Welcome to your installation of Secure All the Things (SATT). We thank you for your purchase of our product and hope your installation process goes smoothly. We believe that SATT is the most secure network security solution on the market today. Your commitment to security has brought you here, and we are ready to walk that journey alongside you.
Wow, that was pretty over the top for marketing-speak. Franz Zimmerman saw boxes and arrows further down on the page. Boxes and arrows promised more comforting tech-speak, so he persisted in reading the SATT quick start guide.
In order for SATT to be secure, it requires a high degree of secrecy. This is why you are reading this quick start guide at a SATT safe house.
Yeah, that was a weird requirement. Franz had to take a cab to the airport, where a black SUV picked him up to take him to the safe house to read the guide. These SATT guys were serious about security, from the looks of things.
Your first step in your SATT installation will be to utilize shell companies in the purchase of a property that will house the SATT management servers. Below is a checklist of the requirements for each shell company.
Huh? What? Shell companies? Franz looked over the rest of the quick start guide, which was a single, laminated card, standard page size, printed on the front only. The boxes and arrows were a flow chart, about setting up shell companies, from the looks of things. Where was the listing of how much RAM or CPU cores the servers would need?
Franz looked down at the coffee table where he had picked up the quick start guide. A piece of paper with some scribbles on it was next to a land-line phone. The phone had thicker cables than normal. A closer look at the paper revealed it had two charts, one with cells full of phone numbers, the other with words that looked like surnames randomly picked out of the phone book.
Using the chart with words, select one from column A and one from column B, with a corporate type from column C. Arrange these in any order for the name of your first corporation. Using one of the number sets from a cell in the chart with numbers, dial the phone. When the other party answers the phone, speak the name of your first corporation and hang up. Using different words and numbers each time, repeat this process for companies 2, 3, and 4.
Well, Franz had to give SATT points for clarity of instructions. His first company was “Hartford Canterbury, Inc.” He dialed the first randomly-chosen number and heard an odd ring tone. Must not be American. When he heard the other line pick up, he said the name of the first company. He heard nothing on the other end, so he shrugged and hung up.
The second firm was “Anderson Harriman, LLC.” Another number dialed, a different ring tone, and more speaking into the silence. The same for “Cleveland Young Partners” and “Kerrigan Blackwell GmbH.” So what was the next step?
Once the shell companies have been created, wait 20-30 minutes for an envelope to be slid under the door into your room. If the envelope does not appear within that timeframe, abort the procedure and arrange for another quick start session, at no additional cost, with your SATT sales representative.
Franz looked at his cell phone to see what time it was now. His cell phone was black and blank. Oh wait, the driver said to turn off his cell phone when he got into the car… and to not turn it on again until after he finished the process and was back at the airport. Franz even had to remove his phone battery, to make sure it was good and off. A trusty old electric clock on the wall said it was 9:37am.
At 9:59am, the envelope slid under the door. Good. Franz didn’t want to have to go through all this again, especially since there was nothing to do, at all, while waiting for that envelope. In the envelope were details of each company’s incorporation – addresses, contacts, phone numbers, tax ID numbers, the works. Hartford Canterbury was a Delaware company, Anderson Harriman registered in Panama, Cleveland Young in Kenya… Kenya? Really? Huh… and good old Kerrigan Blackwell was running out of Las Vegas, Nevada. OK, so back to the quick install guide…
Now the boxes and arrows made sense, since Franz had companies to go with them. Each company information page had a large, circled number in the top left corner, which corresponded to a corporate entity mentioned on the flow chart. Using some new phone numbers, Franz set about having company 1 transfer funds to company 3, which then secured a loan from company 2 so that company 3 could purchase an office park in suburban Omaha that it would then transfer as an asset to company 4, which would then use it as collateral for buying a building in Franz’ home town.
The transactions went forward without any problems and Franz had to hand it to SATT for an installation process that, up to now, was truly medialess. Only Franz and whoever put the address of the building on a piece of paper in the envelope knew where the final building was located. Franz assumed that that would be where he’d find the server racks for the SATT gear. For now, the quick start guide instructions were exhausted but for the last:
Exit the room and exit the building with the door on your left. A vehicle will return you to the airport and provide you with further instructions. Take the envelope and all its contents with you. Any materials from the envelope left behind will necessitate restarting the quick start procedure. Leave this quick start guide and the paper used for creating the companies in this room. If they are removed, that will also necessitate restarting the quick start procedure. Removal of this guide and/or the accompanying paper will also incur penalties and may invalidate your SATT installation.
Yeah, this was a pretty big-ticket deal, so Franz made sure to leave what should be left and to take what should be taken.
A different driver, most likely with a different black SUV, picked up Franz. The driver asked, “Everything go OK, Mr. Zimmerman?”
“Yeah, it all went well. No complaints.”
“Excellent. Your cell phone still off?”
“Yes. Battery in my other pocket, like the other driver told me to do.”
“Perfect. We’ll be back at the airport in about 20 minutes. Traffic is pretty light.”
“Great.”
And that was all they said for the rest of the way. Once they got to the airport, the driver reached into his door well and produced a manila envelope. Franz presumed this was further installation instructions. The driver smiled and handed the envelope to Franz. “I hope the rest of the install goes well, Mr. Zimmerman. Thank you again for choosing SATT as your security solution.”
“Sure thing, thanks.” Franz left the SUV and put his battery back into his phone so he could call a cab. Franz didn’t touch the new envelope, that was for tomorrow, when he went to the building owned by company 4. He would have to say that he was a representative of company 3, there to inspect the purchase of its wholly-owned subsidiary.
When a third black SUV – how many did these SATT guys have running in the area? – dropped him off at 1604 Chestnut St., Franz stood a moment in front of the boxy, 3-story typical American office block. He entered and looked at the list of tenants in the lobby. Number 207 was listed as “Building Management”. That meant he’d use the keycard to gain entry to suite 209, which wasn’t listed anywhere on the tenant list, presumably a secure annex for building management.
The lobby security guard called an elevator for Franz. Franz said “thanks” and got into the elevator, then punched 2.
On the second floor, Franz walked past a pair of restrooms on his way to 209. He hoped that he wouldn’t have to key out and key in every time he needed to use the bathroom. He hoped against hope that there would be a private facility inside 209. Also at least a mini-fridge and a microwave for his lunch.
Franz inserted his keycard into the door mechanism and got the green beep. He opened the door to see a nice workspace, with one of those desks that could adjust for standing or sitting, as needed. There was even a treadmill. Full-size fridge, microwave… and an oven with a range top? This wasn’t an office, this was an efficiency apartment, practically! A door in the right wall promised a bathroom. Gentle light poured in from the picture window with a northern exposure. Great view of the skyline from here. Pity Franz couldn’t actually move in, but sometimes a great work environment is best when it’s only used for work.
The other door in the right wall was the server closet, judging from the sound of whirring fans coming from within. A PC on the workspace had a network cable that went through a small hole in the wall, into the server closet.
Franz took his microwave cuisine out of the plastic grocery bag and put it into the freezer. There were ice cube trays in the freezer, which he took out and filled up. Never can have too much ice. Franz put his cola into the fridge and thought about what he could do to stock it up.
Franz sat down at the workspace and picked up a new laminated card.
Log in to your workstation, using your company-provided directory username and password. You will be immediately prompted to create a new username and password for your access to the SATT system. Your username must be at least 16 characters long, contain at least 3 special characters, and may not begin with an alphanumeric character. For your reference, a chart with ALT and Unicode combinations for various special characters has been provided.
Hold on, this was for the *username*? What were the password rules?
Your password needs to be at least 32 characters long, contain at least 10 special characters, and may not have an alphanumeric character for at least the first three characters. Once you submit your password, it will be subjected to both a dictionary and brute force attack. If it is not cracked after 30 minutes of such an attack, you will be permitted to use that password. If not, you will be prompted to create a new password and repeat this procedure.
Wow. Why 30 minutes? Oh wait, that’s right. The sales engineer had explained that if anyone tries to compromise the system, SATT would determine the location of the attacks. It would shut down intermediary access points if it did not locate the source of the attack. SATT would “appropriately deal with” any person or device found to be responsible for the attack. So that 30 minutes may be the time SATT would allow the attack to continue so that it could do its part to track down the attacker.
Franz wondered what “appropriately deal with” actually meant. In the pre-sales meetings, he just chalked it up to vague sales-speak and emphasised the importance of sales promotion. Given all the activities involved in just setting things up, Franz speculated that maybe the vague language was so that his company could claim plausible deniability, if things got messy and somehow traced back to the company.
Do you know how hard it is to make a 32-character password with loads of special characters that you can actually remember? SATT had covered that in lesson 7 and lab 5 of their introductory training course that Franz took in an otherwise empty hunting lodge out in Melrose, Montana. “I like coming here in the off-season,” he had to tell anyone who asked what he was doing there. “See the nature while it’s not being shot at.”
Franz entered in his username and password, but the “OK” button was grey. No response from it or the Enter key. What was up?
Franz remembered. He could do whatever he wanted with the big windows, but he had to open the blinds on the window above the sink in the kitchenette – they said there would be a smaller window – and look out of it while counting “One, Mississippi” all the way up to 20. Do that every day, no rushing.
Once Franz got back from that, the “OK” button was a nice, accepting shade of blue. He clicked the “OK” and got ready to wait 30 whole minutes.
There was no Internet. The workstation wasn’t set up for that and the suitcase-sized box with six antennae over in the corner made sure no wireless device would have Internet, either. Franz hit the bathroom, then took a look at the bookshelf by his workplace to see what there was to read. He could bring his own books, to be sure, but the folks at SATT also had a recommended reading list for him to go through at least once. So what’s up on offer in the SATT library?
There were books on reading packet captures and debugging code, but also quite a few books about shipwreck survivors, polar explorers, and life aboard space stations. Say, what kind of message were they trying to send about the job ahead? Franz also noticed on one book spine, “The InfoSec Joke Book.” He pulled that one from the shelf. He opened it to the middle.
“Knock knock”
“Who’s there?”
“[REDACTED]”
“[REDACTED] who?”
“That’s on a need to know basis.”
Franz laughed, that was a good one. Another line on the opposite page read simply, “3DES.” Right after that, the line “End users.” Franz laughed even harder. OK, this was the one he’d start with.
30 minutes after pressing “OK”, Franz was at the welcome screen. The quick start guide instructed,
At the welcome screen, enter the default username and password for accessing the SATT management server. A list of default usernames and passwords is provided in the envelope you received after the first phase of SATT setup.
Franz rummaged through the manila envelope and found a page completely filled in 10-point Courier type on both sides. Well, not completely filled. There was a small space at the end of every 100-character line. 64 lines on each side. Franz had to count in order to counter his disbelief. Which ones were usernames and which ones were passwords? Was a username the same as its password? Well, probably no to the last one, these guys were pretty good at security. But that then made him wonder if he was to enter the lines as seen or if he should put them in backwards. Or to read them as 100 columns of 64 characters instead of 64 lines of 100. 64 sounded like a nice and binary number, so he went with that, using one side for usernames and the other side for passwords.
None of them were working. He had entered 4 combinations when the phone rang. It was another one of those landlines with thick cords, but with no way to dial it. It was a direct line to somewhere, wherever SATT tech support sat, probably. Franz picked up the line.
“Mr. Zimmerman?”
“I’m sorry, there’s no one here by that name.” That’s how Franz was supposed to answer every time. Unless the person on the other end didn’t ask for Mr. Zimmerman. In such a case, he was to tell the caller to wait a moment and then press the panic button to cause the SATT server to self-destruct.
“5th row and 27th column.” The other person hung up.
Well, even if the person didn’t say which sides to use or how to count in to the 5th row or the 27th column, at least it was narrowed down to 16 possibilities. On the 9th try, using the 5th row down from the top on the backside and the 27th column in from the right, also on the back, Franz got in. And while 5 and 27 were burned into his mind, good luck to anyone trying to use that card to brute force on in to the system. Manual entry of long lines of characters was such a pain, but, hey, that’s security, right?
Like it said in the InfoSec Joke Book, “How many [REDACTED] does it take to [REDACTED]? [REDACTED]!” It was so funny because it was true.
Once in and past the welcome screen, the initial configuration wizard kicked off.
Congratulations! Your Secure All the Things(TM) management server is now active! Let’s get the rest of the system activated and busy securing your entire enterprise! Step One: select a vendor at random from the list below. Once you’ve selected the vendor from the drop-down list, click the OK button for the next step.
There was a very long drop-down list and Franz was glad this wasn’t a Java-based app he was working with. Those things can lag so badly. Franz picked “Martin Industrial Fire Suppression Systems” and then clicked the obligatory “OK” button. He vaguely remembered something about a vendor installing a behavior analysis system. These guys would probably rig up the whole company while they also maintained the whatever, the fire thingy or whatever.
Great! You’ve selected a vendor! Step Two: Now, select someone in your facility maintenance department. This person will be involuntarily terminated, to be replaced by a licensed and bonded SATT security specialist.
Franz hit the drop-down list and picked some lady at random. In his training back in Montana, they had told him that whoever gets fired will spend about 2-3 weeks unemployed and then be contacted about an opportunity to work with SATT. That’s how SATT kept up a ready supply of bonded and secured security specialists. For now, though, they needed someone in place that would approve the vendor from step one without question or hesitation. Another “OK” button click and Franz was at the next screen.
Steps three through seventeen involved picking someone in the networking, desktop management, antimalware, wireless, web development, cloud services, virtual desktop management, physical security, datacenter operations, backup/storage, virtual server, network security, application development, mainframe, and database administration departments. These individuals didn’t know it yet, but they would soon get instructions to enter certain lines of code where needed so that the SATT system would have full access to all the devices under their supervision. If they didn’t cooperate, Franz understood that SATT could do things that would get them to cooperate, not to worry. Franz “OK”-d his way through all those screens.
Awesome! We’ll work with that database administrator soon! Step Eighteen: Press the OK button to initiate the Internet of Things management phase. This will take a while, so we hope you’ll enjoy a good book in the meantime!
Franz punched the “OK” and got back to the joke book. This was the cool part, where SATT would use its repository of default admin usernames and passwords to break into every IoT device in the company and then change that combo. But wait, there’s more! SATT would also patch the code so that no other system could break in like that. As an added bonus, SATT would act as a proxy between the vendor and the device. If the vendor had a code update, SATT would vet it and then pass it along.
And if a vendor stopped maintaining a device, SATT would be there to watch over it. SATT would gather those devices as a hen gathers her chicks under her wings, keeping them safe and even re-writing their source code if that was necessary to protect against a just-announced zero-day. How SATT had access to all this source code, Franz wasn’t all that sure, but maybe it wasn’t very difficult to get in the first place? Good for SATT for at least using its penetrating power for good.
About an hour after Franz finished his lunch, step eighteen completed.
You’re good to go! The basic Secure All the Things(TM) configuration is now complete. You will receive a notification when the behavior analysis installation is complete. You will also receive notifications when each department identified in a previous step has completed his or her required work. If there is an issue with a department staff member, you will be notified, but will not be required to initiate any escalation measures. Press Finish to exit this wizard.
Franz pressed the “Finish” button and the servers in the closet began to emit prolonged sub-bass tones that did not agree at all with the Swedish meatballs Franz had at lunch. Strong green light poured out of the cracks around the door to the server closet and out of the hole for the network cable. Although Franz knew to expect that, it was still terrifying to witness firsthand for the first time. After five minutes that seemed like an eternity spent hurtling through deep space towards a mad god at the center of the universe, it was all back to normal.
Franz went to use the bathroom and re-acquaint himself with reality.
As his company’s SATT administrator, Franz had to deal with configuration and maintenance of the system. He was also the person empowered by his company to deal with major security incidents. SATT itself could handle most security functions automatically, once some parameters were set, but those major issues still required a human call about how to handle.
After that first day, Franz’ travel to and from the workplace was on his own. In the days immediately following the initial setup, Martin Industrial Fire Suppression Systems got awarded a maintenance contract by the new guy in Facilities Maintenance and rigged up the behavioral analysis system lickety-split. This came in handy for working with the admins from steps 3-17 that didn’t cooperate right away. Two were just lazy and needed only a friendly prompt from their bosses to take care of that request in their inboxes. One, though, was getting ready to leave the company, as evidenced by his copying of quite a few files he really had no business copying. Win number one for SATT! That behavioral analysis portion was beginning to pay for itself.
Franz approved the sanctioning of that admin, the guy in charge of virtual desktop management. SATT launched trojans against his personal PCs to encrypt all his files, at home and in the cloud. SATT also worked a little magic with a department store’s security video footage so that there was enough evidence to put out a warrant for his arrest on felony theft charges. SATT security specialists within the police force sent out arresting officers while SATT security specialists within the department store spirited away the appropriate items of jewelry that would be found at the home of the virtual desktop administrator. There were even SATT security specialists at a nearby dog track, ready to create huge gambling losses for the hapless admin, ensuring he’d have plenty of motive to steal the jewelry.
SATT philosophy was that it was easier to prosecute someone for physical theft than it was for digital theft, so it was better to fabricate immediate felony charges than wait for the wheels of justice to clank along for a difficult-to-understand and hard-to-prove intellectual property case. Franz rationalized, “Hey, we can see the guy is guilty. It’s six of one, half dozen of the other how he gets brought to justice.”
Franz had to pick another person in the virtual desktop group and then, soon, the installation was complete! There was another awful episode of sub-bass tones and unearthly green light, but that was really the only thing that Franz wanted to submit a feature request about. The rest of the SATT installation process had gone quite well. Or, wait, was there something else that was a problem?
Hang on. Franz looked up at the coffee maker he had to bring in to his office. *That* was the other thing he wanted to add to his evaluation of the install process. Gotta have a coffee maker in that office, or what else were the admins supposed to drink as they dealt with people’s lives?