Friday, August 16, 2019

Epstein, Maxwell, the .05%, and a bit of a tirade.

The Epstein story bothers me. A lot. Though in some ways Ghislaine Maxwell bothers me even more. So I figured I'd write a post about it, but I feel the need to go into some of my own personal heuristics before doing that.

But first, a bit of  story.

In college I had a job as a cashier and grocery bagger, a typical low-paying job to help pay the bills while I went to school. I sometimes was responsible for bringing back the shopping carts, and, well...

People are lazy. They leave them all over the parking lot, and not always in the cart corral like they're supposed to. I was sitting outside once, on break, and noticed a customer taking the time to clean up some of them... and sort of realized that even though the constant mess can give you a pretty negative view of human nature, there are often other people - good people - who do more than their share to try and clean it up.

So messes, well... it's more about how many people choose to leave a mess, how many decide just to take care of their own stuff, and how many people do that little bit extra to help. More people being lazy? Lots of carts not in the right place. (tbf, someone once said that there are reasons, sometimes good reasons, for leaving the carts where they shouldn't be. Mostly to do with disabilities or somesuch... though if that were the case I'd expect more of the carts by handicapped parking, so I'm pretty sure not ALL of the mess is for legit reasons.)

Leaving that, for the moment, some heuristics.

Things are always more complicated than you think, and issues are very rarely black and white. (Though just to add to the confusion, sometimes they are.)

People generally like to think they're good people, so they will rationalize whatever it is they're doing. If you want to know "how can they think that's acceptable!?!?" it helps to consider what sorts of things would make you think it's acceptable. You generally won't be that far off.

Ummm. And most people, well, tend to go into auto-mode and forget they have things like free will, so they'll do what 'everyone' does, and accept the norms of the people around them, without necessarily questioning it or deliberately choosing to create the systems/structures they live in. (Not an excuse, per se, but it frames the issue a certain way, and encourages thinking of systemic solutions instead of rather superficial and ineffective ones.)

So. Epstein, right?

In some ways, he's the perfect caricature of everything we hate about the wealthy. A criminal - yes, a criminal - who seemed to think his wealth and status protected him from the consequences of his bad behavior... and who seemed to be right about that. After all, how many people knew or suspected what he was doing and just... looked the other way? Deciding to ignore it, and continued to allow him into their social circles, or take his political money, or whatever?

This is where (if the article is true) Ghislaine, in some ways, bothers me more. A criminal is a criminal, after all. But the person willing to overlook all that? Who decides he really is somehow better or should be allowed to get away with it? Who thinks the young girls he's screwing are 'trash', and thinks nothing of it? Those are the ones that make their assessment true... that wealth and power can make up for a lot of sins.

But let me add another little bit to this. I've seen my fair share of anger at the wealthy, people pointing out just how outsized their influence is. There was one meme going around talking about the one percent, and it made some comment about how "it's 12 people".

This seems to me to be an exaggeration. I mean, we talk about the 1% a lot, but one of those fancy income graphs pointed out we're really talking about the .5% (the rest are more likely to be doctors or lawyers who are affluent, yes, but not at the ridiculous levels that really get people mad. And, well... .5% is more than 12 people. In a nation of 327.2 million, you're really talking about 1,636,000 people.

Still a ridiculously small portion of the population, but a heckuva lot more than 12. Enough for their own social norms, their own ways of thinking. And given (as I think seems obvious) that most of them hang out with each other, they have a good chance of living in their own little bubbles where they only take seriously others like them, and develop their own norms and whatnot. You know... since they've got enough wealth to avoid all the peons, they generally aren't flying economy on airplanes, or waiting in lines at amusement parks, or grocery shopping for themselves. (Hence all the stories about presidential candidates who don't know the price of milk, or have any sense at all of what it's like for the vast majority of us.) Some of this is speculation, of course. It's not like I have any great access to that sort of life.

Anyways. I figure like any reasonable large population of people, and over a million is large enough for that, you've got the same sort of mix I described with the grocery carts. You've got some who do bad things, you've got others that wouldn't cross that line but are mostly just minding their own business, and still others who are doing really great things. (My hair dresser gets some rather wealthy clients, and she says they're some of the nicest people... and I can believe that.)

The problem is that, collectively, what proportion is there of each?

Right now it feels like the world is, to continue with this grocery cart analogy, just full of carts left all over the place.

Yes, I know there are some amazing philanthropists out there, and they're doing fantastic things.

But we still have people dying because they can't afford insulin. We still have people working two or three low-paying jobs while the rich keep getting richer, and there is story after story of people who have more money than sense doing stupid things that keep making the world a worse place.

It's not just the Epsteins and Maxwells, either. I'm having the darndest time finding the quote, but I believe I heard a major figure in media tell his people that the only black person he wanted shown in the news was one in cuffs. (Maybe that's an exaggeration? I can't seem to find a source, though there are plenty of sources for media bias in general, like the classic one where white survivors of a catastrophe are 'finding' things whereas black ones are looting. Little things like that which shape perceptions with an unfair double standard. Also consider how the Stanford rapist was shown with a rather nice school pic, whereas the pics using for black men tended to be arrest photos or other negative pics. I'm sad to say that I generally didn't notice that sort of thing until it was pointed out to me, but it's definitely there. Also sad to say that in this hyper-politicized times people would rather claim Snopes isn't reliable than address this sort of thing.)

I do wonder how the people in positions of power and influence on these matters can honestly like what they see in the mirror, but whatevs.

Seems too many of those in the .05% are either so busy with their own lives that they aren't doing anything about it, or are just willing to look the other way.

Still, they'd have to be living in a rather serious bubble not to realize how much anger and resentment there is at them, for exactly that sort of reason. Like, you're in a position to do things we can only dream of, and yet you'd rather ignore the Epstein's among you, look the other way, and when you hear stories about people dying because they can't afford insulin just shrug and say 'not my problem'.

It's almost the same problem for other things - like trash and whatnot. So long as you can send it elsewhere (like a third world country), and don't have to deal with massive piles of waste in your own backyard, it's all out of sight and out of mind... and not your problem.

Push the consequences on those less fortunate, and go about your lives thinking you're somehow better than everyone else.

Bah. I sort of want to hear some stories of the good ones, just to restore my faith in humanity, and think that we're not entirely doomed.


Wednesday, August 14, 2019

Another Update

I went to Defcon last weekend, which was a lot of fun. The only downside is that I caught some sort of bug and am now sick.

The sniffling and coughing isn't too bad, I suppose... but I also apparently lost my voice. I haven't been able to speak above a whisper for a couple of days now.

Not exactly how I planned on returning from vacation, but I suppose between airplanes and crowded conventions it's not entirely surprising. (As usual, there's a 'Defcon Crud' that refers to getting sick at Defcon, not too different from the 'Kuwaiti Crud' we encountered flying to Kuwait. I'm sure it all has something to do with encountering different viruses/bacteria than what we're used to at home.)

Aside from getting sick, though, I had a blast. Saw some talks, a demo or two, got to solder a badge and pick some locks and bought some cool things. There was a Voting Village, which showed various voting hardware and had talks discussing cyber security for elections. Apparently local election officials have made a lot of changes since the 2016 elections. I won't take their word for it that things are necessarily secure, but I figure I at least need to look into it more before flat out saying it isn't.

There was also a Car Hacking Village, and an Industrial Control System (ICS) Village, and a bunch of other things that seemed interesting. I asked some questions and got some recommendations on books to read for further study (like the Car Hacker's Handbook. This publisher, btw, had a vending booth t the convention with all sort of intriguing titles.)

Oh, and got to see some relatives, who are amazing btw.

See, one of my aunt's has a stepdaughter that lives in the area. I don't think I've met her since I was like, idk, eight or something at my grandparent's 50th (or 40th?) wedding anniversary, though we've been facebook friends for a while and I know one of my other aunts and uncles visit her when they come to Vegas for his poker tournaments.

So I figured, wth, I'd let her know I was in town and we could do lunch or dinner or something. Apparently she then told some of my other aunts I would be there, and since they (and another uncle) were living in Arizona they decided to drive down and visit. My cousin kept this all entirely as a surprise, so I had no clue they were coming.

They showed up at the restaurant where we were, and my aunt asked if we'd mind sharing a table. Someone was recording me when they did this, and apparently my reaction was priceless. Like... I was totally not expecting to see my aunt there, and almost didn't recognize her. Then I was processing her request, which was really strange (who asks to sit at another group's table? Especially when there are plenty of empty tables?) and then it dawned on me who it was and...

Yeah.

So that was pretty awesome, and they stayed in town a couple of days so I got to hang out with them more after Defcon wrapped up on Sunday. (My flight left Monday, so I had a bit of free time.)

I also... well, I didn't end up gambling At. All.

Not even once. I didn't expect to win, or anything, but I thought I'd figure out how much I was willing to lose and do something. Just because it's, you know, Vegas.

But between the convention and visiting with relatives I just didn't really have the time. And that's okay.

I picked up a few gadgets, though it may take a while before I can play with them. Did you know that there were USB-C cables that look exactly like your usual charging cables, but that can be programmed to deliver some sort of malicious payload?

I figure I'll eventually use one of my old phones, configure some sort of keylogger program or something, and then see how it all works.

I don't have any intentions of using this sort of stuff outside my own home, but it's pretty hard to defend against things you don't even know exist, and I'm curious. Like, how would the malicious payload look on my phone? What does it take to recover the data?

What sorts of things could indicate someone's using this irl, and could I spot it if/when it happens?

Oh, and someone I ran into on Friday said she wasn't going to use her badge for another conference (the Diana Initiative, smaller and covering some of the same things but more focused on women in the industry), so she gave it to me. In some ways, the smaller convention was nice... less of a crowd at the lock picking and soldering villages, and it's nice to see other women interested in the things I am.

Lock picking, like some of the other stuff I mentioned, is not something I intend to use seriously... people say they do it more for the art of it? It just seems like a cool thing to know, and understanding how locks work is kind of neat. I don't claim to be any good at it, but I did pick up a set of practice locks - they increase in difficulty level, so once you master one you go on to the next.

I did do a stint with the Ethics Village, a part of Defcon put in by my local group. Sat in on a 'coffee talk' with Joshua Steinman, which was interesting.

There was plenty more to do and see. I didn't participate in any of the (many, many) Capture the Flag events, for example. And figuring out what's up with the convention badge is apparently a regular thing.

So plenty of things to do, lots of stuff to learn, and I had fun... even if I'm currently slightly sick and unable to talk.

Saturday, August 3, 2019

Job Update - Part II, Business Applications

Earlier I wrote a series of articles discussing what happens when we connect to a website, and I used an analogy of the post office to describe how messages get routed. I talked a little bit about what goes on at the business side of things, and now I want to go into much greater detail.

Let's say you want to shop online, or transfer funds, or any of the zillion things we now do over the internet.

You open a browser on your phone, tablet, laptop or desktop and connect to a URL. In my previous series of posts I described how this gets translated into a series of messages that get routed to the 'front office' of a business, which then sends your information on to their fulfillment center or distribution center for processing.

There's a bit more to it than that. You see, the business will have one machine (or building) that responds with the webpage you requested, but in order to fulfill your request it needs to know a few things. Like your login info, and whether you're authenticated as the person authorized to view your account info. Then it needs to find your particular information (out of all the other people who have accounts there) and let you see yours, and yours alone. Plus there has to be a method for adding new customers, or removing old ones, and getting your billing information, and more. 

So one machine may be dedicated to offering up the requested web page, and another machine may handle authenticating login information, and still another machine may hold the database with all your order history or transaction history, and still another may be secured more tightly because it holds everyone's billing information, and so on and so forth.

But wait, there's more!

If the business is reasonably large, it may have thousands or millions of people interacting with their websites on any given day. So they need a way of handling all that traffic. PLUS, people get pretty upset when a service isn't available. If they want to order something, or pay a bill, or whatever they want to do it Right. Now. and they aren't going to be pleased if your website crashes.

So businesses need redundancy, because you as an individual may survive if your hard drive crashes, but a business might not. So there are ways of having two or three machines acting like one web server, so that if one fails the other two can pick up the slack. And there are things called 'load balancers', that help make sure that all that traffic gets routed to the servers in an even manner. Otherwise, one server might get so overwhelmed that responds to requests more slowly, while another is sitting idly by.

But if you have two or three machines doing the same thing, you also have to make sure they're synchronized and share the same data sources. So instead of having a hard drive on one machine, you'll probably store everything a shared Storage Area Network (SAN), which will also have built in redundancy so that if one of the drives fails the data can still be recovered.

Oh, and you also have to worry about making sure that transactions happen once per request, and only once. That is, if something crashes while a request is being made you have to make sure that the request finishes processing (or doesn't process at all, undoing anything done before the failure). That way you don't get charged twice for the same order or something.

All of which sounds like a lot, when you think about it. But businesses are aware of all this and most of them have figured out how to make it happen (even if that sometimes involves outsourcing services, like using a cloud provider to manage your machines.)

Anyways. Three years ago if you had asked me what an application was, I'd probably have said it was something like Word for Windows, or Pokemon Go. You download some sort of file (most likely an .exe file, since it's an executable), install it, and it does stuff.

And learning to code meant I was much more aware of how complicated creating that .exe was. I mean, the Windows operating system has something like 50 million lines of code. Trying to figure out how all that fits together would be insane.

I knew that there had to be a way to allow multiple people to work together on a program that large, and I'd heard about things like GitHub, and understand the importance of version control. After all, I had the joy of trying to figure out why a change in one part of my program broke something in another part, and that was all just me. Trying to manage the efforts of five or ten different people all working on different parts of the program at the same time? That requires a good supporting structure in terms of tools (like GitHub), division of labor (who is responsible for which parts of the program), and procedures for deciding when something gets accepted into the official program.

Anyways, I've come to realize that at the business side of things 'application' refers to much more than just the lines of code that get compiled into an executable. Especially since more and more businesses offer up their applications on websites, which has several advantages. (i.e. the user just has to remember the website. The business can update the application as desired, and the client doesn't have to download and install any of the updates... they'll see the changes when they go to that URL. My company apparently used to offer a .exe program that our customers downloaded and installed, but I believe we stopped doing that and now offer it as a web application.)

Which means that, from the business side at least, an 'application' refers to more than just the code that goes into it. It also refers to the various machines required in order to make the website work, to include the databases, the processing of requests, and more.

And we're still not quite at what I'm doing.

See, businesses need a process for developing and maintaining their application. Something like the Software Development Process. There's apparently a lot of different ways of doing this, and you can follow the link to explore more on that. Most have some variation on the basics - i.e. figuring out what the requirements are, coming up with the code to do it, then testing, testing, and more testing before finally releasing it into production. And really, that last stage might be considered the final test, as anyone who's had to deal with bugs after an update can attest.

Each of those phases need their own version of the application. They might not get the heavy traffic that the official application does, so they may not need the load balancers and multiple servers, but they still need a web server, database, machine for authenticating users, etc. In other words, you need to duplicate the entire environment.

Not only that, but occasionally issues come up with the current (live) version. The one in production. Maybe a vulnerability was discovered, whether in the business's program or a third party's software used by the business, and a patch needs to be applied. Maybe an issue came up after the latest version was released into production. Plus if you've divided up the labor, you may need one environment focusing on a particular part of the application (like billing, or the website), and another environment focusing on something else. Whatever the reason, you need to have multiple environments for every stage of development.

And this is where I come in. My official job title is "Technical Integration Engineer". We've got, I dunno... maybe 40+ environments involved. Each with at least four or five different applications. I say I don't know because some of them have been retired or aren't currently in use, so I can't really say how many there are altogether.

Each of them have to deal with reboots and what we call a 'build push',  rebooting because (as you may have experienced) rebooting can clear out old data that causes errors and bugs otherwise, so it's good to regularly reboot your machines. And a build push? Well, if you've made some changes and want to test them, you have to incorporate them into your software build and then push them into the environment for testing. Then you can try doing all the actions a user would and see if it works or not.

I'm still very much at the beginner stage of my job, so right now most of it is about dealing with any sorts of issues with rebooting or pushing a build. It also means monitoring how much memory we're using and clearing out some of the older and more obsolete files if we start running out of space.

It often means working at the 'back end', that is... if someone in one of these environments is having a problem accessing a web page or performing an action, I'm checking logs or running scripts in the shell environment. Luckily, my predecessors have already created a bunch of scripts for our most common tasks. Mostly I'm just learning my way around, learning where to go to find the logs or scripts for which application in which environment, and what to do when one of the gajillion alerts comes up. (I learned about something called 'alert fatigue', and I think my organization really suffers from it. I've also spent a bit of time coming up with a system for my Outlook e-mail that I think is satisfactory. I already knew about creating rules to sort e-mail, but we get waaaaaayyyy too many of those for me to rely on. So I simplified it down and created some rules dividing things by environment, and sending all the automated e-mails to a couple of folders. Then I created some search folders so I can easily find any of those specific alerts or reports. Outlook was annoyingly unhelpful at doing some of the things I wanted to do, I'd love to place some of those Search folders near the folders related to whatever the alert was... and given that I repeatedly saw other people having the same wishes when I looked online for solutions, I think it's a pretty common desire... but I'm going to guess there'd be some complicated coding involved in doing so. Anyways... I put the ones the search folders I know how to address up in my favorites, so I can easily see when something new comes up.)

There's a lot more, of course. I'm still learning what various alerts and messages mean, and I'm sure I'll eventually be updating and/or writing my own scripts. I spend most of my time on the command line (or, well, with Linux it's the terminal for a Bash or Korn shell) and I'm getting pretty good at running commands like 'ps -ef | grep <xxxx>' to find whatever current processes have <xxxx> going on.

I think I can safely say that applications are a lot more than just the .exe file. That it contains the machines, third party software for synchronization or whatever, database queries, scripts, logs, and various methods for monitoring and alerting when issues develop... all of that, for each of the many, many environments...

And the back end is a complicated, complicated place.

Job Update - Part I, Background Info

I figured I'd take a bit of time to write about what I'm doing now, though I'm going to write for the (hypothetical) layperson that I used to be.

I suppose I actually need to start with scripting. Or rather, the command line.

If your around my age or older, you may remember how computers used to be. You may remember sitting in front of a computer screen and seeing simple text. No fancy pictures, no windows. No mouse.

Just a (most likely black) screen where you could type in whatever commands you wanted.

Windows... heh. Well, they've been around so long it's easy to forget what it was like before.

Windows make computers much more intuitive and easy to use. You can easily see menu options, select what you want with a mouse, and more. But the older methods are still there.

For instance, if you're using a Windows machine you can go to the Start menu and find cmd.exe. ('cmd' will generally find it, but there apparently are malicious programs that will call themselves things like cmd.bat, so just to be safe I like to type the whole thing in.)

If you open it, it will give you a little black window with some text and a blinking cursor indicating where you can start typing.

You can type in commands here, just like on an older computer. Although it's not as easy to use, once you know the commands it can actually be faster. Mostly because the computer doesn't have to waste any time displaying a window, or re-sizing it, or modifying it to show your menu options.

If you wanted to find your IP address, you can search through some of the menu options on Windows (I don't know them off the top of my head, but I recognize them when I see them. It's probably under Network Settings or Control Panel -> Network or somesuch), or you can just open up the cmd.exe program and enter 'ipconfig'.  Iirc. The command terminal runs shells, and there are lot more than just cmd.exe out there. Windows created their own Powershell, which does some similar things (and has some differences)... and in Linux you're more likely to use Bash, though there are plenty of other options (like Korn shell), so in Linux instead of 'ipconfig' it may be 'ifconfig' or 'ip addr' depending on what version you're using. I can generally look them up if I need to, but it's actually just faster to type whichever seems correct and enter one of the others if it doesn't work.

I don't really want to get into the difference between a command line, shell, or terminal, suffice to say they all give you a place where you can run commands strictly through text.

So... why'd I even bring all that up?

Well, the next thing to understand is scripting.

Basically any command you can do in a shell can be written in a text file and run at will. You may not get much out of saving a script to run 'ipconfig' to your computer, but if you consistently do the exact same series of commands it makes sense to write a script. It's faster (since the computer doesn't have to wait on your slow data entry) and more consistent (since it will never forget a command, or put them in the wrong order).

If you wanted to, let's say, make a back-up of a particular file every day... you could write a script to copy 'important_file.txt' and paste it in another location under the name 'important_file_bak_YYYYMMDD.txt'. You can even (generally) tell the computer to run that script at a particular time every day.

That way your file is backed up at least once a day and once you've set it up to run you won't have to do another thing. (Okay, you might want to create another script to clear out older copies. Otherwise you'll eventually start running out of space.)

Why did I explain all that, you ask?  I'll explain in the next post. :)