Archive for the “Commentary” Category

I don’t think this will stay on YouTube very long. I got an instant DMCA takedown notice as soon as it was uploaded. I filed a dispute, but we all know how those go, so watch it now while you can.


If publishing unsourced emails claiming to be from Iran is a newsworthy event then I guess we should all copy Mikko and do the same thing.

A few years ago I received a chain of emails from ‘Michael’ that started out as the normal ‘teach me to hack’ emails I receive on an almost daily basis but this email chain went on longer than usual and took several turns I don’t usually see in such emails. I thought they might be good for a laugh or a tear depending on your viewpoint.

TL;DR

The emails start in May of 2009 and go through to December. I have not included them all and have edited some for brevity.

Things start out simple enough saying how he is a 20yr old Iranian and is a fan of the L0pht. Pretty straightforward. I responded as I usually do to emails that are at least halfway intelligent. I admit I don’t always get emails from Iran with a verifiable Iranian IP address.

Then comes the first turn, ‘Michael’ asks me to teach him to ‘hack’ specifically so he can change his grades at University. For me that’s a big no-no right there. If you ask me to do, or teach you to do, anything even remotely illegal in email that’s where I stop. I will no longer respond. I don’t want to be considered an accessory or an accomplice or be put in an un-winnable Adrian Lamo type situation. Not to mention the whole assisting a foreign power angle. So I just stopped responding.

But Michael wouldn’t give up, he sent me an email every day for weeks, then slowed down to a few times per week. Eventually he reached out to other old L0pht members, those whose email address he could find, asking them if I was OK, saying he feared for my safety since I was not responding to emails. I will admit I felt a little bad at this because who knows maybe people just disappearing like that in his country is a sign of something sinister happening. I don’t know. My remorsefulness did not last long however.

Next came the names and the threats. ‘Michael’ called me a racist and threatened to ‘destroy my life’ and that despite my lack of assistance he was going to become the world’s greatest hacker anyway and he was going to direct his efforts at me. Then he was going to hack his University, graduate and travel to America to prove to me in person that he was a great hacker and that he did it all without my help.

I had a good laugh and a tear at the time, 2009, but as I read over these emails again and place them into the context of the ongoing ‘cyber’ cold war they really take on a different meaning. How many other people in Iran have similar motivations? I wonder if Michael ever made it through University, or maybe he got caught and ‘disappeared’? I will probably never know.

Email exchange with Michael from Iran


So I recently decided to move to a new city, as a result I quit my job as an IT Manager. One of the last tasks I had was to place advertisements, read resumes, and interview prospective replacements. It had been a while since I had hired anyone and usually I had HR sifting through the first round of resumes. This time however, I was it, this company had no HR department. Considering that the position was not an entry level position I assumed that the people who would be applying for the job would know how to write a résumé, I was wrong, I was very very wrong. After tweeting out my frustrations many people asked what exactly I was seeing, so here it is.

First let me explain what the job was. The company in question was a small 30+ person creative company. They had a mix of mostly PCs with a smattering of Macs, all authenticating against an Active Directory domain. They had a file server, a firewall, a security and telephone system, and a few other unusual tech pieces which is pretty much the same in any company. They needed one person to handle it all. I had already done most of the hard work by upgrading and organizing the mess that was there when I arrived several years earlier. The job needed someone to handle everything from paper jams and software updates to managing the VPN and telling the CEO what new technologies he should be looking at. Not an entry level job but not a CIO either.

The job description was initially posted to Craig’s List and then to Linked-In. One thing about my experience hiring for this position that was different than hiring elsewhere was that all the résumés came directly to me. No one filtered them out beforehand. Résumés from Craig’s List came in one big bunch at first followed by a big surge from Linked-In. I would say I got 80% of all the resumes I received within a week of posting both ads. Linked-In seemed to have the longest tail with résumés arriving at a pretty steady rate for about two weeks although some people were still responding to the Craig’s List ad up to three weeks later. If you are looking for a job I would recommend looking for new listings daily. In this particular case we went from job posting to job offer in three weeks. People who applied during the third week did not get the same consideration as those that applied during the first week. The job was listed on a Tuesday and I was already interviewing people on that Friday. I suspect in some companies they may wait until they get all the submissions and then start going through them, however every position I have ever hired has been a ‘We need to fill this position now, get them in as soon as possible’. I’ve never had time to collect a bunch of résumés and then leisurely sort through them.

As for the résumés themselves… well, I was surprised. People seem to have forgotten what the résumé is for, it serves one purpose and one purpose only, to get the interview. That’s it. You will not get hired for any job based on how good your résumé is, what you might get is an interview. For the record I received over 80 résumés in three weeks. With that kind of competition you really need to make sure your résumé is going to get you that interview. Out of those 80 applicants I actually brought in and interviewed eight people. I don’t know if that can be extrapolated to the wider job market as a whole but 10% sounds about right to me.

Something else that people seem to forget is that a real person is actually going to read the résumé eventually. All those buzzwords you use to get caught in the HR search engine are going to read like crap when a real person tries to decipher the buzzword and jargon filled ten page diatribe you submitted as a résumé. Which brings me to my third surprise, length. Seriously I see no reason at all to go beyond three pages, ever. In my book two is acceptable but if you really want to impress me go with one page. I received exactly one résumé that was one page long. Guess what, he got an interview. On the other end of the spectrum the longest one I got was seventeen pages and the second longest was eleven pages. I think I glanced at the first two pages of both and threw them on the ‘no’ pile.

I don’t usually check to see if a résumé has education listed, formal education does not impress me, I wasn’t hiring for an entry level position so I was looking for experience, however most people did list some sort of secondary education. It has been my experience that most schools force students to take some sort of career development class where they teach you how to write a résumé. Either most people forgot what they learned or schools are teaching shite. If you have never taken a résumé writing class or slept through that class in school find a class at your local Adult ed center and take it, or ask someone who works in HR to critique your résumé or something. Also don’t forget the cover letter. It doesn’t have to be long but I personally consider not including some sort of letter other than the résumé to be rude and lazy.

So what do I want to see on a résumé? First follow directions. If the job listing says to submit to a specific address then do so, don’t just hit reply on the Craig’s List ad. This really upset me, if you can’t follow simple directions why should I hire you? Unfortunately it happened way too many times. At least half the résumés went to the wrong address.

The résumé should be easy to read. This should go without saying. This was for an IT Manager position not a graphic designer. Multiple colors and wacky fonts with strange layouts do not impress me. They go straight to the No pile.

If you are applying for an IT Manager position and your last job was a CTO then you are probably a bit overqualified and will end up in the No pile. If you are not really a CTO but just gave yourself the title because you are the only tech guy where you work, don’t. If you are applying for a lower position than you currently have then dumb down your résumé. If I think you are just going to jump ship as soon as you find something more on your level I’m not going to hire you. I probably got 20 or so résumés that list CTO or CIO as their last job, almost all of them went straight to the ‘No’ pile.

I received one résumé with no job history at all, just a list of certifications and schools. This guy had every cert I think I had ever heard of. There were more acronyms than words on the page. I got nothing against certs, and if you got ‘em put on there, they can’t hurt, unless they are the only thing you have. Personally I want to see experience. Even when I am hiring for an entry level position where applicants are likely to have no relevant experience I still want to see job history. Even if it is landscaper, Burger King and Best Buy, list it. I want to know that someone else thought you were worth hiring and that you could keep that job.

And speaking of experience the first thing I look for is job titles, make sure those stick out somehow on the résumé. I want to see job titles and I want to see dates of employment. If you only list the year like say 2005-2006 and those years aren’t very far apart I’m going to get suspicious. I mean I’m a tech guy I understand people jump around a lot but if I see four jobs in three years there better be a logical progression of positions or you will end up in the ‘No’ pile.

Oh, and a biggie, fix ALL typos and grammar errors. The résumé should reflect your absolute best work, a typo, spelling error or simple grammar mistake probably won’t kill your chance at an interview but it won’t help and there is no reason for it. Get someone else to proofread it for you. Personally I suck at spelling and grammar, so much so that the way I write got its own name, ‘Spaceronics’, but there is no excuse for such mistakes on a résumé.

So if you want to get called in for an interview for a position I am hiring for keep the résumé short, three pages max, easy to read, highlight job titles and dates of employment and try to make your work history as relevant as possible. Dumb it down or smarten it up as necessary (Do NOT lie on the résumé, ever!) For a bonus make sure it prints out well. I think anyone who follows those steps and applies for a position they are somewhat qualified for should at least get a phone call. Good Luck.


Allied Security Jacket

So I happened to be walking by the thrift store today and they had a rack of winter jackets on hangers outside on the sidewalk with a sign on them that said “Jackets $5.00”. The really interesting thing was that one of the jackets happened to be from the local security company Allied Security with the logos still prominently displayed. It would make a great costume for a Security Red Team. Something to think about next time you see a Security Guard wandering around somewhere maybe he shouldn’t be or who seems to be asking you a lot of unusual questions.


carlock

So you’re secure today? How about after it has been exposed to the elements for a little while? Saw this in the office parking lot today. This is what your system looks like from the outside when you haven’t applied current patches. Don’t delay, patch today!


There are few things in this world that really piss me off and blatant ignorance is one of them. On January 31st 2006 Microsoft did the right thing and removed Internet Explorer for Mac from their available IT downloads. Considering that IE5 for Mac had ceased further development in 2003 it had become riddled with unpatched security holes by the time MS removed it from its website. Despite Microsoft’s positive action people are still recommending the software three and a half years later, and not just regular Joe Schmoe idiots but major financial corporations.

Such recommendations place these corporations, not to mention their customers, at major risk for online fraud, phishing attacks, identity theft, etc… If a company does not wish to support a specific platform that is their prerogative but if they go out of their way to recommend not only an unsupported solution but also an extremely dangerous one shouldn’t they be held liable for their negligence?

I am pasting below a recent email exchange between a local IT Manager and the technical support for paychex.com. (If anyone knows anyone in security at Paychex you might want to point this out to them.) I sincerely hope that the flunky in IT who wrote this has just been misinformed and that this is not Paychex official policy, but hey, there are a lot of stupid idiots out there.

—–Original Message—–
From: Joe Smith (j_smith@smallco.com)
Date: Monday, May 11, 2009 05:19 PM
To: section125@paychex.com (section125@paychex.com)
Subject: Online FSA – Contact Us

What are the minimum requirements to use your website?

Several of our employees are having problems accessing their accounts. Do you support Firefox? Safari? Chrome? Do users need Java or Flash installed? Which versions? Thank you.

Kind Regards,

- J. Smith
IT Manager

————————————-
From: Paychex Section 125 [mailto:section125@paychex.com]
Sent: Tuesday, May 12, 2009 4:22 PM
To: Joe Smith
Subject: RE:’Paychex=007-082-074′Online FSA – Contact Us

Hello and thank you for your email,

There are certain access issues that may occur with firefox and safari and it is not recommended to use these for this website. Internet Explorer should have no issues with access or transmitting information. No additional programs are required for access how ever to request certain documents and view them adobe acrobat reader is required.

Thank you,

Paychex Section 125
————————————-

From: Joe Smith (j_smith@smallco.com)
Date: Tuesday, May 12, 2009 04:48 PM
To: ‘Paychex Section 125′ (section125@paychex.com)
Subject: RE: RE:Online FSA – Contact Us

Internet Explorer is not available for Macintosh users. How do you recommend that those users with Macintosh computers access your website?

Kind Regards,

- J. Smith
IT Manager

—————————————
From: Paychex Section 125 [mailto:section125@paychex.com]
Sent: Tuesday, May 12, 2009 4:22 PM
To: Joe Smith
Subject: RE:’Paychex=007-082-074′Online FSA – Contact Us

Hello and thank you for your email,

There are mac versions of internet explorer available online free of charge.

Thank you,

Paychex Section 125

———————————————-

Oh, and they had this stupid disclaimer on the bottom of their emails

The information contained in this message may be privileged, confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or any employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Paychex, Inc.

All I can say is that idiocy must be brought out into the light so that it can wither and die. Become enlightened. Oh, and don’t use IE for Mac.


About eight years ago a media story broke about how some “hackers” took over a British Ministry of Defense Satellite and were holding it for ransom. Anyone who knew anything about Command and Control systems for satellites knew this would be almost impossible especially for a military satellite. That didn’t stop Newsbytes, Yahoo News, ZDNet, even Reuters from running the story and sensationalizing the crap out of it. None of the ‘legitimate’ media questioned the story at all. They just reran the original Sunday Business story. The only website that I know of that questioned the story at the time was The Hacker News Network. It was the questioning of that story that prompted Brock Meeks of MSNBC to label HNN as “the voice of reason”. As it turned out no confirmation of the original story was ever obtained, the Ministry of Defense flat out denied the event ever took place and the Sunday Business never revealed where the story came from.

So? Big deal? What’s the point of this walk down memory lane? Well, here it is eight years later and the same crappy media is republishing the same bullshit story as truth and fact. Evidently neither Corinne Iozzio over at PC Magazine nor her (his?) editors can be bothered to do basic journalism, simple research or check facts. No, can’t let facts get in the way of a good headline and increased page views and ad impressions. So now this supposed ‘hack’ that as far as I can tell never actually happened, is the second most mysterious unsolved cyber crime. I suppose, on the Internet, if you repeat something enough times it magically turns into fact?

For reference here are the old HNN pages from March 1, 1999 and March 2, 1999. Unfortunately the chrome is gone and none of the links work anymore but the content is unchanged.

UPDATE: Thanks to Google’s 10th Anniversary Archive from 2001 and the Internet Archive a few quick searches help to confirm that the original story was fake. (Hey, Corinne, this took me all of about ten minutes.)

ZDNet – via Internet Archive “Our Satellites are Hack Proof”
Geek.com – via Internet Archive “Satellite hack is impossible, says UK”
Reuters Retraction – via Shmoo.com “British Defense Ministry Dismisses Hacker Report”


I have never really understood Microsoft’s Patch Tuesday from a security perspective. Sure from an IT management perspective it makes a lot of sense. The ability to actually plan for events and effectively allocate resources in IT is a rare commodity. So much of IT management is reacting instead of planning that Patch Tuesday almost becomes a calming ritual performed once a month that can be rather comforting. Download, Test, Apply, eat your donut, repeat next month. From a security perspective though it makes absolutely no freaking sense.

So what happens when a hole is discovered on the Wednesday after Patch Tuesday? That’s right, nothing happens until the next patch Tuesday. Well, at least you hope nothing happens. You hope the bad guys haven’t already found and are actively exploiting the hole.

Some companies like Apple, Sun, HP, OpenBSD, etc., do not patch on a schedule, instead they patch when needed. From a security point of view this is preferred as it greatly minimizes the time you are at risk. Unfortunately this can also lead to the situation where you are rolling out patches for five of the last ten days, like Apple did earlier this month. Patching every other day from an IT perspective is bad, it means you’re fighting fires, it means you can’t plan, or allocate resources. It means you actually have to do your job and manage your IT! It means no honey dipped for you! Oh no, the horrors!

The reporters over at ComputerWorld evidently felt like it was a good time to bring up this ancient argument again and found a couple of clueless Windows Admins who claim to be “Security Researchers” who wanted to bitch about how they actually have to do work and manage Apple’s patches. Waaaaah. It must be Apple who is not ready for the Enterprise. Since Apple is the one making them do work and apply patches on a Thursday it must be Apple who is wrong. Sun, and HP and OpenBSD, and everyone who patches when needed, according to these “security researchers”, must be wrong.

Most people in the security industry understand the double-edged sword of patching on a schedule and making the enterprise IT drones happy versus patching when needed and making the (real) security guys happy. There really is no right or wrong answer, it depends on which side of the fence you stand and what is more important, being secure or having time on Wednesday to eat your honey dipped donut.


As a low-level, gravel crunching, grunt there are a few things that get drilled into your head through constant repetition, things like the only defense in an ambush is offense. If you’re caught in the middle of a well planned and executed ambush you’re pretty much dead so you might as well turn and run towards the hail of bullets coming at you and hopefully either run through them or scream loud enough to scare the guys shooting at you to stop shooting. Yeah, like I said, in an ambush you’re pretty much dead.

One of the other things that get drilled into your head is that obstacles must be kept under observation or they will be circumvented. You cannot spend all day in the hot sun setting up triple strand concertina wire and then walk away, the enemy will just cut through it. Sure it might slow them down for a while but it won’t stop them. However, if you’re standing there on the other side of the wire and the tanks come rolling along you will have more than enough time to call in the Warthogs before they can cut through the wire.

It is sometimes amazing to me how this simple principle of observation of obstacles is lost out here in the real world. Things like people installing a firewall and then never checking the logs. An attacker will bang on that firewall all day long until he finds a hole if he knows no one is watching. If you don’t observe your obstacles they will be compromised.

The folks over at Countrywide Home Loans evidently did not know of or understand this simple fundamental (to me anyway. Thanks Drill Sergeant!) security protocol. As a method to prevent data loss by physical means they glued closed all the USB ports on their computers. Except evidently they forgot one machine. Of course the bad guy found this one machine and managed to siphon off personal information for 20,000 customers every week for two years!

So an obstacle was put in place, the gluing closed of the USB ports, but there was no observation. No one checked the machines on a routine basis to see if rogue USB cards had been added to the system, no auditing of data transfer logs (assuming there were logs) for suspicious activity. No, just blind faith in super glue and the $14.00 an hour employee tasked with using the glue to get every single machine and not slack off early on a Friday afternoon.

Remember most security measures are just obstacles, all obstacles can be overcome given enough time and resources. Obstacles are nothing more than a deterrence, some obstacles are a bigger deterrence than others. So you can either run like a madman into the hail of bullets or keep your obstacles under observation.


The registration info for hackernews.com says the domain was first registered on July 29, 1998. Ten years ago, today. Wow. You know, long strange trip and all that. News wasn’t actually posted to the site until a month or so later but July 29th is as good a day as any to celebrate. (or should that be commiserate?) HNN was only around for a little under two years but I like to think the site had a pretty big impact, not just on the hacker underground it reported on, but the security industry as a whole. Hell, at one point MSNBC claimed that HNN was “the voice of reason” amongst all the hype. When HNN started search engines were just starting to aggregate news, hell even Slashdot was new, by the end the ‘security portal’ was all the rage. The site existed during that formative stage of the security industry before which security was something seldom thought of and after which Venture Capitalists were throwing money at it.

For a walk down memory lane take a look at the first news day September 10, 1998 (Spelling mistakes and all, ahhh Spaceronics!) and the last day I posted the news June 16, 2000 (What is really amazing is that the links to CNN on the 1998 page STILL WORK! ten years later. Kudos to whoever built that site.)
