At my new job they have a fitbit step count challenge and if you can clock 40,000 steps in one day you can win a $100 gift card.
The only problem is that there is no way in the world I will ever legitimately get 40,000 steps in one day (the closest I ever came was 25,000 steps one day in London, and I was near exhaustion when I made it back to my room).
So if I was ever going to get 40,000 steps in one day, I was going to have to cheat. Note: I am not really cheating, I am using a secondary Fitbit account for this.
Let me introduce you to Stepbot POC v.01:
With a $10 remote control car and some electrical tape I can now average 120 steps a minute (172,800 a day) from the comfort of my desk chair.
The future plans for the Stepbot include:
Stepper motor and stand.
Raspberry Pi integration.
Software to control steps per minute with a web interface.
What Working In Politics Has Taught Me About InfoSec
As I get ready to wrap up 9 years running network security for the Missouri House tomorrow I thought it would be a good time to do one of those blog posts where I sum up what I learned in a nice neat package.
So here are 5 things working in politics has taught me about InfoSec (and life):
You can’t win every battle. If you try to win every battle you won’t win any. You have to pick the battles that are important to you and focus on winning those.
Favors are the most valuable thing in the world. The most valuable thing in the world you can have is to have someone feel indebted to you. You never know when you have to cash it in but it is always nice to know someone has your back when you really need it.
You can’t unsay things. A politician can ruin their career by saying careless things without checking the facts or knowing their audience. So can you.
To have a successful project find people who care about your cause. The first step to having a successful project is to find other people who are impassioned about the same thing. If you can’t find those people your project will likely fail.
It isn’t personal. If someone doesn’t think the same way you do on an issue, it doesn’t mean that they don’t like you (or that they are an idiot). If you treat everyone who has a difference of opinion from you as an enemy, it quickly becomes you versus the world.
I was challenged by my friend on Facebook to name 10 books that influenced my life. I figured if I was going to put together a list I might as well put it on my blog.
So here are the 10 books in alphabetical order that have influenced my life:
48 Laws of Power I read this book 4 or 5 years ago and decided that if this is what it took to be successful I didn’t want to be. I would rather be a nice guy and be “unsuccessful” than base my life on this book.
Augustus: The Life of Rome’s First Emperor You didn’t think I could make a list of my favorite books and not include one on Roman history, did you? Augustus found Rome made of clay and left it made of marble. As Rome’s first emperor, Augustus transformed the unruly Republic into the greatest empire in the world and laid the foundation for all of Western history to follow.
Maniac Magee I read this book when I was in 5th grade and having a hard time fitting in. It really made a huge difference in the outlook in my life. I still love this book.
Mere Christianity I first read this book when I was teetering on unbelief. I’ve reread it many times since, but that first read-through was life altering.
Paddington Bear I bought this book for my son when I was in London. He and I like to read it and laugh at Paddington. This book will always be special to me.
The Outsiders I read this book in 8th grade English. It is one of the best books I have read about class warfare and about how we all really just want to fit in.
The Pursuit of Happyness A great story about how a man can drastically change his life if he never gives up. One of the most inspirational stories I’ve ever read.
Titan Titan is a biography of John D. Rockefeller, the founder of Standard Oil and the world’s first billionaire. At its core it is about work ethic and about taking what you have and making something out of it without anyone’s help.
To Kill a Mockingbird To quote Homer Simpson, ‘To Kill a Mockingbird’ gave me no useful advice on killing mockingbirds, but it did teach me not to judge a man based on the color of his skin.
You Are Not So Smart This book is a fun read. It talks about 48 things we do that don’t make any sense. After reading this book I started catching myself making a lot of irrational decisions on a daily basis.
I just returned from a week in London for the 4th annual 44CON. I had an amazing time hosting a quiz, being on a panel and giving a talk.
44CON is one of the best-run conferences that I attend. Adrian and Steve both really care about the conference and about it being entertaining and educational for the attendees. 44CON (like Derbycon) has figured out how to make the conference feel like a meeting of old friends and not a sales pitch or exhibitor expo.
This morning I read “An Honest Message from Your IT Guy” and was kind of amused and disappointed and thought I should pen “An Honest Message from Your Security Guy” as a rebuttal.
I am here to help. Seriously. I know the average IT guy can come across as a jerk, but I work really hard to be a nice guy. If it wasn’t for you I would be selling insurance to over-the-road exotic animal movers.
Please don’t lie to me. To paraphrase Jay-Z: “Men lie, women lie, logs don’t.”
While you swear you never visit “OfficeSupplies.XXX”, we log all the traffic that leaves the network and I know for a fact you have a thing for Swingline heavy duty staplers. It is cool… I am not here to judge, but when your PC gets a virus and I have to come fix it and you have deleted your browsing history and tell me you were reading up on ancient Roman birthday cakes, it makes my job a little harder.
No. I don’t trust you. I have done this job for over 10 years and I don’t think anyone has actually ever told me the truth when I asked what they were doing when their PC was infected.
No. I don’t trust you. You cannot be a local admin on your PC. Doing so puts us both at a risk we don’t need. I don’t even have admin rights on my PC.
No. I don’t trust the IT guys. Don’t feel bad. I really don’t trust the IT guys. 50% of my job is to “Watch the Watchers” and they try to get away with more stuff than you do.
Yes, I think those password requirements are ridiculous, too. Our password policy should be much stronger because when (not if) our passwords get hacked I prefer it to take more processing power than your average 7th grader has available to crack them.
I am here to help. Above all my job is to help you do your job securely. If you have a question or a problem I am here to help you.
Over the last couple of days I have seen a bunch of people post a link to this blog post about how the new Facebook Messenger “crosses the line” when it comes to the permissions it asks for.
Yes, the Facebook Messenger app requests these permissions:
Change the state of network connectivity
Call phone numbers and send SMS messages
Record audio, and take pictures and videos, at any time
Read your phone’s call log, including info about incoming and outgoing calls
Read your contact data, including who you call and email and how often
Read personal profile information stored on your device
Access the phone features of the device, like your phone number and device ID
Get a list of accounts known by the phone, or other apps you use.
There are plenty of legitimate reasons for requesting these permissions. Messenger needs access to your camera so that you can take and send pictures. It needs to access your microphone so that you can use the app to make free phone calls. Etc.
These kinds of sweeping permissions are also extremely common in Android because of the “open” nature of the OS. Even the most vanilla apps collect extraordinary amounts of personal data. Most weather apps keep a detailed GPS log of everywhere you have been in order to display the local weather (law enforcement agents really like this feature).
My advice to you is don’t freak out and delete Facebook Messenger. Instead, audit the rights on your Android device using a tool similar to Permission Explorer and remove the rights that you think “cross the line”.
If you are still worried about it you should buy an iPhone. iPhone security is much more locked down than Android.
For the last year my doctors have been worried about my moderately high blood pressure. A few weeks ago after a bad migraine attack and a huge spike in my blood pressure my doctor decided to put me on blood pressure medicine to lower it.
I have made these handy charts of my average energy level before and after I started taking the blood pressure medicine.
The good news is my blood pressure is in a normal range and I am not going to have a stroke. The bad news is I feel like a 70 year old man and am ready for bed about 8.
I wonder if this is what normal people feel like all the time?
About once a month I will get a call from someone who is upset because their account was hacked and wants to know what they can do to stop it from happening in the future. The truth is enabling two factor authentication (2FA) is one of the best things you can do to make sure your accounts don’t get hacked.
Here is a list of popular services where you should enable 2FA:
Google/Gmail: Google’s two-factor authentication sends you a 6-digit code via text message when you attempt to log in from a new machine, though it also works with the Google Authenticator app for Android, iOS, and BlackBerry. You can save each machine for 30 days. You can enable it here.
Facebook: Facebook’s two-factor authentication, called “Login Approvals,” sends you a 6-digit code via text message when you attempt to log in from a new machine. It also works with apps like Google Authenticator for Android, iOS, and BlackBerry, as well as the “Code Generator” feature of the Facebook app. You can also authorize a new machine from Facebook.com on a saved machine if you don’t have your phone handy. You can enable it here.
Apple: Apple’s two-factor authentication sends you a 4-digit code via text message or Find My iPhone notifications when you attempt to log in from a new machine. You can enable it here.
Twitter: Twitter’s two-factor authentication sends you a 6-digit code via text message when you attempt to log in from a new machine. You can enable it here.
Dropbox: Dropbox’s two-factor authentication sends you a 6-digit code via text message when you attempt to log in from a new machine, though it also works with Google Authenticator and a few other similar authentication apps. You can enable it here.
Microsoft Accounts: Microsoft’s two-factor authentication sends you a 7-digit code via text message or email when you attempt to log in from a new machine, though it also works with a number of authenticator apps. You can enable it here.
Yahoo! Mail: Yahoo’s two-factor authentication sends you a 6-digit code via text message when you attempt to log in from a new machine. You can enable it here.
LinkedIn: LinkedIn’s two-factor authentication sends you a 6-digit code via text message when you attempt to log in from a new machine. You can enable it here.
You should also check out twofactorauth.org to see if other accounts you use have the ability.
I have a Samsung S3 that decided it wouldn’t boot on Wednesday. After talking to the very helpful people at Samsung they decided that they can replace my phone for me but I need to send them my broken phone.
All my data is on my phone. All my email. All my passwords. All my texts. All my pictures. I have backups and I have a password on my phone but I still have to send my phone back to a company who could access it if they wanted to.
So what is a security professional to do? Normally I would just wipe my phone and send it in but since that isn’t an option I am stuck with either keeping a $400 brick or possibly exposing my data to Samsung.
Earlier today I was asked to come up with the best way to keep your social media accounts secure. Here are 5 easy ways to protect your social media accounts:
Update accounts with unique, complex passwords. Complex passwords will contain a combination of upper and lower case letters, symbols and numbers, and have at least ten characters.
Change your password often. No matter how complex your password is it is necessary to change it regularly. Normally I suggest changing your social media passwords two times a year.
Enable Two Factor Authentication. Google, Facebook and Twitter all offer two factor authentication. Enabling it allows these services to know that it is you logging into your account and not someone else.
Review apps and add-ons regularly. Review all apps and add-ons associated with your social media accounts at regular intervals. Remove apps and add-ons you no longer use or post to your social media accounts without your permission.
Log out. Remember to log out when you are finished using an account. It is an easy and highly effective step to protect your account.
In two weeks I am on a career panel for a group of high school kids interested in technology careers. They sent a list of discussion questions they were going to use to get the conversation started and one of them was:
What does it take to be successful in information technology?
The answer to this question I always give is:
If you want to be successful in information technology and life in general you need to implement the no no rule.
The no no rule is extremely simple: When asked a question your first response should never be no.
The two non-yes responses I use are:
1) Ask for more information or clarification.
2) Ask for time to research a solution.
In a lot of cases (especially in security), after you ask for clarification or time to research, the answer may still be no, but you will have given the question some real thought and understanding and the person making the request won’t feel like you are ignoring them. A lot of information technology professionals get a bad reputation because they say no too often.
My son asked me on Saturday as we were going into the store why an old guy was selling flowers. It gave me an opportunity to tell him about the “true meaning” of Memorial Day and explain to him that some of our bravest heroes don’t get to come home.
So today I will be spending some time thinking about the people who gave everything.
In Flanders fields the poppies blow
Between the crosses, row on row,
That mark our place; and in the sky
The larks, still bravely singing, fly
Scarce heard amid the guns below.

We are the Dead. Short days ago
We lived, felt dawn, saw sunset glow,
Loved and were loved, and now we lie
In Flanders fields.

Take up our quarrel with the foe:
To you from failing hands we throw
The torch; be yours to hold it high.
If ye break faith with us who die
We shall not sleep, though poppies grow
In Flanders fields.
I got a call from a friend who was sure his PC was hacked because his CD-ROM drive kept randomly opening and closing. After looking at the machine I found a .vbs file in his appdata folder named RandomlyOpenCD.VBS (surprisingly, it randomly opens and closes the CD drive) and nothing else that looked like an APT.
After making a copy of the code, deleting the file and rebooting his PC it was fine and his CD drive was back to a non-hacked state.
The practical joker in me makes it nearly impossible to not share the code:
Last night I sent an email to a good friend and his boss passing on an amazing career opportunity that paid an ungodly amount of money.
It was basically Scrooge McDuck build a money bin money.
So why didn’t I take it? After a lot of thinking and discussion with my wife it boiled down to timing and location.
We weren’t crazy about the location. We would have had to relocate to Atlanta. We don’t have more than a handful of friends in Atlanta and our nearest relatives would be about 300 miles away. I don’t like grits.
The timing wasn’t great either. My son is getting ready to start Kindergarten next month. My wife has a job that she loves. Our family is a half hour drive away. We have amazing friends. We love our church. I don’t like grits.
Even after that list of cons it was still amazingly hard to say no to a great career opportunity and the possibility of my own money bin.
So why did I?
I remember seeing this quote a few months ago:
“Half of the troubles of this life can be traced to saying yes too quickly and not saying no enough.” - Josh Billings
So I took my time and thought about it. On Monday I was ready to call a Realtor and put my house on the market. On Tuesday I was trying to figure out if I was going to sound cool with a southern accent. On Wednesday I woke up and realized it wasn’t the right time to move our family halfway across the country.
So yesterday I wrote an email apologizing and declining the position, put in a 16 hour day at my current job and went home and slept like a baby.
It will be hard not owning a Tesla and having a bin full of money to swim around in but I know I made the right choice for my family and hopefully there will be other opportunities like this in the future.
This afternoon a “hacker” decided to text bomb my phone with about 1000 text messages asking me to PayPal him $100 to stop.
A couple of things:
I don’t negotiate with terrorists. (I always wanted to say that.)
Part of the text bomb gave me information on how it was happening.
After getting a couple of messages I noticed they were all coming from onlinetextmessage.com. After looking at their web page I noticed that you could block messages from their site to your phone.
Once I blocked the attack I was interested in how they did it and started to do a little bit of research.
I am about to give you a link to a script that can do bad things. Please don’t do bad things.
With a few well placed Google searches (onlinetextmessage.com sms bomb) I found this pastebin with a two year old Perl script in it. I am “researching” here, so I had to test out the script myself (against my own phone) and surprisingly it works really well.
After looking at a couple of other online SMS sending websites, it appears the reason that onlinetextmessage.com is vulnerable to this abuse is that they don’t ask for a CAPTCHA before sending the message. This would seem to be a pretty easy addition to their code to stop this from happening. I have sent them a nice email asking them to make these changes. I doubt I will ever hear from them.
This “DST” button is .25” away from the snooze button, .2” away from the source and sleep timer button.
Why is this a big deal? Because when you accidentally touch the button it magically makes it an hour earlier in my bedroom than in the rest of the world. For a feature that will save me 30 seconds two times a year they have basically put a self destruct button right on top of their product.
How in the world do products like this make it to the market?
I was having a conversation about security today with a good friend and the subject came up of what is the most difficult question in security to answer?
After a few minutes of back and forth we settled on the following question:
Who would want to hack us?
This question is nearly always asked with the person asking it implying they aren’t important enough to be hacked.
As security professionals we mostly do a terrible job at answering this question. Normally we end up answering with something vague like “hackers”.
(This is what a hacker looks like.)
When we answer back with a vague answer like “hackers” we don’t make the threat real to the person asking the question. They will care and think about hackers as much as they do the nebulous bad guy who might break into their car and steal their 3 Doors Down CD.
The best way I have found to answer this question is by asking a question back.
Here are a few questions I always try to ask back when someone asks me who would want to hack us?
Have you ever had an employee leave on bad terms? Have you ever made a competitor mad? Is there anyone that would enjoy you having negative publicity?
Everyone can think of an answer to one of these questions and it plants a mental image of someone who would actually want to do their company harm and not a guy with a ski mask.
How do you answer the question: Who would want to hack us?
That was my four-year-old’s response when I reminded him that his first T-Ball game was later that day as I woke him up. I love my son, but he spent 80% of his first and only T-Ball practice trying to make the other kids on his team laugh. He is no Jose Abreu.
My first instinct was to tell him:
Logically the chances of you hitting the ball over the fence are not very realistic, why don’t we concentrate on a single and hustling to first base?
As I sit on his bed getting ready to tell him why he isn’t going to hit a home run he tells me:
I can’t wait for my game tonight, it is going to be a so much fun!
At that moment my 4 year old reminded me that baseball isn’t as much fun if you aren’t swinging for the fences. The same can be said about life. I can hit singles and hustle to first all day, but wouldn’t it be a lot more fun to swing for the fences?
Even if you don’t hit a home run you might end up on 3rd base talking to your friend.
This morning I was out running some errands and NPR had an interview with David Sklansky, a poker player who wrote a book called “The Theory Of Poker”, and he said the most important thing to remember about poker is that:
Poker Is Fundamentally A Battle Of Mistakes
That quote stuck with me all day and when I got some time to sit down and Google it tonight I found this amazing excerpt from his book:
Every time you play a hand differently from the way you would have played it if you could see all your opponents’ cards, they gain; and every time you play your hand the same way you would have played it if you could see all their cards, they lose.
Let’s make this about security:
Every time you secure your network differently from the way you would have if you could see all your opponents’ attacks, they gain; and every time you secure your network the same way you would have if you could see all their attacks, they lose.
Poker players spend just as much time at the table thinking about who they are playing as what they are playing. Security professionals, on the other hand, spend a lot of time and a lot of money trying to prevent attacks that the people attacking their networks won’t or can’t use. I know small companies who are more worried about APTs than they are about phishing attacks because they watched a 60 Minutes story about it.
Can you answer these five questions about the people who would likely attack your network:
Who would want to attack my network? Why are they attacking my network? What do they want to steal or change? Is it possible for them to access the information they want to steal? If I were them how would I try to steal the information?
I think if you can answer those five questions you would be off to a good start on understanding the correct way to secure your network because:
I have a mentor who sends me a motivational quote a couple of times a week and today he dropped this on me:
If you’re the smartest person in the room, then you need to find another room.
I have heard that quote before and actually used it in an opening slide of a talk to make a self-deprecating joke. I get the underlying meaning of the quote, but I think few people would actually admit to thinking that they are the smartest person in the room.
So either the person who wrote this quote was an egomaniac or wasn’t clear in his writing. Here is what I think he is talking about:
I have an amazing four year old at home who challenges me all the time by asking me questions I don’t know the answer to (Why are bananas yellow?) and asking me questions that make me think about life (Why do we have a house and my friend lives in an apartment?).
To be honest a lot of time I turn into this guy:
One thing my son does every day is challenge me to think and learn. So after thinking about that quote for a little bit I responded with this:
If you’re in a room with people who don’t challenge you, then you need to find another room.
Are you being challenged in your personal and professional life or is it time to find another room?
Earlier today I was reading this article on Rollingstone.com about how FXX plans to show all 552 episodes of The Simpsons this August and noticed that when I copied anything from the website it appended a link and copyright notice. That got me thinking about what else could be appended to copied text and how bad guys could use it.
When you copy and paste the echo $PATH command in Firefox and Chrome you get this:
If you copy and paste directly into a terminal window you get this:
So you want to be a Twitter security expert? I have come up with an easy to follow list to make sure you are:
All Cons, All The Time! If you are not tweeting about flying to, attending, partying at, or flying home from a con at least once a month you can’t be a security expert. Also try not to mention what you actually do for a living. It removes some of the expert shine.
Be an expert on EVERYTHING. Heartbleed? Drones? Malaysia Airlines Flight 370? Top Secret NSA Domestic Spying Programs? Windows Patching? Programming? All in your wheelhouse. If you are going to be a Twitter security expert you need to know this stuff. Skimming half a Wikipedia page qualifies you to speak on any subject authoritatively.
Everything is your business. A company you own no stock in appoints someone you don’t like to their board of directors or as CEO? Good thing you are an expert on EVERYTHING! Time to be really outraged and let everyone know it!
It is all about you! This is the main rule of being a security expert on Twitter! Every time somebody expresses an opinion with which you disagree, they are doing it to anger you personally. It would be wrong not to take it as a deeply personal insult.
How many followers do you have? Make sure you have, at minimum, one bot a week tweet about how many followers, retweets and mentions you have. You need people to know how important and influential you are!
So this is how it feels to feel abandoned? That is the question you have to be asking yourself this morning. For the last 4549 days you have been a constant workhorse for PCs around the world and this morning Microsoft has decided that you are no longer worthy of support.
I remember the first time I met you. I was a 20-something systems admin who was in love with Red Hat 7.1 and I thought you were going to be the end of the enterprise operating system. A few service packs later you were a solid workhorse who did her job without any real complaints.
You have been great to me and my career. I owe you a lot, and until Windows 7 came out you had been what I used and supported nearly every day of my life for 10 years (I am still sorry about that fling I had with Vista in 2007. She was shiny, pretty and had so much promise. I was wrong and glad we can move on.).
I know you will live on in unprepared and underfunded schools, banks and grandparents systems for the next 10 years but I am going to miss you. Thanks for all the good memories you gave me and thanks for taking me this far in my career!
Twitter added a photo tagging feature today and like Facebook decided to have the default setting to allow anyone to tag you.
For your own safety you should change it to this:
The steps to do this are easy:
1) Log in to Twitter.com
2) Go to the Settings tab.
3) Go to the Security tab.
4) Under Photo Tagging click “Do not allow anyone to tag me in photos”.
5) Scroll to the bottom of the page and click “Save changes”.
6) Enter your password to save your changes.
My opening question was simple: What do social media and hammers have in common?
The two main points of my talk were the following:
My first point was: You wouldn’t give your 13 year old a box of nails and a hammer and tell them to go build something without first showing them how to properly use a hammer. This means as parents you are going to need to know the difference between a Snapchat and an Instagram. The days of being able to say “I don’t do that internet thing” are over.
My second point was: According to the FBI, in 2011 496 people were killed by hammers. It was a terrible and tragic misuse of the tool. The way to fix that isn’t to ban hammers. This applies to social media also. There are tons of tragic cases of people misusing social media, but that shouldn’t stop you from letting your child use this very important communication tool.
This was one of the favorite groups I have talked to all year. These people all have amazingly loving hearts for kids and want to do what is best for them. It was great to talk to a group of such involved parents.
Can you name 5 people who are better at your job than you are?
I was asked this question earlier today and after trying to convince myself that “no one is better than I am” I took 5 minutes and wrote out a list of people who are better at my job than I am.
If you could ask them 5 questions what would they be?
This wasn’t as hard, and I came up with these 5 pretty quickly:
What drives you? What is the first thing you do when you get to the office? How do you manage work and life balance? What books have influenced your career the most? What was your biggest failure and what did you learn from it?
Now it is your turn: Can you name 5 people who are better at your job than you are? If you could ask them 5 questions what would they be?
Would you believe someone if they told you that they had four simple words that if asked honestly can make you successful?
I have those four words.
My grandpa gave them to me when I started my first job at 13 and came home complaining of being bored. He asked me if I had asked my boss “What can I do?”. I hadn’t… why would I… who asks for more work? Not me… I just wanted to work long enough to make enough money to buy a Super Nintendo.
He told me something I won’t forget. He told me that asking “What can I do?” and then doing it had made him successful in anything he had ever tried.
Why am I telling you my secret of success? Mostly because I didn’t know it was a secret and because there was this question on twitter last night:
If you had 15 minutes with your company’s Chief Executive, what would you say… RIGHT NOW. Curious on answers…
I see where he is coming from. I will admit sometimes I ask my wife “What can I do?” while I am sitting on the couch watching Teenage Mutant Ninja Turtles reruns and surfing the web while she cooks dinner, hoping she says “Nothing… I am just doing the dishes, negotiating world peace and cooking dinner… just finish watching TV” when I know in honesty I am not doing all I can.
Asking “What Can I Do?” is a dangerous question. It can lead to all kinds of unintended consequences, like having to take out the trash or having your boss give you more responsibilities.
So please be careful with those four words and dont tell anyone I told you.