Thursday, March 28, 2019

Monday, March 25, 2019

A Dream, and Other Musings

I had a dream last night.

Heh. That opening makes me think of a song (from the Romeo & Juliet soundtrack), but it's true.

It was weird, actually, because it felt like I was having a deep conversation with someone, then woke up before it came to a conclusion. Then fell asleep and had a deep conversation with someone different... and that happened maybe three or four times?

It's gone all fuzzy now, and trying to put it into words makes it even fuzzier. Things that seemed so clear in the dream suddenly aren't. I've already forgotten what was said, and just remember the gist of it. Except even that starts seeming less clear when I try to put it into words.  We were discussing... my purpose? Goal? Perspective on life?

Gyah!

I just remember the answer, which I hadn't gotten around to giving before waking up. Which was that I sought understanding.

It's an impossible task, I could spend a thousand lifetimes learning everything I could and it still wouldn't be enough. But I am generally curious by nature. It doesn't matter whether it's about quantum physics, history, biology, art, computers, national security, philosophy or what. I do have a preference, in general, for anything related to human nature.

I suppose it's a bit because I believe that "He who controls others is powerful, but he who has mastered himself is mightier still" (from Lao Tzu), or perhaps even Sun Tzu's quote:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

I do remember reading the Lao Tzu one a long time ago, as a child, and having it sink in. Perhaps that's part of why I've chosen to focus so much on human nature...  understanding myself and others around me.

Understanding...

Well, I don't think I'll ever get bored with that one. Over and over again, the great challenges of our day appear to be wicked problems. I still recall a really good analogy for that, though I forget which book I'd read it in. They described a wicked problem as though you were in a room full of furniture, each of which was connected to something else in the room, and you were trying to rearrange everything. Except moving one item would affect whatever was connected to it, so you were never able to do just one thing without considering the impact it would have on everything else in the room.

Solving a wicked problem requires a lot of study and understanding, like untying a Gordian knot the long way (instead of slicing through it with a sword.) We, as humans, generally get fed up and prefer the sword cutting solution... but ultimately that path has consequences, too.

Namely, well... if I could generalize one thing about a 'wicked problem', it's that there will probably be unintended consequences.

Whatever you are trying to do, if the task is complicated enough, it's almost impossible to predict and foresee all that will come from making that decision. For example, Reagan's decision to reduce funding for facilities treating mental illness contributed to a rise in homelessness (for those who had nowhere else to go) and meant more prisons had to pay money to treat mentally ill inmates.

Could that have been predicted? In hindsight, it seems a bit obvious... but from what I recall of the political climate at the time such a consequence wasn't even on anyone's radar.

I like trying to learn a little bit of everything (and a bit more than that in certain areas), of having enough of an understanding that I can somewhat predict what questions need to be asked in order to find those unintended consequences... before they become a reality.

It does make me a bit of a "jack of all trades, master of none" and it's not the sort of thing that's easily captured on a resume. Nor the sort of thing that I've ever drawn recognition for (an old ex of mine once said I had an amazing talent for being overlooked. I could write a nice little post on the topic of invisibility, and why my friend and I had an inside joke about it, but I don't feel like doing so right now.)

Anyways, I had a dream last night, and it meant enough to me that I decided to write a post about it.

Wednesday, March 20, 2019

Nebraska Flooding

It really weirds me out that I see a ton of stuff about the flooding in Nebraska on Facebook - because of friends from when I lived there - and so little on the usual news sources.

Like, half of Offutt AFB is underwater apparently.

More and more I wonder what the heck is happening, and when did the world go mad?

Tuesday, March 19, 2019

Good Advice

https://warontherocks.com/2019/03/loyalty-and-dissent-getting-flag-officers-to-hear-the-truth/

Friday, March 15, 2019

On Conspiracy Theories (Re: Claims New Zealand Was a False Flag Op)

There's a post I've been thinking about for a while, and this gave me a direct lead to it.

As a people manager, I've had to address employee issues where someone was spreading rumors about another person, and I've sometimes wondered about what causes them to do it.

On a grander scale, the same sort of thing appears to be true in the political world...

Take Holocaust deniers. On the face of it, it seems ludicrous. We have well documented pictures, we have veterans (or had) who remembered being there. President Eisenhower even made a point of documenting as much as he could, and ensuring as many people saw the proof as possible. How can anyone possibly pretend the Holocaust didn't happen?

When I think about how such a conspiracy theory develops, well, there's two ways. One benign and one malicious.

The benign way is basically a bit like the game of 'telephone'. Someone said something (probably just bs-ing) that got overheard wrong, which got garbled in discussion with someone else, and it morphs into a rumor that people believe because they want to believe, for whatever reason.

The malicious way is when someone deliberately spreads something they absolutely know is false, something that they made up themselves. And they're probably doing it for political gain.

Take Holocaust denialism. For an Arab world that saw the Israeli nation as an affront (and perhaps even as yet another evil colonial act by Western powers), undermining belief in the Holocaust also undermines some of the reasons that the State of Israel was created. So spreading the belief that the Holocaust never happened is something they probably think helps their cause.

I would argue that it doesn't, but that's mostly because I've come to believe beginnings (and the things we choose to allow at the beginning) shape the end result. In the Biblical context, "By their fruits you will know them."

Our own beginning - in the American Revolution, Articles of Confederation, and writing of the Constitution - shows a mix of good and bad that has profoundly affected the America of today... from the slaveholders writing the Constitution, to George Washington's decision to step down after two terms as President, to the decision - thankfully not required - on whether or not to allow the farmers fighting in the Revolution to return home when they started losing hope and wanted to tend their farms (I'm referring to the book 1776, which discussed the importance of the Battle of Trenton. I look at some other revolutionary movements around the world, and the way the leadership decided to compel support when they started losing it, and I think the decision to force support is part of what makes the leaders of those revolutions so horrible at governing if/when they do succeed).

To get back to Holocaust deniers, I can't believe that anything good would come out of whatever gains they think they'll make by spreading such a conspiracy. Whatever they are attempting would be like building a house on sand (to use another biblical reference), easily undermined by the lie.

We clearly have people today willing to maliciously spread conspiracy theories. Take Alex Jones, and his Sandy Hook conspiracy.

I wonder sometimes what goes through his head when he does something like that. Like - does he do it for political purposes? Out of fear that too many people would support laws restricting gun use? A decision to spread the lie in order to undermine support for gun control?

Is it a power trip? Does he take joy in seeing people believe and act on his BS?

Is he crazy enough to really believe the stuff he says?

And... above and beyond all of that... how is he so completely lacking in any sort of empathy, that he doesn't care what he has done to the families of the deceased? If it were true, if there were really a story there, he should be trying to get evidence and take this to court... not spewing this stuff out onto the general public. And if he thinks the courts and police officers are so corrupt that they wouldn't act on the allegations, then he sure as heck shouldn't be publicizing it like he did. It's basically BS for the gullible, and it apparently works.

How is he capable of even looking at himself in a mirror? How can he like and respect what he sees, when he does?

Okay, okay, that got a little bit more personal than I meant. It's not just one guy, after all.

There's also the people who created pizzagate, and although the person who created it did not force Welch to go shoot up the pizza place, Welch would probably never have done so if someone hadn't created and spread the conspiracy theory.

And now? Now we've got Rush Limbaugh implying that the New Zealand shooting was a false flag operation.

Again, I just have to ask...

How do you stand yourself?

All of you, all the people who do this sort of thing. All the people who make up a bunch of BS, knowing it's BS, and use their platform to spread that BS...

How do you make yourself feel like this is okay?

New Zealand Attack

Posting because I think it's important to say "this is NOT okay."

https://apnews.com/ce9e1d267af149dab40e3e5391254530

Nobody should be murdering people like this. It doesn't matter if they are Muslim, or Jewish, or Christian. Doesn't matter if they're brown, black, or white.

And although claims of incitement are tough to prove (people are not mindless, and do make their own choices on who to listen to, what to believe, and how to act on those beliefs) I hope those who say things that could be taken as encouragement for such behavior would take a long, hard look in a mirror and consider how to wield their influence for the better.

Thursday, March 14, 2019

Pew Research on Independents

Guess I'm one of the few who still has an unfavorable opinion on both parties.

http://www.people-press.org/2019/03/14/political-independents-who-they-are-what-they-think/

Wednesday, March 13, 2019

Regarding White Supremacy

There's something that bothers me about the ideology.

All right, there's a lot of somethings that bother me about it, but I doubt a conversation regarding the lack of scientific support for the idea would go anywhere (they're not likely to listen, and I'm not exactly willing to be persuaded by any of their arguments either.)

So for the sake of the following post, I will concede the point...

Most people have some awareness of the bell curve these days. The notion that any measurable trait is generally distributed in a bell shape:



That is, most people will center around the middle... and a few exceptional people are at the extremes of good and bad. Talented and incompetent, smart and dumb.

If you wanted to compare two populations, and say that one is generally better than the other, the distribution would probably look something like this:



Maybe even this:



And here's the thing. Someone at the top of the left bell curve will still do better than a number of people in the right bell curve. Even in my final example here, which shows a very clear 'superiority' (which is a subjective concept in the first place, but I won't digress) in the population on the right, an outlier from the left bell curve will still do better than over half the population in the right.

In other words, Serena Williams is still probably going to kick your butt in tennis, especially since skill is as much about effort and training as it is about innate talent, and she's definitely been putting in the effort.

So if white supremacy were true, what difference would it even make? Employers are supposed to want the best person for the job, and that 'best person' could still be someone of another race. Their effort and talent might have put them in the top percentile for their group, after all.

The only way it would make a difference is if the bell curves had no overlap at all, if every single person in the distribution to the right (even the least talented) was better than every single person on the left (even the best).

It's, quite frankly, unbelievable BS.

I get the fear underlying some of this... I only mean 'some'. It's tough to worry about finding a job (as I continue my own efforts at job hunting, I know this all too well.)

And when you're struggling, it's easy to wonder if other factors are keeping you from being where you want to be. I mean, if I put a more masculine version of my name on my resume would I have gotten more callbacks by now? Research indicates it's likely, and changing their name may work for minority candidates too. (I haven't, mostly because I'm not sure I'd want to work at a place that only considered me because they thought I was a guy... but as the hunt continues I admit it's tempting.)

Still, life being a terrible struggle doesn't make it okay to create a system that essentially considers all people of a particular race or ethnicity to be somehow less than all white people.

Serena Williams would still kick your butt at tennis, Muhammad Ali in boxing, Bruno Mars in singing, Alexandre Dumas in writing, and George Washington Carver in botany.

Monday, March 11, 2019

Interesting Evolution

https://blog.knowbe4.com/cyber-criminals-use-domino-effect-chain-attacks-to-leverage-one-compromised-bank-to-infect-the-next?hs_amp=true&__twitter_impression=true

Saturday, March 9, 2019

Computing - Malware, Phishing, Etc.

I suppose I should do a quick recap of the scenario, such as it is:

Your business operates in a gated community, where the front office is the only 'address' the internet has. The front office routes all the messages it receives in accordance with the various rules and protocols it's told to use, forwarding most messages to the fulfillment center managing customer requests and the rest to various employee residences as needed.

Each building - the front office, fulfillment center, and residence - has a robot maid (called Rosie, in honor of the Jetsons). Rosie comes in all sorts of makes and models, and you can add attachments as needed. There's danger, though... as someone familiar with the particular make, model, and/or attachment may be able to program Rosie to act in unexpected ways. She may take pictures of the files in your filing cabinet, or make copies of all your letters and send them on, or set a particular window to receive commands from another location.

I want to discuss that process a little bit further. See, malware has two separate stages. There's the method of infection (how the malicious software gets onto your computer and runs, whether by exploiting a vulnerability or by talking you into running it yourself) and then there's the payload, which is what the attacker wants the malware to do once it's there. The payload has more to do with the attacker's intent, whether it's copying files, encrypting files until you pay a ransom, or turning your computer into a 'bot' that checks in periodically for further orders.

Any method of delivering malware can be used for any of those purposes, and more. Different payloads will also give off different indicators that there's malware on your computer. If Rosie is communicating with a command and control center somewhere, there may be logs of that activity and ways to detect it... though you'd have to know how to spot it. (That's part of why I want to play with an IPS/IDS. See what it logs, what sets off an alert, etc.)
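The 'checks in periodically' behaviour is one of the easier things to spot in logs, precisely because it is regular. Here is an added example (mine, not from this post) that reads constructed proxy-style log lines and flags an internal host contacting the same destination at near-constant intervals. The host names, destinations, timestamps and the jitter threshold are all made up for the example.

```python
"""Spot a possible command-and-control 'check-in' pattern in outbound connection logs.

Constructed sample: proxy-style lines of the form
  <timestamp> <internal host> <destination> <bytes>
None of this is real traffic; hosts and destinations are invented.
"""
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_LOG = """\
1552100000 house42 news.example 48213
1552100300 house42 updates.example 512
1552100600 house42 updates.example 498
1552100900 house42 updates.example 503
1552101200 house42 updates.example 511
1552101500 house42 updates.example 507
1552100017 house07 news.example 39120
1552100233 house07 shop.example 8812
1552101044 house07 news.example 41022
"""


def parse_log(text):
    """Group connection timestamps per (internal host, destination)."""
    per_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, _size = line.split()
        per_pair[(host, dest)].append(int(ts))
    return per_pair


def find_beacons(per_pair, min_hits=5, max_jitter=0.2):
    """Return (host, dest, mean interval) for pairs that connect at near-constant intervals.

    Jitter is the standard deviation of the gaps divided by the mean gap. Real
    implants usually add some randomness to the interval, so the 20% threshold
    is an assumption for the example, not a tuned value.
    """
    beacons = []
    for (host, dest), stamps in per_pair.items():
        if len(stamps) < min_hits:
            continue                      # too few connections to call it a pattern
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((host, dest, avg))
    return beacons


if __name__ == "__main__":
    for host, dest, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{host} -> {dest} every {interval:.0f}s")
```

In the sample, house42 talks to updates.example exactly every 300 seconds and gets flagged; house07's browsing is irregular and is not. Against real logs you would also want to look at byte counts (check-ins are small and similar in size) and at how many other hosts talk to the same destination.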

But the malware has to get to Rosie first, get through the firewall to her, and she has to read it and be affected by it.

There's a bunch of different methods for doing this, and I by no means claim that I know them all. I will say one of the biggest/best methods is to get someone inside the firewall to connect to you. Phishing attacks, watering hole attacks, and the like.

Phishing attacks, at least when someone is deliberately targeting a business, are not the laughable attempts you'll find in your spam folder. They probably did their research (the video I posted earlier has some great examples of this, though it was done after they were already in the network.)

They may look you up on Facebook, or LinkedIn. May try to figure out your home address, your pets' names, your children's names. They'll try to guess your passwords and user name. They may go dumpster diving for any information they can use against you.

And when they craft an e-mail, it will be practically indistinguishable from legitimate mail. If they're trying to get you to install something malicious, they'll create their malicious software and find a way of wrapping it in something legitimate. If they say it's an ssh application, they'll attach it to the e-mail and it'll open and act just like an ssh application ought to. Or they'll add a link to an e-mail whose visible text looks like the real address, but whose actual destination is a server they control, waiting to hack you.

They can also use macros in Office attachments (which run code the moment you click 'enable content'), remote images (fetching one tells the sender your address is live and when you opened the message, and image-handling bugs have been exploited in the past), and other things. It's part of why the standard advice is to turn off the preview pane (previewing means rendering the message) and to block remote images by default.
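The 'link text says one thing, destination says another' trick above can be checked mechanically, and mail gateways do something like this. The following is an added example, not from the original post: it walks the anchors in a constructed HTML message and flags visible text that disagrees with the href, non-ASCII lookalike hostnames, and a trusted name buried inside an untrusted host. The message, the domains, and the TRUSTED set are invented for the example.

```python
"""Audit links in an HTML e-mail for the common phishing disguises.

Constructed sample message; the domains are reserved example names.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"bank.example"}   # assumption: the site the reader actually uses

SAMPLE_HTML = """
<p>Please review your statement at
<a href="http://bank.example.login-verify.example/reset">https://bank.example/login</a>.</p>
<p>Or <a href="https://bank.example/help">our help page</a>.</p>
<p>Also <a href="https://b\u0430nk.example/">bank.example</a></p>
"""   # the third link uses a Cyrillic 'a' in the hostname


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def host_of(text):
    """Hostname of a URL, or of bare text such as 'bank.example/login'."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED)


def audit_links(html):
    """Return (href, reason) for every link that looks like a disguise."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        looks_like_address = "." in text and " " not in text.strip()
        text_host = host_of(text) if looks_like_address else ""
        if text_host and text_host != href_host:
            findings.append((href, f"text says {text_host}, link goes to {href_host}"))
        if not href_host.isascii():
            findings.append((href, "non-ASCII characters in hostname"))
        elif any(t in href_host for t in TRUSTED) and not is_trusted(href_host):
            findings.append((href, "trusted name embedded in untrusted host"))
    return findings


if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_HTML):
        print(f"{reason}: {href}")
```

Only the help-page link passes. Note that the embedded-name check has to be a suffix test, not a substring test, because bank.example.login-verify.example is a subdomain of login-verify.example, no matter how it starts.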

Or they research your company, and notice that a lot of your employees go to a specific website outside the firewall (to check the news, or stock prices, or sports... or even something work-related.)

So they set up a watering hole attack, using that website to launch an attack when your employees visit it.

Or they drop some infected USB drives in a parking lot, and wait for someone to find it and plug it in.

I'm still learning all this myself, but I've heard a couple of penetration testers say that they have never failed to penetrate the defenses of their target.

Think about that for a second.

Anyways, to bring this back to my analogy... let's say that a malicious letter was somehow wrapped up in a legitimate letter. It gets to your home through one method or another, and it goes straight to Rosie (unless it's caught by an anti-virus program before she can read it). If she hasn't been updated or modified since the vulnerability was found, then the payload is delivered and she follows whatever she's instructed to do.

Once Rosie's affected, she can also be used to send messages to her neighbors, affecting them as well.

Eh... I'm not too happy with this post, I feel like it didn't quite go where I wanted it to. But it's getting late, and I've got stuff to do tomorrow. Not sure how much I'll post next week.

A Video on Hacking

https://youtu.be/Ru7vpTSVyYg

Friday, March 8, 2019

Computing - Server Side Cyber Threats

Now that I've already covered various topics on how the internet works, I want to revisit the notion of cybersecurity as 'defending a castle'.

Though really, it's probably more like 'defending a gated community'.

Picture your typical business as a gated community, with a front office (where mail is received and sorted), various different homes (where employees do their work), and a fulfillment center (surrounded by another wall) that receives and responds to client requests.

I am drastically oversimplifying this, since businesses vary greatly in how they configure their internal network - perhaps putting all the HR people in one walled off section, all the R&D people in another. Or having one building for receiving requests, and sending valid requests on to another building for fulfillment. That's not even getting into how a large company with multiple work locations would be configured, but I'm trying to keep it simple.

So then. Each house, the fulfillment center, and the front office all have their own 'Rosie' to receive and send messages. Rosie comes in all sorts of different makes and models, and if you know her model well you may even know of some 'tricks' that will get her to act in unexpected ways. You might send her a letter with keywords that make her start taking pictures of rooms in the house, or to open up a new window or door for a specific type of message traffic, or initiate some messages of her own.

The postal service delivers all mail to the front office in part because they don't actually have any addresses for anyone inside. It's sort of like how a large business might need someone to sort mail to a specific building or room, though if I'm going to maintain my previous analogies I'll just say that the robot maid in the front office assigns certain windows or doors to a specific home or building inside the community, and knows that any letters delivered to that location (i.e. door number 1470) go to house number 42, in a process called NAT, or Network Address Translation. This developed in part because we were running out of IPv4 addresses, and needed a way for many computers to share one public address. It's part of why if you check the IP address for your computer at home it most likely starts with 192.168. (or 10.), one of the private ranges reserved for exactly this purpose, and why the address the rest of the internet sees for you is your router's.

Anyways. What this means is that anyone outside the business has no real idea how to reach any of the homes inside the business unless they are directly responding to someone's messages. There's what's called an 'attack surface' of publicly facing connections - generally the front office and fulfillment center (since all the customers need to be able to reach the fulfillment center in order to make their requests.) Individual employees do offer up a target as well, but it's mostly because they're using their computer to access sites outside their place of work - gotta check those ESPN scores, you know? - and get responses in turn. (Okay, I'm halfway joking about ESPN. There are often legitimate work reasons to access outside websites... but you can communicate with everyone inside the gated community without going through the front office.)
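A toy version of the front office makes both points concrete: outbound mail gets a fresh 'door' and a table entry, a reply is let in only because it answers that entry, and anything unsolicited is dropped unless a door has been explicitly assigned to a house (the 'door 1470 goes to house 42' rule above). This is an added example, not from the original post; the addresses are from the documentation ranges and the starting port number is an arbitrary choice.

```python
"""A toy port-translating NAT, the 'front office' of the gated community.

Inside hosts have private addresses; the outside only ever sees PUBLIC_IP.
Addresses are RFC 1918 / RFC 5737 documentation ranges, chosen for the example.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")


class FrontOffice:
    PUBLIC_IP = "203.0.113.7"     # the one address the internet knows
    FIRST_PORT = 1024             # assumption: hand out public ports from here

    def __init__(self):
        self.next_port = self.FIRST_PORT
        self.outbound = {}   # (inside ip, inside port, outside ip, outside port) -> public port
        self.inbound = {}    # public port -> that same 4-tuple
        self.static = {}     # public port -> (inside ip, inside port), for servers that must be reachable

    def forward(self, public_port, inside_ip, inside_port):
        """Static rule: 'letters to door 1470 go to house 42'."""
        self.static[public_port] = (inside_ip, inside_port)

    def send(self, pkt):
        """Rewrite an inside->outside packet so it appears to come from the public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return pkt._replace(src_ip=self.PUBLIC_IP, src_port=self.outbound[key])

    def receive(self, pkt):
        """Deliver an outside->inside packet only if it answers a conversation
        someone inside started, or matches a static forwarding rule."""
        if pkt.dst_port in self.static:
            ip, port = self.static[pkt.dst_port]
            return pkt._replace(dst_ip=ip, dst_port=port)
        entry = self.inbound.get(pkt.dst_port)
        if entry is None or (entry[2], entry[3]) != (pkt.src_ip, pkt.src_port):
            return None          # unsolicited: nobody inside is waiting for this
        return pkt._replace(dst_ip=entry[0], dst_port=entry[1])


if __name__ == "__main__":
    office = FrontOffice()
    out = office.send(Packet("192.168.1.42", 51000, "198.51.100.9", 443))
    print("as seen outside:", out)
    print("reply delivered to:", office.receive(Packet("198.51.100.9", 443, office.PUBLIC_IP, out.src_port)))
    print("unsolicited:", office.receive(Packet("198.51.100.66", 4444, office.PUBLIC_IP, 1470)))
    office.forward(1470, "192.168.1.42", 80)
    print("after forwarding rule:", office.receive(Packet("198.51.100.66", 4444, office.PUBLIC_IP, 1470)))
```

The static rule is exactly the 'attack surface' from the next paragraph: every door you deliberately open from outside is a door an attacker can knock on too. Real NAT devices also expire table entries after a period of silence, which this toy skips.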

All right, so what happens next? Well... it depends on a bit on what you're trying to do, tbh. This is also, btw, where I feel my inexperience shows the most... I'm trying to put into words my understanding of the process, but I may get it wrong. Feel free to comment with any corrections.

Let's start with one type of Denial-of-Service attack, and its close cousin, the Distributed Denial-of-Service attack. There you are, at the front office, when suddenly the mailman starts delivering bags and bags of mail. Much like the scene from Miracle on 34th Street, it overwhelms the front office and they wind up throwing away a lot of mail, including legitimate letters.

If it's a straight up DoS attack, you might notice that all the return addresses are the same, which makes it easy to tell Rosie to just throw them all away. (The catch is that return addresses can be forged. A lot of flood traffic is sent with made-up source addresses, so filtering on the sender only works while the sender is honest about who they are.)

If it's a DDoS attack, the return addresses are generally different. Generally speaking, someone sent letters to a bunch of different robot maids, telling them to send letters to your address. It's called a botnet, and all the different return addresses indicate different robots sending letters as ordered.

Certain kinds of DDoS attacks will all be the same basic form, the color and/or size of a specific type of message (like an ICMP flood). There's still some things the front office can do to help filter it out, and they can also reach out to their nearest post office (their upstream provider, or a scrubbing service that absorbs the flood before it reaches them) for help managing the traffic, but it generally requires a bit more management than simply telling Rosie to throw out all the letters from x.x.x.x address.

This sort of attack will disrupt your business, but it's not really getting inside your community.
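The one-source versus many-sources distinction can be made from a packet summary alone. This is an added example, not part of the original post, run over constructed log lines of the form '<timestamp> <source ip> <protocol>'; the window size and thresholds are assumptions. The caveat from above still applies: a 'source' here is only the claimed source, since flood traffic often carries forged addresses.

```python
"""Classify the busiest ten-second window of a packet log as normal, DoS or DDoS.

Constructed input; the make_log() helper fabricates it for the example.
"""
from collections import Counter


def make_log(sources, count, proto="ICMP", start=1552200000):
    """Constructed flood: `count` packets inside one ten-second span, cycling over `sources`."""
    return "\n".join(f"{start + i % 10} {sources[i % len(sources)]} {proto}"
                     for i in range(count))


SINGLE_SOURCE = make_log(["198.51.100.5"], 120)                          # one noisy sender
BOTNET = make_log([f"203.0.113.{i}" for i in range(1, 41)], 120)         # forty senders, same volume
QUIET = make_log(["198.51.100.5", "198.51.100.6"], 8, proto="TCP")       # ordinary traffic


def parse_packets(text):
    """One (timestamp, source, protocol) tuple per non-empty line."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, proto = line.split()
            rows.append((int(ts), src, proto))
    return rows


def classify_flood(rows, window=10, rate_threshold=50, single_source_share=0.9):
    """Return (label, dominant protocol, distinct sources) for the busiest window.

    'dos'  : enough packets to matter and almost all from one address
    'ddos' : the same volume, spread across many addresses
    Thresholds are assumptions for the example, not tuned values.
    """
    if not rows:
        return ("normal", None, 0)
    buckets = {}
    for ts, src, proto in rows:
        buckets.setdefault(ts // window, []).append((src, proto))
    busiest = max(buckets.values(), key=len)
    sources = Counter(src for src, _ in busiest)
    if len(busiest) < rate_threshold:
        return ("normal", None, len(sources))
    protos = Counter(proto for _, proto in busiest)
    _top_src, top_count = sources.most_common(1)[0]
    label = "dos" if top_count / len(busiest) >= single_source_share else "ddos"
    return (label, protos.most_common(1)[0][0], len(sources))


if __name__ == "__main__":
    for name, log in (("single source", SINGLE_SOURCE), ("botnet", BOTNET), ("quiet", QUIET)):
        print(name, classify_flood(parse_packets(log)))
```

The dominant protocol is returned because that is the one thing the front office can filter on when the sources are many: an ICMP flood can be rate-limited as a class even when no single address stands out.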

If you want to gain access to the business's database there are probably two broad avenues of attack (I've never heard anyone put it like this, though, so maybe not). Basically you can do what we discussed earlier, where you manipulate the input at the company's website meant for use by a legitimate customer, or you can try to take over the 'Rosie' that manages that particular building.

If you attack through the website, your message traffic looks superficially legitimate and will probably pass through the front office no problem. Then it gets forwarded for processing at the fulfillment center, and its success depends on what sort of processes occur there. You're not really taking over any computers, you're just submitting a request in such a way that the fulfillment center will respond with information you're not supposed to have.

The other option (and the same sort of option you'd probably use to target the R&D section, or some other part of the business) is to try to reach a Rosie inside. Taking over the computer, or taking over 'a' computer and then pivoting to take over neighboring computers until you finally get the access you want.

This option can be used for all sorts of things, whether it's turning every Rosie into a member of a botnet, or getting Rosie to change information in the filing cabinet, or asking Rosie to take pictures of all the files and send them out to another location, and so on and so forth. You might even just tell Rosie to do nothing, to periodically check a particular window for messages.

But getting Rosie on your side... well, I'll get to that another day.




Thursday, March 7, 2019

Computing - Ports and Some Common Protocols

Well, I heard back from a potential employer, and I scheduled an exam to demonstrate that I know my stuff. Now to study/prep for it.

Honestly, I sometimes wonder what the point of that sort of testing is. Or rather, as my father says... everything you learn in school you will either use every day on the job and memorize it, or forget it. What's important is knowing how to learn and how to look things up.

This seems especially true with computers, as it's a very broad field. Even experts use Google to look things up, especially if it's a problem they don't see very often. Heck, there's a reason Linux commands have a 'man' or help page to tell you what the possible options are.

Some things... well, some things you only have to deal with once in a while... and if I'm doing it that rarely I'll probably give myself a refresher beforehand, if only to make sure I've got the latest and greatest knowledge about it (technology also changes at a pretty fast pace, after all.)

I sort of wonder if, maybe, I should ask to use my cell phone to look things up in an interview? I'd think that'd be more realistic, tbh, though I'm not sure it would fly.

Anyways. I wanted to get on to discussing businesses, and cyber security as it applies to them, but I figured I needed to expand my little postal service analogy a bit more.

If you happened to open Wireshark and tried monitoring your home network, you probably noticed a whole lot of traffic that you didn't initiate - you didn't put an address in your browser, or send an e-mail, or do anything directly to cause the traffic you're seeing.

That's because there's a whole lot of administrative work going on behind the scenes. Like in my earlier analogy, where I said that routers constantly send out messages to verify whether or not their neighbors are still up and running, or to announce their own status.

Imagine that our postal service has certain form letters.  Heck, let's even make them different colors and sizes. Your website requests might all be sent in white envelopes, 8.5'' by 3''.  Your e-mail messages might be sent in periwinkle blue envelopes, 5'' by 3''.

You'll see DNS requests, sent out to find the correct ip address before your actual website request (on a cream colored postcard).

Let's further imagine that everyone has their own personal Rosie, a robot maid that handles all your incoming and outgoing messages.

See, all the white letters sending and receiving information for a website get delivered to the front door. The periwinkle e-mail messages get delivered to a side door, where Rosie receives them and places them on a desk in your study. Once she has received all the letters for a particular e-mail she'll ring a bell, notifying you that there's a new message in your study.

Pale grey ICMP router advertisement messages checking on nearby routers may arrive by the back door, where Rosie receives and sends them without even bothering you.

A house, naturally, only has a few doors and windows... but a computer has about 65,000 of them per transport protocol (TCP and UDP each get their own set). In networking we call them 'ports', and common methods of transmitting information are assigned a common or 'well-known' port. (ICMP, the router-to-router chatter above, is the exception: it rides directly on IP and has no port at all.)

You could even add that information to the mailing address, make it something like this:

Your E-mail Address
1 Main St.
Anytown, IL 99999-9999
Deliver to side door (Port 25)

Of course, the common protocols are so well known that you can leave that extra bit of instruction off. Web requests go to port 80 (or 443 for https) unless the address says otherwise, and mail servers listen for incoming mail on port 25 (a mail client fetching its own inbox uses IMAP on 143/993 or POP3 on 110/995 instead). In fact, for these well known ports, you would only add that extra information if you decided to change which door receives the messages for that protocol.

You could tell Rosie, for example, that you want all the web traffic to get delivered to the side door instead of the front, and so long as the delivery address says so it'll work out fine.

So now we can imagine someone at home, a stream of messages coming and going. All of them are actually handled by Rosie as they come and go through various doors and windows. Outgoing messages are collected by the mailman and sent through the postal service to the appropriate destination, and all incoming messages are delivered to the appropriate door or window.
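Two things from the last few paragraphs are worth seeing in code: the address only mentions a door when it isn't the usual one, and a door is just a number the receiving side decided to listen on. This is an added example (not from the post): url_port() fills in the conventional port when an address leaves it off, and echo_round_trip() starts a tiny loopback server on whatever port the operating system hands it, which the client can reach only because it was told the number. The WELL_KNOWN table is a small subset chosen for the example.

```python
"""Ports are just numbers: a conventional default per protocol, overridable in the address."""
import socket
import threading
from urllib.parse import urlsplit

WELL_KNOWN = {"http": 80, "https": 443, "smtp": 25, "ssh": 22, "dns": 53}   # subset, for the example


def url_port(url):
    """(host, port, explicit): which door the address means, and whether it spelled it out."""
    parts = urlsplit(url)
    if parts.port is not None:
        return (parts.hostname, parts.port, True)       # 'deliver to side door'
    return (parts.hostname, WELL_KNOWN[parts.scheme], False)


def echo_round_trip(message):
    """Listen on an OS-chosen loopback port, connect to it, return (port, echoed reply)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))        # port 0 = let the OS pick any free door
    server.listen(1)
    port = server.getsockname()[1]      # the number the client has to be told

    def serve():
        conn, _ = server.accept()
        with conn:
            conn.sendall(conn.recv(1024))   # Rosie hands the letter straight back
        server.close()

    worker = threading.Thread(target=serve)
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(message)
        reply = client.recv(1024)
    worker.join()
    return (port, reply)


if __name__ == "__main__":
    print(url_port("https://www.example.com/login"))
    print(url_port("http://intranet.example:8080/"))
    port, reply = echo_round_trip(b"hello")
    print(f"served on port {port}, got back {reply!r}")
```

Moving a service off its well-known port (the 'web traffic to the side door' idea above) is not a security measure in itself: a port scanner tries every number, so the only thing it buys you is fewer hits from the laziest automated probes.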

Tuesday, March 5, 2019

O. M. G.

https://www.pacifict.com/Story/

Cybersecurity, a Video

Came across this video from the NSA on Advanced Persistent Threats, and it fits in nicely with what I've been posting about.

https://youtu.be/bDJb8WOJYdA

I really liked what he said about reputation trackers, because I was thinking about how hard it is for the average user to really know whether a site has put the effort in to secure itself.

Take sites that put login or credit card information in the URL of the request, or send the whole thing over plain http (i.e. like putting that info on the outside of an envelope: the URL ends up in browser history and in proxy and server logs, and anything sent without https can be read by anyone along the path).

The average user won't know that. At best, they know to look for the 'https' and/or lock on the browser. They don't know how to look at the message traffic or site code in order to tell what's really secure or not.

There's a million different ways to write a program. Some are better than others, but if it gives you the functionality you want how can you really tell?

It takes extra lines of code to validate user input and make sure nothing fishy is going on. It takes knowledge about which methods are more secure than others. But you won't necessarily see which companies put that effort in.
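Here is what those extra lines look like for the most common case, a lookup built from customer input. This is an added example, not code from the post, and it serves both this paragraph and the earlier one about 'submitting a request in such a way that the fulfillment center will respond with information you're not supposed to have': the unsafe version splices the input into the SQL, the bound version hands it to the database driver as data, and the safe version additionally validates its shape. The in-memory SQLite table and its rows are invented.

```python
"""A request that makes the fulfillment center hand over too much, beside the fix."""
import re
import sqlite3


def setup():
    """Constructed in-memory 'fulfillment center' database; schema and rows are invented."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, customer TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "alice", "widget"), (2, "bob", "gadget"), (3, "carol", "gizmo")])
    return db


def lookup_unsafe(db, customer):
    """String-built query: whatever the customer typed becomes part of the SQL itself."""
    sql = "SELECT id, customer, item FROM orders WHERE customer = '%s'" % customer
    return db.execute(sql).fetchall()


def lookup_bound(db, customer):
    """Parameter binding: the driver sends the value separately, so it can never be parsed as SQL."""
    return db.execute("SELECT id, customer, item FROM orders WHERE customer = ?",
                      (customer,)).fetchall()


def lookup_safe(db, customer):
    """Validate the shape first (assumed rule: short lowercase handles), then bind."""
    if not re.fullmatch(r"[a-z0-9_]{1,32}", customer):
        raise ValueError("customer name must be 1-32 lowercase letters, digits or underscores")
    return lookup_bound(db, customer)


if __name__ == "__main__":
    db = setup()
    fishy = "x' OR '1'='1"
    print("unsafe, honest input:", lookup_unsafe(db, "bob"))
    print("unsafe, fishy input: ", lookup_unsafe(db, fishy))     # every row comes back
    print("bound, fishy input:  ", lookup_bound(db, fishy))      # nothing matches that literal name
    try:
        lookup_safe(db, fishy)
    except ValueError as err:
        print("safe, fishy input:   rejected:", err)
```

Binding alone closes the hole; the validation step is the belt to its braces, and also the thing that keeps a 32-character limit from becoming someone else's problem further down the pipeline.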

A reputation tracker might be useful for that.

Computing - Broad Overview of Potential Insecurities

Well, I got pfSense working, and installed The Security Onion. Kali is up, but not connected to the internet and I'm still working on that. (The guide had this thing called Afpacket bridges for trying to isolate networks, but I'm not sure I fully understand how that's supposed to work and the stuff I'm working with has been updated since the guide came out so the instructions are not quite exact.)

Anyways. I wanted to pull together some of what I've covered, and how it relates to computer security. This is going to be a mile wide and an inch deep. For everything I touch on there are measures, and counter measures (and counter-counter measures), so if something piques your interest definitely look into it on a deeper level.

I used the postal service analogy before, and I'm going to stick with it (and maybe even expand upon it when I get to the server side of things).

Picture the many, many ways a handwritten letter could be insecure.

Someone might be reading over your shoulder while you write it. Or they may enter your office and look at it before you mail it off. Or they may intercept it anywhere along the way and open it.

You can take countermeasures to protect your information of course - like writing the letter in code, for example - but our ability to 'sniff' traffic makes it ridiculously easy to read at least the mailing information on the outside of your envelope.

And certain websites may be so ignorant (or lazy) that they put sensitive information - like your username, password, or credit card information - right there on the outer envelope.

Wireshark is a tool that passively collects information on all the letters passing through an area. You can filter and search through that traffic for all sorts of information...

And btw, there are all sorts of tools that allow you to sniff traffic, whether over a physical wire or off the wifi. Such tools are not necessarily bad in and of themselves, it's just that they can definitely be used for malicious purposes.

Even if sensitive websites (like banks, or online retailers) use https, and have that little green lock on the top indicating all the messages are transmitted in some sort of cipher, that only protects the traffic to that one site. If you use the same password everywhere, all it takes is one insecure site: a hacker can find out what other sites you've visited and try using your password there.

That's not even including efforts to misdirect your mail to a fake website, or add malicious software to an ad on a legitimate website, or cross-site scripting (which I don't fully understand yet, but hope to get into in more detail later.)

Which means that there are multiple cases where your information can be stolen, well before you've even reached any particular website. Talking about what happens there is going to take way more work, so I'll get into that next time.


Monday, March 4, 2019

Computing - User Input, Web Applications, and Security

I found a marvelous source for creating the virtual environment I want, so I am happily configuring my virtual network environment. Or not so happily, as the case may be. Since software tends to update almost as soon as any guides are created, there's always a bit of fun to be had in figuring out how to apply the instructions to your actual system. (I got pfSense installed, and it can ping out, but I can't seem to access the website for configuring it from my laptop. Google isn't getting me the answer I want, as I keep getting hits for similar-but-not-quite-the-same problems. I wonder if the same would hold true if I created a VM on the virtual network?)

I've also been reading a rather excellent book on how hackers access information through a business's particular web site - The Web Application Hacker's Handbook, which explains so much about why/how security is so complicated these days.

The issue comes back, yet again, to user input. See, since computers use 1's and 0's for everything, the only way they know whether a sequence of 1's and 0's is supposed to be a number, or a letter, or a location, or an instruction is because of the context.

Most computer science programs will focus on teaching their students at least one programming language, in part to teach you programming logic. There are some slight differences (i.e. object-oriented programming and whatnot), but the basics are fairly similar.

It's the syntax that changes. Different languages have different ways of telling the computer when an instruction ends. And so in some languages we use a ';' to indicate the end of one line of instruction, so the computer knows when to stop. And if you go to your web browser and select 'web developer' or somesuch from the viewing options, you'll see the code for the webpage you are viewing. It will probably have something like <head> and </head> or <body> and </body> to indicate which text is part of the head, and should be formatted as indicated elsewhere for headers, and so on for the body. Note the closing '/' to indicate the end of a section.

It may seem overly technical to anyone not in computers, but bear with me.

A very common 'first program' in any language, is to print "Hello, World!" to your screen. In Java the particular line of code would be -


System.out.println("Hello, World!");


Running a program that includes that line will give you 'Hello, World!'. But let's say you want to add another line, "How are you?" You could enter


System.out.println("Hello, World! How are you?");


And the result would look something like "Hello, World! How are you?"

But what if you want the second half to print on a new line (entering a carriage return, in old typing terminology)?

There's code for doing that, but the computer reads everything within the quotation marks as letters and prints accordingly. So you need an escape character, something to tell the computer "Hold up, wait. This needs to be processed differently."

In Java, the '\' (backslash) is the escape character, so if you said


System.out.println("Hello, World!\nHow are you?");


It would print something like:

Hello, World!
How are you?

Escape characters are actually kind of important, because that's how a hacker can tell the computer to process their input as commands rather than simple text.

I've only just begun to read the book on web hacking, but the first few chapters easily conveyed just how difficult it is to validate user input.

For example, a hacker might try typing <script> to do something (presumably start a script? Looks like the type of code you see in web pages, like those <header> bits, or xml code).

A business may code their application to remove all <script> instances from user input. But what if they type in <scr<script>ipt>?

Now if you take out the <script>, it collapses the rest of the line into another <script>.

To add to the confusion, recall that every character can be represented by numbers (i.e. ASCII coding format)... so the hex number 27 can be read as an apostrophe, or 25 can be read as a %, 3c can be <, etc.

If you know what language is being used, and how the input is being read... to include the removal of certain characters... you can come up with a particular line of code that will get through all the filters and do something unintended.

Apparently, many businesses use multiple different tools to create their web applications. And if those tools use different programming languages, and react to different escape characters, then there's no one-size-fits-all way of checking user input for hacking attempts.
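Here is the nested-tag problem and the hex-encoding problem side by side, as an added example (my own code, not the book's or the post's). The inputs are constructed; the post's single-pass removal is shown next to two fixes: stripping until nothing changes, and the more reliable approach of decoding the input fully and then escaping it so it can only ever be displayed as text.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs (assumptions for this example, not from the post):
# the nested-tag trick the post describes, plus percent-encoded forms where the
# hex pair 3c/3e stands in for '<' and '>'.
NESTED = "<scr<script>ipt>"
ENCODED = "%3cscript%3e"
DOUBLE_ENCODED = "%253cscript%253e"


def naive_filter(text: str) -> str:
    """The single-pass blacklist the post describes: delete each '<script>' once."""
    return text.replace("<script>", "")


def canonicalize(text: str) -> str:
    """Percent-decode until the string stops changing, so the filter sees the
    same characters the browser eventually will (one decode is not enough when
    the input was encoded twice)."""
    while True:
        decoded = unquote(text)
        if decoded == text:
            return text
        text = decoded


def strip_to_fixed_point(text: str, token: str = "<script>") -> str:
    """Remove the token repeatedly until nothing changes, so deleting one copy
    cannot leave behind a freshly assembled copy. Matching is case-insensitive."""
    pattern = re.compile(re.escape(token), re.IGNORECASE)
    while True:
        stripped = pattern.sub("", text)
        if stripped == text:
            return text
        text = stripped


def render_safely(text: str) -> str:
    """The approach that does not depend on guessing tag names: canonicalize,
    then escape '<', '>', '&' and quotes so the whole input is shown as text."""
    return html.escape(canonicalize(text))
```

Note that naive_filter never even sees a "<script>" in the percent-encoded input, which is the point of decoding before filtering.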

Sunday, March 3, 2019

The Grey Area Between Leader and Led

https://hbr.org/2019/02/why-visionary-leadership-fails?utm_campaign=hbr&utm_medium=social&utm_source=twitter

Saturday, March 2, 2019

Relevant Article

I was clearing out my phone tabs (I tend to keep open interesting links that I want to review later) and found an article discussing how attackers these days rarely use bespoke malware. Fits in with what I've been saying about automating exploits and making it easy for anyone to hack a system.

Russian Kill Switch

A better write up of the coming Russian Kill switch test. 

https://www.engadget.com/amp/2019/02/28/russia-putin-internet-kill-switch-cybersecurity/?__twitter_impression=true

My impression is that it's more about Russian domestic politics than anything else, though it doesn't hurt to consider what else could happen. Not even necessarily with Russia. In the back of my head I've been mulling over what the possibilities are in cyberspace. Most of what we've been seeing is more like criminal behavior, even if it's done by nation/state actors.

But I haven't really fleshed anything out on that yet. Still learning so much in the first place, you know?

Edited to add: I decided to add labels here (I tend to forget when sending out a quick link from my phone) and figured this article was worth including in the post. It's discussing how Moody's is trying to incorporate cybersecurity into its evaluation of how creditworthy an organization is.

Friday, March 1, 2019

Recruiters Recruit People Like Themselves

This article isn't about that, directly at least. But their comments about who catches the attention of a sponsor (or mentor, they are two different things, neither of which I've had much experience with, tbh) reminded me of what an NCO who'd done a stint at recruiting said.

https://www.theatlantic.com/amp/article/582175/?__twitter_impression=true

Computing - the Internet, Cont.

I debated which way to go from here - in that I can go into much greater detail on how the internet works, or I can focus more on what really is relevant to the general user. There's all sorts of important things for a network engineer to know, but going into the OSI model or the alphabet soup of various protocols (EIGRP, BGP, OSPF, as well as the TCP handshake, SYN Flooding, and more) seems more likely to cause a non-technical person to get overwhelmed rather quickly.

So I'm going to talk about databases for a bit. It's relevant, I promise, and I'll try to turn it into a personal story of sorts.

When you grow up with technology, but not a techie - in my case, at least - you just sort of absorb odds and ends as you come across them. Databases have been like that for me, a topic that started impinging on my awareness about a decade ago.

It's not that I didn't know the term, or have some general sense of what it meant, but when a colleague of mine decided our reports would be easier to work with in a database rather than the Excel files we'd been using, I started learning more about when and why they're important.

And the key to understanding the most common type of database is to understand relationships. That is, if you wanted to create an Excel file for customer orders you would probably have to enter the customer name and address every single time that customer placed an order.

If it's in a database, on the other hand, you can have a customer table and an order table, and establish a relationship between the two (i.e. a customer id number). In the customer table you only have to enter the address once, but because it's associated with the corresponding customer id in the order table you can easily create a table showing all the orders that customer has placed. Including the mailing address.

Businesses use these all. the. time. That way you can have a table showing all your employees, and a separate table showing all the wages paid, as well as a table for all customers, and a table for all the orders they placed, and a table for all the bills charged to the customer... and businesses can run queries against that database to get the information they need. Like a history of all the orders a particular customer placed, or an aggregate of all orders from a particular region, or all the customers who owe the company money.

I've worked more with Microsoft Access than the big enterprise databases (Oracle, MySQL, SQL Server, etc.), but most have a similar structure for querying the data - Structured Query Language (hence the 'SQL' in the databases above).

SQL statements are actually fairly obvious when you keep them simple, though they can grow to be horrendously complicated. A basic query might look like this:

SELECT * FROM Users WHERE Name = 'foo' AND Pass = 'bar' 

It's basically saying you want to select everything from the Users table where the name is 'foo' and the password is 'bar'. (The * is a wildcard, it means select everything that matches the criteria)

So why is this important?

Well, websites these days are interactive. You don't just download a page and read what it says. You login - to check your bank account, or the news for a site you've subscribed to, to check your friends on Facebook, or post to Instagram, check your employee benefits, request time off, or any number of things online - and that login is generally used to find your specific information in a database.

When you go to a website, well... to use the postal service analogy, that site is getting thousands and thousands of letters a day, and it is passing your particular information to a warehouse (the database) that processes your request and sends back the information you wanted.

The website and database together have to a) keep track of your mail vs. all the other users' mail, so you don't have to send your username and password every time you send a letter, and b) make sure that you only see your information: it doesn't send you someone else's response or let someone else see yours.

That means businesses operating over the internet generally have a way of tracking your session (that's where cookies come in to play, though it's not the only way of doing so) and some sort of system for authenticating you as the user and granting access to the information you are authorized to see.

And most of those have to deal with the exact same problem I listed when describing the buffer overflow - user input.
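As an added example (my own, not from the post or the book), here is the post's login query run two ways against a constructed in-memory SQLite table: once with the user's input pasted straight into the statement, and once with placeholders so the database receives the values separately. A name containing an apostrophe (hex 27, from the previous post) is enough to show the difference.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed copy of the post's Users table (an assumption for this
    example; plaintext passwords are kept only to mirror the post's query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Pass TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("foo", "bar"), ("O'Brien", "hunter2")])
    return conn


def login_concatenated(conn, name, password):
    """The query exactly as the post shows it, with the user's input pasted in.
    The database cannot tell where the quoted value ends and the SQL resumes,
    so an apostrophe in the input changes the statement itself."""
    sql = f"SELECT * FROM Users WHERE Name = '{name}' AND Pass = '{password}'"
    return conn.execute(sql).fetchone()


def login_parameterized(conn, name, password):
    """Same lookup with placeholders: the driver sends the values separately,
    so every character of the input is treated as data, never as SQL."""
    sql = "SELECT * FROM Users WHERE Name = ? AND Pass = ?"
    return conn.execute(sql, (name, password)).fetchone()


def concatenated_query_breaks(conn, name, password) -> bool:
    """True when pasting the input in no longer yields a valid statement."""
    try:
        login_concatenated(conn, name, password)
    except sqlite3.OperationalError:
        return True
    return False
```

The same apostrophe that breaks the concatenated version is simply part of the name in the parameterized one, which is why placeholders (not character filtering) are the standard way to pass user input to a database.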