From the past

Apr 13, 2010

Well worth the listen:

“Part of the perversity of (this) evil is that the greater its depravity, the greater is our natural, human temptation to avert our eyes” – Joe Lieberman, on extremism

At the moment, I’m just at the tail end of hearing Joe Lieberman talk about the end of the war on terror. While I may not agree with everything he thinks, it has been damn interesting. The one on Iran and its relation to Islam was also really, really good.

These are all available for almost free over at iTunes (you’ll need to give them a credit card number that is at least valid, but it actually costs nothing).

Posted by Caspian
Apr 04, 2010

My Nokia N95 has finally bitten the dust. It appears to be completely repairable, assuming I have the time, inclination, and the $150-300 to replace the parts. In the meantime, my local telco has decided that I can have an iPhone. For free. Part of me thinks this is great, but there’s a huge chunk of my thought process that can’t accept this type of “freedom”. It’s the kind of freedom that comes with home or car ownership, and the kind that I don’t see as freedom at all. You’re stuck with whatever it was you settled for, bought, or own.

Most of the time, this isn’t too bad. House ownership (I hear) is pretty cool. Car ownership is a massive pain in the ass if you live where I do, but for most people it’s pretty beneficial, until you have to pay the insurance, gas and repair costs. Still, it outweighs the cost (for most) of sitting on the bus for 2 hours to get somewhere that usually takes 10 minutes on non-public transit. For many more, it’s the only option, so it’s an acceptable cost. Most of us don’t even really think about this, or we did the math for it long ago. Some of us make fairly controversial decisions because of this process: we refuse free things because they actually aren’t (my uncle Piers famously refused a fairly big promotion as an actuary because of the associated costs. It worked out for him). Of course, some of us never think about it at all, and that’s how we get locked into things like the iPhone.

Computers aren’t free. Software isn’t either. It takes time, resources and labour to produce. This clever little tool that I’ve just accepted from my local wireless telephone company is definitely not something free. The street price (the one Apple suggests) is about 3-400 dollars (Canadian). Telcos, of course, want to give it to you for free. Apple also wants you to have it for as little as possible. Why? Because of iTunes, the app store, and all the associated data costs. It’s a lock-in. While I’d say it’s a scam, most of the people buying one already half-know the caveats of this particular piece of equipment. On the one hand, control of the hardware environment (and the network, to a lesser degree) can be very helpful. It’s precisely why Apple manages to make these things look so good, and work so well. On the other hand, I need to give Apple my credit card number in order to put applications on this machine without violating at least some of the terms of my service agreement with them and the telco. That’s a problem. This is not a game console, or a PVR. It works as a communications system first (or, at least, it should). This means it should always work, because communication is critical.

A basic rule about communication is that you, as an individual, should always have a reasonable amount of control over it. Doubly so when it’s part of your livelihood (I use phones for work on a daily basis). In fact, some people view access to advanced communications systems as a right, in much the same way that we view free speech as a right (are there any ex-phreakers in the room?). So why is it that I’m not allowed access to my phone’s innards in order to make it do what I want? The answer, in this case, is money. There’s a vested interest on the part of the OS provider to keep me locked into their network and their distributorship. Of course, that extends, in some cases, to the service provider, too. They have to offset the cost of my free device by charging me for services, and not letting me leave.

On the other hand, Bell used to do this with telephones: the simple logic was that they didn’t want to have random, dangerous devices on their network. It seems, though, that they gave up on that in the 1980s, probably because, like any other critical service, there were exceptions to all the rules, and the service had to remain functional. The same applies to mobile devices, in my opinion. Users are all different, and their applications are, too. One phone (or computer, or hammer, or car) does not fit all, and that, really, is the main reason that locking any customer into a particular service is plain wrong.

Perhaps it would be better if Apple used something like Steam’s model: we have it all, come and get it. You can do what you want with it once you’ve bought it, but we will still have all of the content you want, and if you want to use it, play nice with us.

Posted by Caspian
Feb 23, 2010

(with apologies to the ghost of Ian Curtis)
One of the side effects of the last few months was a renewed interest in something that got me into security and technology work in the first place: radio. I’ve always had a license for VHF and UHF amateur use, and haven’t really looked at it since I finished secondary school in the 1990s. That changed while I was in the US. I played with a wideband receiver for the first time, and remembered what I enjoyed about being able to hear the things I knew were already there.

This brings me to the quick, nasty point I want to make just now (I’m looking for ways to quantify it this week): radio is a weak link in security.

This should be obvious to anyone who has ever used a police scanner, or worked with business radios on an extended basis. There is a tonne of information being passed around on the airwaves, and some of it is very, very useful for everyone from would-be fraudsters to journalists who want to be first to press. What I’m curious about is how often that information is leaked across the airwaves when it shouldn’t be. I’m going to be doing a short-term survey with the equipment I have, and if I notice anything interesting, I’ll post it here. Later, I might get into MDT and packet radio stuff, but for the moment, it’s just voice. Voice, I think, will be enough.

A few quick tips to anybody planning on using or currently using FRS, GMRS, or UHF/VHF 2-way radios:
1) Minimal amounts of identifiable information are better than tonnes. You know who you’re talking to, and they know you. Stick to first names unless you have to do something else.

2) Phone numbers are for phones. Airwaves are a public space.

3) Locational data is handy for other people, just as it is handy for you. If I want to know where you’re transmitting from, I can find out using positional or focused antennas, or I can just listen. This is even more useful, because it’s likely you’ll say something else I want to hear.

4) Encryption (if you can afford it, and are allowed) is good. If not, you can do what our friends in the local constabulary do: use numbers, codes, and things that are jargon. It makes it harder for the casual listener to decipher. Anybody who intends to break your communications, however, will still pull it off given the right amount of time.

5) If you are a limo service, or a dispatched driver, or someone who is handling important things with a car all day, and use a radio for dispatch, don’t give out too much information about your clients over the air. Better yet, go get a set of iDEN phones (they used to be called Mike phones) if they still exist. They’re much more effective over long distances, they’re about as expensive as radios, and are already encrypted and secure enough for most uses.

6) Watch out for your antenna. It’s funny looking, attracts attention, and can poke an eye out.

Posted by Caspian
Jan 20, 2010

It’s pouring rain in Long Beach. They’ve had 2 days of it. Day one was a hurricane. While I’m not really on vacation (I’m down here looking for a few work-related things, and trying to scare up contracts), I was also looking forward to sun. However, this has reminded me of a couple of basic rules about emergency planning that might be worthwhile to go over.

1) Don’t assume that it won’t happen.
This should be obvious, but it often isn’t. Long Beach doesn’t get storms like this, apparently, and they were caught unprepared. Here’s a little anecdote from the news: the city put grates over most of the storm drains to lower the debris being washed into the bay during peak-flow storms. This is a great idea, except that the debris has to go somewhere, and it caused massive road flooding. Thankfully, there were no fatalities. How would they have done it better? Something like a grate overflow, sieve, or at least a staggered array of progressively smaller screens for debris. Yes, the last one would require infrastructure investment, but it would also clean out the water before it hits the spillway, and generate jobs for locals (this could work like the Montreal collector system).

2) You can be certain that if something does happen, people will NOT know the plan.

This one doesn’t apply to the last 48 hours here, but it applies generally. Tourists in tsunami areas didn’t (and still don’t) know about some of the survival and escape rules for this type of event. They don’t know, because it doesn’t usually affect them, and it may be counterintuitive. This is why we have fire marshals, emergency response personnel, wardens, etc. In a corporate setting this also applies. Don’t expect your staff to be briefed on the latest in DRP or BCP policies. In the bad old days, every town had an air-raid/hurricane siren. Now we have mobile phones and Twitter, and those sirens are old and unused. However, we still have the same people who operate them. Here’s an idea: most telcos can carry sidechannel info on mobile phones, i.e. they can broadcast messages to phone users via special text channels. Why not use that to warn of hurricanes, disasters, or even missing person events? There would have to be a policy about when and how, but it’s usable, since it doesn’t require access to the actual phone system; it just requires a few bits of text.

3) When something serious happens, some people won’t have heard the alarm. Or they’ll ignore it.

This ties in with 2. I was driving when the hurricane warning was put into effect. By that point, I was driving down PCH in 6-8 inches of water (they don’t speak metric here!). I had no idea. This just looked like a typical Montreal spring storm, or the sort of thing that happens in Ireland in February. The text messaging system mentioned in 2 also applies here: it can’t be relied upon as a primary system; that’s what air-raid sirens, TV, radio and the internet are for. Hell, you could even use pre-arranged calls if it was feasible (it is for corporate environments, but not so much for cities).

4) You can build in physical resilience, but the best mitigation and resilience comes from the local environment and society. The locals are ALWAYS the best hope.

This one is about Haiti, Sri Lanka, and any other developing country that has been hit by a disaster. This is also my little soapbox for the moment. The disaster is ALWAYS worse when there are already civil issues. It is also compounded exponentially by the level of poverty experienced by the average person in the area. Poor areas get hit hard. Poor areas with bad government get hit harder, and poor, lawless areas are usually the worst. This much is pretty evident, but it’s also the first thing that is overlooked in relief work. The methods that we use to assist people in need in the western world need to be revisited for this reason alone. It’s good to help. It’s better to help before something serious happens, and that means fixing things before the disaster: infrastructure, government, security, food and water are all missing in the areas that are most often hit by quakes, storms, floods and worse. Instead of fixing that we do the dramatic thing, and send in Marines, DART teams, and all manner of people who can only help for a few weeks. The United States experienced this with New Orleans, and (unsurprisingly), the unmitigated disaster that occurred there is still being cleaned up 4 years after the fact. The reason wasn’t FEMA, or Blackwater, or any specific group; it was that New Orleans was already one of the poorest places in the US, and didn’t have the social system to support an emergency like this. When your food is imported, the water is only drinkable because it’s filtered, and your laws and enforcers are underpaid, poorly written, and “flexible”, don’t expect a fast recovery. We’re seeing the same thing in Haiti, only 1000 times worse. The reasons are the same, though.

5) You can plan and prepare for the 80% of things that will go wrong, so why don’t you?

This is the 80/20 rule. Randy Marchany put this very succinctly during one of those SANS classes that I was sitting through last year: the 20% is the sort of stuff that anyone can come up with; armed psychos, severe earthquakes, and the sorts of things that are just unexpected and, frankly, unlikely. The other 80 is stuff we know is there. Some of it we choose to ignore, some of it we’re unaware of. As far as I know, the city of Vancouver doesn’t have a plan for the time when the shelf that they are sitting on in the Pacific sinks into the ocean. They do, however, have a strict policy about explosions, digging and offshore geological work that should keep the area that could be affected stable. That’s good. That covers the 80%, basically. The 80% is why fire departments in Montreal have trained ambulance techs: they’re just as likely to arrive on scene first as the ambulance or police, so they can administer all of the first aid and basic paramedicine. This has saved lives in the past, and will keep saving lives until the policy changes. The 20% (in this case) is that the trucks all get stuck in traffic (very low likelihood when more than one truck has rolled out) and nobody arrives in the first 5 minutes. Another way of looking at this was espoused by the as yet unknown (but really good) writer, Robert Eringer: “If you are concerned about taking risks, consult an actuary: Odds are, you’ll survive. Not forever, but for now you’re good. So be bold (assuming gain outweighs risk).”

Posted by Caspian
Dec 20, 2009

It’s the shortest day of the year. For those of you reading this in Europe or Japan, the year is likely already over. Since I don’t think I have any readers in Japan or Europe, it doesn’t matter. Happy Yule, Solstice, Chanukah, Christmas and New Year.

Bring on the night. I couldn’t stand another hour of daylight.

Posted by Caspian
Dec 06, 2009

If you weren’t born yet, or you were asleep: before all of the Columbines, Dawson Colleges and other gun violence episodes that have caused shock, horror and the overselling of ineffective solutions to human problems, there was a massacre in Montreal. A number of women were singled out of a classroom of men and women. The men were told to leave. The following women were shot:

Geneviève Bergeron (born 1968), civil engineering student
Hélène Colgan (born 1966), mechanical engineering student
Nathalie Croteau (born 1966), mechanical engineering student
Barbara Daigneault (born 1967), mechanical engineering student
Anne-Marie Edward (born 1968), chemical engineering student
Maud Haviernick (born 1960), materials engineering student
Maryse Laganière (born 1964), École Polytechnique budget clerk
Maryse Leclair (born 1966), materials engineering student
Anne-Marie Lemay (born 1967), mechanical engineering student
Sonia Pelletier (born 1961), mechanical engineering student
Michèle Richard (born 1968), materials engineering student
Annie St-Arneault (born 1966), mechanical engineering student
Annie Turcotte (born 1969), materials engineering student
Barbara Klucznik-Widajewicz (born 1958), nursing student

The gunman then proceeded to shoot others while working his way through the school, and finally shot himself.

Why this happened is largely limited to two things: speculation, and the gunman’s own words. His letter, which, if you’re interested, can probably be found using Google, stated that he was “trying to fight feminism” (not a direct quote).

The backlash and ensuing political jockeying, PR and Marketing, and tubthumping was heard throughout the country, and to a lesser extent, the world (remember, CNN hadn’t started going beyond standard navel-gazing, and the internet didn’t exist as we know it yet). While the gunman’s name became well known, the victims never got the same amount of press.

The other thing that didn’t happen that time around was a sudden, intense increase in the amount of “security theatre” that has been seen in the aftermath of other massacres and violent acts; however, quite a bit of decent policy, procedure and operational change did happen at a less than obvious level. Nobody has put metal detectors in the university entrance (or any of the other universities in the city, AFAIK), and there aren’t armed guards patrolling the UdeM campus, nor will there be any time soon, but there are now plans, rules and responses for this type of crisis, and regardless of what anyone can say about the police and security agencies who carry these out, they’re still better prepared than they were 20 years ago.

This was, basically, a motivated, random attack. We can stop the obvious ones, and I’d like to think that we’re at a point now that we can weed those out pretty well, but there will always be exceptions. The gunman was deranged. This much is certain, and this much is enough for anyone in the security field to say that you can’t really be fully prepared for this sort of thing.

On the other hand, he wasn’t in a vacuum. Derangement of this sort is produced by society, and just like the other gunmen who came after him, he highlighted an aspect of our social fabric that some of us would rather ignore, or at least creatively rationalize in some way or other. Saying he was half Islamic, or was raised by wingnuts, while potentially true, only serves to write the whole issue off: we created the gunman, the same way we created all the other ones. This is why this massacre is still talked about. If he were clearly insane, it would have been different, but he wasn’t. Not in an obvious, detectable way. The same was said recently of the last gunman who attacked a school. His motives were even less well documented, but we speculated nonetheless.

We will always speculate, because we want a simple answer, and there isn’t one. The gunman was deranged. The gunman was a misogynist. The gunman was still human, just like his victims, and humans are complex as hell. What we do know is that he was “fighting feminism”. We have a pretty good idea that he didn’t like the way his world was, and figured that shooting people would change it.

I can happily say that the gunman failed. Feminism never went away. You can’t fight justice.

Posted by Caspian
Nov 20, 2009

The SI system is largely dependent upon the stability of a 130-year-old, golf-ball-sized cylinder of metal stored in a vault in France. This particular golf ball sets the standards we use for weights and measures. At the right scale, everything is an estimate. There’s nothing particularly wrong with the SI, by the way. However, it bears mentioning that the entirety of measurement somehow ties back to this piece of metal, and as a result, we have a theoretical SPOF (single point of failure). Of course, it’s not critical, since you can still generalize from the existing measurements taken from the hunk, but the question that comes up, then, is this: how far out can you generalize before it becomes inaccurate?

This question is actually something that is often repeated when discussing scientific methods in general, since the very foundation of the system we use for deducing and reducing is (usually) a set of assumptions. It’s possible to lose sight of the original assumption, and challenging it can get very difficult when it’s the foundation of an entire system. In the case of Le Grand K (the prototype 1 kg metal hunk mentioned above), the significance of the assumption isn’t too major, but in other cases it can be pretty paradigm-shifting.

A quick survey of most popular science news reveals that we generally don’t understand the concepts of hypothesis and induction, which leads us to conclusions that are sometimes not only wrong, but dangerous. One of my favourites revolves around magnetic pole shifting and the end of the world- but I’ll let you figure that one out.

One of the assumptions that I routinely have to fight with in science is that of time. We’ve based logs, maintenance, traffic and money on time systems, and these are, to the end user at least, considered unified. The dangerous assumption, though, is that they are unified to the same time. They often aren’t. Although GMT or UTC is an expected standard, there are no rules specifying it as a baseline for time measurement. What this means is that if I (as an investigator) look at a log from somewhere in Gander, NFLD (look it up if you’re not sure where it is), while I’m in Torrance, California, I have to verify what time zone the timestamp is in. If there isn’t one recorded, all I can do is make some assumptions. I can assume that the time is either set to UTC or the local time zone. I can also assume that the admin who set the machine up, or the user who is running it, is tied in to some sort of BIOS-based clock that takes over when an NTP signal isn’t present. Of course, the old Reagan-era adage applies here: “trust but verify”. If I’m offsite, I’m going to try and check the config, and at least relate the logs to events outside the machine. If I can’t do that, there’s no point in even reviewing the logs, since they can’t establish a valid timeline.

For an analyst who is looking at a causal chain of events that happen over seconds, time errors are generally a non-issue, since it’s within that hour-frame that the event happened. Those types of incidents, however, aren’t very routine. More often, analysis is based on much longer time periods. Investigations concerning fraud or machine error can require months of logs (which necessitates a search tool, usually) and can lead to error if the machines are across multiple time zones. Investigations into QA-related issues also require a certain amount of precision: you need to know why that firewall is failing under load, or why the application you are working on is crashing only when it rains.

There are simple ways to overcome this issue (*ahem* UTC), and more complex implementations (NTP servers synced to atomic clocks), but it’s always worth bearing in mind that the assumption regarding timing is just that: an assumption. If you’re basing the rest of your analysis on it, you may find that it’s an ineffective foundation. It’s also worthwhile to remember that while some logs get stamped, others don’t, or they’ve got a differing format. That said, timestamping at least allows some kind of synchronisation, if you can establish a few other underlying assumptions first.
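An added example (not from the original post) of the verify-or-assume step described above: it normalises log lines from a Gander host and a Torrance host to UTC, flags any line whose zone was neither recorded in the line nor verified in the host config, and shows how sorting on wall-clock time alone misorders the events. The host names, the host-to-zone table and the log lines are constructed for the example.

```python
# Added example (not from the original post): normalise log lines from hosts in
# different time zones to UTC, flag lines whose zone had to be assumed, and show
# how sorting on wall-clock time alone misorders the events. Host names, log lines
# and the host-to-zone table below are constructed for the example.
import re
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional

# Constructed table of zones we have actually verified in each host's config.
# Fixed offsets (standard time, November) keep the example free of a tz database;
# for DST-observing hosts use zoneinfo.ZoneInfo("America/St_Johns") and the like.
VERIFIED_HOST_ZONES = {
    "fw-gander": timezone(timedelta(hours=-3, minutes=-30), "NST"),  # Gander, NL
    "web-torrance": timezone(timedelta(hours=-8), "PST"),            # Torrance, CA
}

# Constructed log lines. The first two carry an explicit offset; the rest are
# "naive" (no zone at all), which is the common case the post complains about.
SAMPLE_LOG = """\
2009-11-20T10:05:00-03:30 fw-gander sshd: Accepted password for alice from 10.0.0.5
2009-11-20T05:36:00-08:00 web-torrance app: login alice session=7f3a
2009-11-20 10:07:00 fw-gander sshd: session opened for alice
2009-11-20 05:40:00 web-torrance app: file export by alice
2009-11-20 13:38:00 db-unknown mysqld: bulk read of customers by alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2})(?P<off>Z|[+-]\d{2}:\d{2})?\s+"
    r"(?P<host>\S+)\s+(?P<msg>.*)$"
)


class Event(NamedTuple):
    utc: datetime      # normalised instant
    host: str
    msg: str
    assumed: bool      # True when the zone was neither recorded nor verified


def _offset_to_tz(off: str) -> timezone:
    """Turn '-03:30' / 'Z' into a fixed-offset tzinfo."""
    if off == "Z":
        return timezone.utc
    sign = -1 if off[0] == "-" else 1
    hours, minutes = (int(x) for x in off[1:].split(":"))
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def parse_line(line: str, fallback: timezone = timezone.utc) -> Optional[Event]:
    """Parse one line; the zone comes from the line, else from the verified host
    table, else from `fallback` (and the event is marked as assumed)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    naive = datetime.strptime(m["ts"].replace("T", " "), "%Y-%m-%d %H:%M:%S")
    if m["off"]:
        tz, assumed = _offset_to_tz(m["off"]), False
    elif m["host"] in VERIFIED_HOST_ZONES:
        tz, assumed = VERIFIED_HOST_ZONES[m["host"]], False
    else:
        tz, assumed = fallback, True
    return Event(naive.replace(tzinfo=tz).astimezone(timezone.utc),
                 m["host"], m["msg"], assumed)


def build_timeline(text: str) -> List[Event]:
    """All parseable lines, ordered by the UTC instant they describe."""
    events = [e for e in map(parse_line, text.splitlines()) if e is not None]
    return sorted(events, key=lambda e: e.utc)


def wall_clock_order(text: str) -> List[str]:
    """Hosts in the order a plain sort on the timestamp text would give:
    the mistake of treating every clock as the same clock."""
    rows = [m for m in map(LINE_RE.match, text.splitlines()) if m]
    return [m["host"] for m in sorted(rows, key=lambda m: m["ts"].replace("T", " "))]


def unverified_hosts(events: List[Event]) -> List[str]:
    """Hosts whose events rest on an assumed zone; verify before relying on them."""
    return sorted({e.host for e in events if e.assumed})


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_LOG):
        flag = " (zone assumed)" if e.assumed else ""
        print(f"{e.utc:%H:%M:%S}Z {e.host:13} {e.msg}{flag}")
    print("wall-clock order:", wall_clock_order(SAMPLE_LOG))
```

Sorted on wall-clock text the Torrance export appears before the Gander login that preceded it; normalised to UTC the events fall into their real order, and the db-unknown line is the one still resting on an assumption.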

Posted by Caspian
Nov 09, 2009

On and off for the past few years (like 20) I’ve been hired in to places as a technician or sysadmin for computer networks. I enjoy the work, generally speaking, because it’s a lot like lighting or mechanics or any other technical discipline. There are a dozen creative ways to do a specific thing, and some of them are quite showy.

One of the things that I’ve forgotten to do, however, during all of this, is keep notes in an accessible place. This really hit home recently, when I realized that I had completely forgotten the syntax for a common command that I hadn’t used in a year (rsync, for those of you who care). It smacked me again when I forgot how to operate DOS FTP for a few seconds. Obviously, the quick answer is to run the command into Google, and see what comes out (oftentimes, you’ll get stock quotes as well for those two- or three-letter Linux commands that also map to the symbol for a company). This generally works, but with some issues.

While Google is your friend, I’ve never fully trusted any of the “handy” command references that I have seen for complex commands. This probably stems from the fact that I see the entire internet as a Google-amplified threat vector. I love cheat sheets, though. I have a small collection of them from various places (Addedbytes gets regular play here). I’ve found them to generally be pretty useful if you already know the basics of the system you’re using, but stupidly dangerous if you give them to someone who is just starting out on something. I’ve broken networks using Nmap commands that I thought were safe because they were on a cheat sheet (thankfully, that was MY network. There’s another story in there about a corporate net that I accidentally flooded, but we’ll leave that for a less busy day).

Anyway, basic cheat sheets are fun, but what do you do when you don’t have network access and ifconfig isn’t being helpful, or if you’ve decided that you don’t want to waste 15 minutes finding the syntax for this specific command, because it’s not there when you try man, or you’re using DOS, or an Atari, or something?

This is where any Java-capable phone becomes your best friend. If you can download a PDF or txt onto your phone, you can have a pocket guide to whatever you need, right?

Basically, yes, but it’s hard to read. However, if you’ve got a smartphone, or something that runs Java, it’s as simple as dropping a MIDlet in there that can read a PDF, and then you’ve got all those cheat sheets at hand (assuming you have space).

Better yet, build your own grimoire! This should be obvious, really, but if you can put a text file on a phone, you can put a set of CLI examples, recipes, instructions and system notes on it as well. Save them as an unformatted text file with the appropriate carriage returns, and if your phone has a removable memory option, you’ve got an instant transportable copy-and-paste command set. You could even go so far as to put the scripts you need on the phone.

Aside from the reasoning outlined above, smartphone memory sticks double as decent crash kits because they’re always in your pocket or on your hip. Unlike your average USB stick, they’re less likely to break, have better security, and you’re not going to lose them in someone’s desk drawer.

Posted by Caspian
Nov 05, 2009

It’s interesting to see the spread of Alternate Reality Gaming. I’m looking into it as an offshoot of some other research work I’m doing on OSI and internet sidechannels, and (naturally) ARGs pop up the moment you hit any of the lesser-known secret spaces in the world (largely Russian ones, but others as well). I’ve never actually played an ARG, but they seem like quite a bit of fun, assuming you’re sure it’s all above board. Of course, I’m a suspicious bastard who likes to think up ways of making things evil, so I immediately tried to figure out clever ways to twist ARG gaming around to do the unintended.

My first thought was pretty simple: mules. Run an ARG, and you’ve got an instant source of couriers, informants and unwitting field agents for whatever you want. They think they’re playing a game, and it looks like a game, assuming that the players aren’t asked to do anything illegal, or really covert (and even if they are, there are probably still some who will go along with it). You don’t need them to know who or what they are really supporting as long as all the “real” agents of your organization are aware of this resource. As long as that fourth wall isn’t broken, all of the ARG’s player community can be an OSI/support resource. It also (conveniently) places paper trails in plain view for everyone to see, which is the best way to conceal something.

Of course, the more I thought about this, the more possibilities sprang to mind; I’m not going to go into all of them, because it’s more fun to be creative, isn’t it? Anyway, the idea of an ARG is kind of neat as a plot element in a spy novel or something. I’m doubtful that it would ever work in the real world, because the control channel for the game has to be at least public enough that it can be scrutinized by people who can get around web password systems (i.e. anyone, really). Additionally, the moment you ask a player to do something that the player doesn’t agree with (law breaking, dangerous activities, or things that they have a moral objection to), you’ve lost the player, and potentially blown your cover (or at least created a PR nightmare). The other reason, of course, is that you can’t really control who joins in, unless it’s turned into a “by invite only” system.

Still, it keeps the conspiracy gears turning, doesn’t it?

Posted by Caspian
Nov 04, 2009

In lieu of a real update (I’m still trying to get the hang of this routine thing), here is a silly amusement. These should work with a standard barcode reader. Print them out, cut off the text and swap them for other barcodes at your local supermarket, prison, chain store, quartermaster’s depot, or IT shop. The fourth one will require at least a little work to decipher.
[Images: barcode haiku 1, barcode haiku 2, barcode haiku 3, and a fourth, unlabelled barcode]

Posted by Caspian