I got the info.”

“You know it is Bureau 9’s job to protect this ministry from infiltration by foreign agents. Why do you always meddle in our matters?”

“You know damn well it’s Bureau 8’s job to handle counterintelligence. We have to keep tabs on you guys in Bureau 9 when you step into our territory.”

“Is that what you will tell the senior director? That we are in your territory?”

“No, this is a small thing, not worth a fight… but what might be worth a fight is your bureau removing our microphones. Your department is not above suspicion of counterintelligence.”

“Well if you want your microphones back, give us back our cameras! We have to be certain that our counterintelligence team hasn’t been infiltrated by foreign agents!”

The head of Bureau 8 thought a bit. “Two microphones for one camera?”

The head of Bureau 9 nodded in agreement. “Send the draft proposal to me today, I’ll sign off on it.”

Both men returned to their respective departments. The head of Bureau 8 then reviewed the budget for next year’s office supplies. He circled the amount proposed for printer toner and noted it should be reduced.

Three days later, Tommy Mothersbaugh was just outside Panguitch Middle School in Panguitch, Utah, wearing a brown shirt with a printer vendor’s logo prominently embroidered above the left pocket. His instructions were to remove a printer from the faculty workroom and replace it with a similar model. He was then to deliver the removed printer to the e-waste center in Hurricane, but was to get there by way of Orderville and Zion National Park.

Tommy also had instructions to park at Zion National Park and to go see the sights for ten minutes, leaving his vehicle unlocked.

Tommy arrived at Zion and parked his car near a bunch of tour buses loaded with Chinese tourists. They all debouched from the buses around the same time he left his van. Tommy walked away, glancing back at the mob of Chinese tourists. He went to the main office, figuring he’d use the bathroom while he was there. After using the bathroom, he walked around in the gift shop and accidentally bumped into one of the tour bus drivers.

“Oh, sorry! Please excuse me.”

“Not a problem, no worrying.” Tommy was struck at the thickness of the driver’s Russian accent. Then again, lots of immigrants got jobs as drivers, such was the nature of things. Tommy never was sure about what things he should ask questions about and what things he should just let pass without comment, so he guessed this was no big deal and forgot about it.

Tommy returned to his van and checked the insides. Nothing was stolen, and the printer looked like it hadn’t been touched. Tommy shook his head at the instruction that made no sense and drove on to the e-waste disposal center. This field work was just as boring as analysis work, but at least he got to see some beautiful countryside on this mission.

Meanwhile, back on one of the tour buses, the Chinese tourists were talking animatedly about a small piece of electronic gear they had removed from the printer as the bus driver nonchalantly checked to make sure the bus security cameras were running properly.