Fitness and Discipline for Cyber Warriors

“More PT Drill Sergeant, more PT! We like it, We love it, We want more of it!”

There is a basic tenet in most of the world’s military forces that regardless of what your actual job or rank is, whether you are a private or a General, whether you are a cook, clerk, or mechanic, below everything, at the very core of your existence you are nothing but a gravel crunching, ground pounding infantry soldier (11B). Or as an old Colonel once told me, the poor slob in the kill zone. (Thank you, Sir!)

As part of the basic core existence in your nation’s military, all soldiers, airmen, and sailors are required to be able to perform a basic set of tasks. Things like knowledge of how to wear your country’s uniform, the ability to maintain and operate a firearm, how to use protective equipment such as a gas mask, and above all the ability to give and follow orders. But these items are more than just basic knowledge and rote tasks; it comes down to discipline, self-discipline mostly, that quality of doing what needs to be done without needing to be told or even wanting to do it.

This is what basic training is for, an intense six- or maybe ten-week training regimen that not only teaches all soldiers basic tasks like how to operate their firearm or shine their boots but also self-discipline, the ability to continue doing your job under stressful and adverse conditions. This being the military, lives literally depend on that basic skill. Discipline alone is more important than any other trait or skill taught during that introductory basic training course of the world’s militaries.

The only way to teach discipline is to place an individual under stress and at the same time ensure that they can complete required tasks. The easiest way to place an individual under stress without placing them in a potentially hazardous situation is through physical activity. This is one of the reasons why most of the world’s militaries have minimum requirements for physical fitness: things like a set time and distance for running, or a minimum number of push-ups or sit-ups. This ensures a minimum level of fitness for all soldiers and helps to ensure basic levels of self-discipline. These basic requirements apply to all soldiers, private or General, cook or mechanic.

There are a few military job specialties that are harder to recruit for than others. Explosive Ordnance Disposal (89D) comes to mind, and there are often incentives offered for new recruits to choose one job over another; often these incentives are monetary, in the form of signing bonuses or hazardous duty pay. By and large, however, serving in the military is its own reward for most people, for whatever personal reason they have, whether it is monetary compensation, future educational opportunities, patriotism, or in some cases they just like guns.

Recently a new military occupation has evidently become exceedingly difficult to recruit for, that of the mythical ‘cyber warrior’ (25B, 35N, 35Q). Militaries around the world are complaining that they just can’t get enough people to fill the jobs they have available for any ‘cyber’ type position. As a way to incentivize new recruits there has been consistent talk, recurring every few months, of dropping the physical fitness requirements for soldiers, airmen and sailors involved in ‘cyber’ activities. This is a colossally bad idea. Such an action would greatly impact the morale of the entire military, would do nothing to increase recruitment numbers for these specialties, and draws on an unfounded stereotype of those people who have traditionally been called ‘hackers’.

Creating a special class of soldiers that are exempt from minimum fitness requirements will create resentment among other, non-exempt units. It will also cause those who are exempt to suffer from issues of elitism, and they will feel that they are no longer part of the basic military or required to abide by its rules. With the lack of discipline that will come with the removal of a physical fitness requirement, this increase in elitism and individuality in a military setting could prove deadly.

The physical requirements and training aspects of military service are seldom the reason why someone who is interested in joining the military finally decides not to join. On the contrary, there are many examples of people who join the military specifically for the physical aspect that service requires. In fact, in my own experience there were two people in my basic training unit who said the primary reason they joined the service was to lose weight; they said that nothing else had worked for them and that they hoped the discipline they would learn and the physical exercise would finally accomplish what they could not do on their own.

Claiming that the only people who are qualified for or want to do ‘cyber’ jobs in the military are people who are not interested in physical activity plays on the age-old stereotype of ‘hackers’ who live in their parents’ basement eating nothing but pizza. Obviously the politicians and Generals who are advocating this no-physical-fitness requirement for ‘cyber’ operatives have no idea who it is they are trying to recruit anyway. Take a look around at any security industry or hacker conference; sure, there are some obviously overweight and out of shape people in attendance, but I would be willing to wager that the percentage of people who are somewhat physically fit is far greater than in the general population.

If the militaries of the world are having problems recruiting for ‘cyber’ specialties, finding the proper incentives to increase recruitment in those areas is critical. As the world ramps up its electronic warfare capabilities, being short-handed at a precarious time would obviously be ill advised. However, dropping the physical fitness requirement for these soldiers, airmen and sailors is not going to increase their recruitment and retention levels, and could potentially damage the effectiveness of the entire military through resentment and lowered morale. The politicians, military analysts and officers who advocate such a major change in military policies are obviously ignorant not only of who it is they are trying to recruit but of the basic core of how today’s modern military actually works.


Say Cyber Again.

I don’t think this will stay on YouTube very long; I got an instant DMCA takedown notice as soon as it was uploaded. I filed a dispute, but we all know how those go, so watch it now while you can.

Emails From Michael In Iran

If publishing unsourced emails claiming to be from Iran is a newsworthy event then I guess we should all copy Mikko and do the same thing.

A few years ago I received a chain of emails from ‘Michael’ that started out as the normal ‘teach me to hack’ emails I receive on an almost daily basis, but this email chain went on longer than usual and took several turns I don’t usually see in such emails. I thought they might be good for a laugh or a tear, depending on your viewpoint.

TL;DR

The emails start in May of 2009 and go through to December; I have not included them all and have edited some for brevity.

Things start out simply enough, saying how he is a 20-year-old Iranian and is a fan of the L0pht. Pretty straightforward. I responded as I usually do to emails that are at least halfway intelligent. I admit I don’t always get emails from Iran with a verifiable Iranian IP address.

Then comes the first turn: ‘Michael’ asks me to teach him to ‘hack’, specifically so he can change his grades at University. For me that’s a big no-no right there. If you ask me to do, or teach you to do, anything even remotely illegal in email, that’s where I stop. I will no longer respond. I don’t want to be considered an accessory or an accomplice, or be put in an un-winnable Adrian Lamo type situation. Not to mention the whole assisting-a-foreign-power angle. So I just stopped responding.

But Michael wouldn’t give up; he sent me an email every day for weeks, then slowed down to a few times per week. Eventually he reached out to other old L0pht members, those whose email addresses he could find, asking them if I was OK, saying he feared for my safety since I was not responding to emails. I will admit I felt a little bad at this, because who knows, maybe people just disappearing like that in his country is a sign of something sinister happening. I don’t know. My remorsefulness did not last long, however.

Next came the names and the threats. ‘Michael’ called me a racist and threatened to ‘destroy my life’, and said that despite my lack of assistance he was going to become the world’s greatest hacker anyway and was going to direct his efforts at me. Then he was going to hack his University, graduate, and travel to America to prove to me in person that he was a great hacker and that he did it all without my help.

I had a good laugh and a tear at the time, 2009, but as I read over these emails again and place them into the context of the ongoing ‘cyber’ cold war they really take on a different meaning. How many other people in Iran have similar motivations? I wonder if Michael ever made it through University, or maybe he got caught and ‘disappeared’? I will probably never know.

Email exchange with Michael from Iran

Résumé Wackiness

So I recently decided to move to a new city, and as a result I quit my job as an IT Manager. One of the last tasks I had was to place advertisements, read résumés, and interview prospective replacements. It had been a while since I had hired anyone, and usually I had HR sifting through the first round of résumés. This time, however, I was it; this company had no HR department. Considering that the position was not an entry level position, I assumed that the people who would be applying for the job would know how to write a résumé. I was wrong, I was very, very wrong. After tweeting out my frustrations many people asked what exactly I was seeing, so here it is.

First let me explain what the job was. The company in question was a small 30+ person creative company. They had a mix of mostly PCs with a smattering of Macs, all authenticating against an Active Directory domain. They had a file server, a firewall, a security and telephone system, and a few other unusual tech pieces, which is pretty much the same in any company. They needed one person to handle it all. I had already done most of the hard work by upgrading and organizing the mess that was there when I arrived several years earlier. The job needed someone to handle everything from paper jams and software updates to managing the VPN and telling the CEO what new technologies he should be looking at. Not an entry level job, but not a CIO either.

The job description was initially posted to Craigslist and then to LinkedIn. One thing about my experience hiring for this position that was different from hiring elsewhere was that all the résumés came directly to me. No one filtered them out beforehand. Résumés from Craigslist came in one big bunch at first, followed by a big surge from LinkedIn. I would say I got 80% of all the résumés I received within a week of posting both ads. LinkedIn seemed to have the longest tail, with résumés arriving at a pretty steady rate for about two weeks, although some people were still responding to the Craigslist ad up to three weeks later. If you are looking for a job I would recommend looking for new listings daily. In this particular case we went from job posting to job offer in three weeks. People who applied during the third week did not get the same consideration as those that applied during the first week. The job was listed on a Tuesday and I was already interviewing people on that Friday. I suspect in some companies they may wait until they get all the submissions and then start going through them; however, every position I have ever hired for has been a ‘We need to fill this position now, get them in as soon as possible’. I’ve never had time to collect a bunch of résumés and then leisurely sort through them.

As for the résumés themselves… well, I was surprised. People seem to have forgotten what the résumé is for; it serves one purpose and one purpose only, to get the interview. That’s it. You will not get hired for any job based on how good your résumé is; what you might get is an interview. For the record, I received over 80 résumés in three weeks. With that kind of competition you really need to make sure your résumé is going to get you that interview. Out of those 80 applicants I actually brought in and interviewed eight people. I don’t know if that can be extrapolated to the wider job market as a whole, but 10% sounds about right to me.

Something else that people seem to forget is that a real person is actually going to read the résumé eventually. All those buzzwords you use to get caught in the HR search engine are going to read like crap when a real person tries to decipher the buzzword- and jargon-filled ten-page diatribe you submitted as a résumé. Which brings me to my third surprise, length. Seriously, I see no reason at all to go beyond three pages, ever. In my book two is acceptable, but if you really want to impress me go with one page. I received exactly one résumé that was one page long. Guess what, he got an interview. On the other end of the spectrum the longest one I got was seventeen pages and the second longest was eleven pages. I think I glanced at the first two pages of both and threw them on the ‘No’ pile.

I don’t usually check to see if a résumé has education listed; formal education does not impress me. I wasn’t hiring for an entry level position, so I was looking for experience; however, most people did list some sort of secondary education. It has been my experience that most schools force students to take some sort of career development class where they teach you how to write a résumé. Either most people forgot what they learned or schools are teaching shite. If you have never taken a résumé writing class, or slept through that class in school, find a class at your local adult ed center and take it, or ask someone who works in HR to critique your résumé or something. Also don’t forget the cover letter. It doesn’t have to be long, but I personally consider not including some sort of letter other than the résumé to be rude and lazy.

So what do I want to see on a résumé? First, follow directions. If the job listing says to submit to a specific address then do so; don’t just hit reply on the Craigslist ad. This really upset me: if you can’t follow simple directions, why should I hire you? Unfortunately it happened way too many times. At least half the résumés went to the wrong address.

The résumé should be easy to read. This should go without saying. This was for an IT Manager position, not a graphic designer. Multiple colors and wacky fonts with strange layouts do not impress me. They go straight to the ‘No’ pile.

If you are applying for an IT Manager position and your last job was a CTO then you are probably a bit overqualified and will end up in the ‘No’ pile. If you are not really a CTO but just gave yourself the title because you are the only tech guy where you work, don’t. If you are applying for a lower position than you currently have then dumb down your résumé. If I think you are just going to jump ship as soon as you find something more on your level, I’m not going to hire you. I probably got 20 or so résumés that list CTO or CIO as their last job; almost all of them went straight to the ‘No’ pile.

I received one résumé with no job history at all, just a list of certifications and schools. This guy had every cert I think I had ever heard of. There were more acronyms than words on the page. I got nothing against certs, and if you got ‘em put them on there, they can’t hurt, unless they are the only thing you have. Personally I want to see experience. Even when I am hiring for an entry level position where applicants are likely to have no relevant experience, I still want to see job history. Even if it is landscaper, Burger King and Best Buy, list it. I want to know that someone else thought you were worth hiring and that you could keep that job.

And speaking of experience, the first thing I look for is job titles; make sure those stick out somehow on the résumé. I want to see job titles and I want to see dates of employment. If you only list the year, say 2005-2006, and those years aren’t very far apart, I’m going to get suspicious. I mean, I’m a tech guy, I understand people jump around a lot, but if I see four jobs in three years there had better be a logical progression of positions or you will end up in the ‘No’ pile.

Oh, and a biggie: fix ALL typos and grammar errors. The résumé should reflect your absolute best work. A typo, spelling error or simple grammar mistake probably won’t kill your chance at an interview, but it won’t help and there is no reason for it. Get someone else to proofread it for you. Personally I suck at spelling and grammar, so much so that the way I write got its own name, ‘Spaceronics’, but there is no excuse for such mistakes on a résumé.

So if you want to get called in for an interview for a position I am hiring for, keep the résumé short (three pages max) and easy to read, highlight job titles and dates of employment, and try to make your work history as relevant as possible. Dumb it down or smarten it up as necessary (Do NOT lie on the résumé, ever!). For a bonus make sure it prints out well. I think anyone who follows those steps and applies for a position they are somewhat qualified for should at least get a phone call. Good luck.

Red Team Uniform

Allied Security Jacket

So I happened to be walking by the thrift store today and they had a rack of winter jackets on hangers outside on the sidewalk with a sign on them that said “Jackets $5.00”. The really interesting thing was that one of the jackets happened to be from the local security company Allied Security, with the logos still prominently displayed. It would make a great costume for a Security Red Team. Something to think about next time you see a Security Guard wandering around somewhere maybe he shouldn’t be, or who seems to be asking you a lot of unusual questions.

Financial Company Still Recommending Insecure Software

There are few things in this world that really piss me off, and blatant ignorance is one of them. On January 31st 2006 Microsoft did the right thing and removed Internet Explorer for Mac from their available IT downloads. Considering that IE5 for Mac had ceased further development in 2003, it had become riddled with unpatched security holes by the time MS removed it from its website. Despite Microsoft’s positive action people are still recommending the software three and a half years later, and not just regular Joe Schmoe idiots but major financial corporations.

Such recommendations place these corporations, not to mention their customers, at major risk of online fraud, phishing attacks, identity theft, etc. If a company does not wish to support a specific platform that is their prerogative, but if they go out of their way to recommend not only an unsupported solution but also an extremely dangerous one, shouldn’t they be held liable for their negligence?

I am pasting below a recent email exchange between a local IT Manager and the technical support for paychex.com. (If anyone knows anyone in security at Paychex you might want to point this out to them.) I sincerely hope that the flunky in IT who wrote this has just been misinformed and that this is not Paychex official policy, but hey, there are a lot of stupid idiots out there.

—–Original Message—–
From: Joe Smith (j_smith@smallco.com)
Date: Monday, May 11, 2009 05:19 PM
To: section125@paychex.com (section125@paychex.com)
Subject: Online FSA – Contact Us

What are the minimum requirements to use your website?

Several of our employees are having problems accessing their accounts. Do you support Firefox? Safari? Chrome? Do users need Java or Flash installed? Which versions? Thank you.

Kind Regards,

- J. Smith
IT Manager

————————————-
From: Paychex Section 125 [mailto:section125@paychex.com]
Sent: Tuesday, May 12, 2009 4:22 PM
To: Joe Smith
Subject: RE: ‘Paychex=007-082-074’ Online FSA – Contact Us

Hello and thank you for your email,

There are certain access issues that may occur with Firefox and Safari and it is not recommended to use these for this website. Internet Explorer should have no issues with access or transmitting information. No additional programs are required for access; however, to request certain documents and view them Adobe Acrobat Reader is required.

Thank you,

Paychex Section 125
————————————-

From: Joe Smith (j_smith@smallco.com)
Date: Tuesday, May 12, 2009 04:48 PM
To: ‘Paychex Section 125’ (section125@paychex.com)
Subject: RE: RE:Online FSA – Contact Us

Internet Explorer is not available for Macintosh users. How do you recommend that those users with Macintosh computers access your website?

Kind Regards,

- J. Smith
IT Manager

—————————————
From: Paychex Section 125 [mailto:section125@paychex.com]
Sent: Tuesday, May 12, 2009 4:22 PM
To: Joe Smith
Subject: RE: ‘Paychex=007-082-074’ Online FSA – Contact Us

Hello and thank you for your email,

There are Mac versions of Internet Explorer available online free of charge.

Thank you,

Paychex Section 125

———————————————-

Oh, and they had this stupid disclaimer on the bottom of their emails:

The information contained in this message may be privileged, confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or any employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Paychex, Inc.

All I can say is that idiocy must be brought out into the light so that it can wither and die. Become enlightened. Oh, and don’t use IE for Mac.

Fake Story Still Fake, Media Still Clueless

About eight years ago a media story broke about how some “hackers” took over a British Ministry of Defense satellite and were holding it for ransom. Anyone who knew anything about command and control systems for satellites knew this would be almost impossible, especially for a military satellite. That didn’t stop Newsbytes, Yahoo News, ZDNet, even Reuters from running the story and sensationalizing the crap out of it. None of the ‘legitimate’ media questioned the story at all. They just reran the original Sunday Business story. The only website that I know of that questioned the story at the time was The Hacker News Network. It was the questioning of that story that prompted Brock Meeks of MSNBC to label HNN as “the voice of reason”. As it turned out no confirmation of the original story was ever obtained, the Ministry of Defense flat out denied the event ever took place, and the Sunday Business never revealed where the story came from.

So? Big deal? What’s the point of this walk down memory lane? Well, here it is eight years later and the same crappy media is republishing the same bullshit story as truth and fact. Evidently neither Corinne Iozzio over at PC Magazine nor her (his?) editors can be bothered to do basic journalism, simple research or fact checking. No, can’t let facts get in the way of a good headline and increased page views and ad impressions. So now this supposed ‘hack’, which as far as I can tell never actually happened, is the second most mysterious unsolved cyber crime. I suppose, on the Internet, if you repeat something enough times it magically turns into fact?

For reference here are the old HNN pages from March 1, 1999 and March 2, 1999. Unfortunately the chrome is gone and none of the links work anymore but the content is unchanged.

UPDATE: Thanks to Google’s 10th Anniversary Archive from 2001 and the Internet Archive a few quick searches help to confirm that the original story was fake. (Hey, Corinne, this took me all of about ten minutes.)

ZDNet – via Internet Archive “Our Satellites are Hack Proof”
Geek.com – via Internet Archive “Satellite hack is impossible, says UK”
Reuters Retraction – via Shmoo.com “British Defense Ministry Dismisses Hacker Report”

Honey Dipped Patch Tuesday

I have never really understood Microsoft’s Patch Tuesday from a security perspective. Sure, from an IT management perspective it makes a lot of sense. The ability to actually plan for events and effectively allocate resources in IT is a rare commodity. So much of IT management is reacting instead of planning that Patch Tuesday almost becomes a calming ritual performed once a month that can be rather comforting. Download, test, apply, eat your donut, repeat next month. From a security perspective, though, it makes absolutely no freaking sense.

So what happens when a hole is discovered on the Wednesday after Patch Tuesday? That’s right, nothing happens until the next Patch Tuesday. Well, at least you hope nothing happens. You hope the bad guys haven’t already found and are not actively exploiting the hole.

Some companies like Apple, Sun, HP, OpenBSD, etc., do not patch on a schedule; instead they patch when needed. From a security point of view this is preferred, as it greatly minimizes the time you are at risk. Unfortunately this can also lead to the situation where you are rolling out patches for five of the last ten days, like Apple did earlier this month. Patching every other day from an IT perspective is bad: it means you’re fighting fires, it means you can’t plan or allocate resources. It means you actually have to do your job and manage your IT! It means no honey dipped for you! Oh no, the horrors!

The reporters over at ComputerWorld evidently felt like it was a good time to bring up this ancient argument again and found a couple of clueless Windows Admins who claim to be “Security Researchers” who wanted to bitch about how they actually have to do work and manage Apple’s patches. Waaaaah. It must be Apple who is not ready for the Enterprise. Since Apple is the one making them do work and apply patches on a Thursday, it must be Apple who is wrong. Sun, and HP, and OpenBSD, and everyone who patches when needed, according to these “security researchers”, must be wrong.

Most people in the security industry understand the double-edged sword of patching on a schedule and making the enterprise IT drones happy versus patching when needed and making the (real) security guys happy. There really is no right or wrong answer; it depends on which side of the fence you stand on and what is more important, being secure or having time on Wednesday to eat your honey dipped donut.
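To put a number on the exposure window the post describes, here is an added Python illustration (not from the original post) that computes Microsoft’s second-Tuesday release dates and the days a hole stays unpatched under a fixed schedule versus patching when the fix is ready. The vendor lead time is an assumed parameter; the calendar arithmetic is real.

```python
from datetime import date, timedelta

# Added illustration, not from the original post: how long a hole found on a
# given day stays open under a Patch Tuesday schedule versus patch-when-needed.

TUESDAY = 1  # date.weekday(): Monday=0 ... Sunday=6


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def patch_tuesday(year, month):
    """Second Tuesday of the month, i.e. Microsoft's Patch Tuesday."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_patch_tuesday(d):
    """First Patch Tuesday on or after date d (may roll into the next month)."""
    d = _as_date(d)
    pt = patch_tuesday(d.year, d.month)
    if pt >= d:
        return pt
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return patch_tuesday(year, month)


def exposure_days(discovered, lead_days, scheduled):
    """Days between discovery of a hole and the day its fix ships.

    lead_days: assumed time the vendor needs to build and test the fix.
    scheduled: True for the Patch Tuesday model (a finished fix waits for the
    next release date), False for patch-when-needed (ships when ready).
    """
    discovered = _as_date(discovered)
    ready = discovered + timedelta(days=lead_days)
    ships = next_patch_tuesday(ready) if scheduled else ready
    return (ships - discovered).days


def yearly_exposure(year, lead_days=0):
    """(min, max, mean) scheduled-model exposure over every day of a year."""
    d = date(year, 1, 1)
    days = []
    while d.year == year:
        days.append(exposure_days(d, lead_days, scheduled=True))
        d += timedelta(days=1)
    return min(days), max(days), sum(days) / len(days)


if __name__ == "__main__":
    # The post's scenario: a hole found the Wednesday after April 2009's Patch Tuesday.
    wed = "2009-04-15"
    print("Patch Tuesday, April 2009:", patch_tuesday(2009, 4))
    print("scheduled model:", exposure_days(wed, 0, scheduled=True), "days")
    print("patch when needed (5-day lead):", exposure_days(wed, 5, scheduled=False), "days")
    print("2009 scheduled min/max/mean:", yearly_exposure(2009))
```

The worst case under the schedule is a hole found the day after a Patch Tuesday that precedes a five-week gap, which waits 34 days even if the fix is ready immediately.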

The Information Security Infantry

As a low-level, gravel crunching grunt there are a few things that get drilled into your head through constant repetition, things like: the only defense in an ambush is offense. If you’re caught in the middle of a well-planned and executed ambush you’re pretty much dead, so you might as well turn and run towards the hail of bullets coming at you and hopefully either run through them or scream loud enough to scare the guys shooting at you into stopping. Yeah, like I said, in an ambush you’re pretty much dead.

One of the other things that gets drilled into your head is that obstacles must be kept under observation or they will be circumvented. You cannot spend all day in the hot sun setting up triple-strand concertina wire and then walk away; the enemy will just cut through it. Sure, it might slow them down for a while, but it won’t stop them. However, if you’re standing there on the other side of the wire and the tanks come rolling along, you will have more than enough time to call in the Warthogs before they can cut through the wire.

It is sometimes amazing to me how this simple principle of observation of obstacles is lost out here in the real world. Things like people installing a firewall and then never checking the logs. An attacker will bang on that firewall all day long until he finds a hole if he knows no one is watching. If you don’t observe your obstacles they will be compromised.

The folks over at Countrywide Home Loans evidently did not know of or understand this simple, fundamental (to me anyway. Thanks Drill Sergeant!) security protocol. As a method to prevent data loss by physical means they glued closed all the USB ports on their computers. Except evidently they forgot one machine. Of course the bad guy found this one machine and managed to siphon off personal information for 20,000 customers every week for two years!

So an obstacle was put in place, the gluing closed of the USB ports, but there was no observation. No one checked the machines on a routine basis to see if rogue USB cards had been added to the system; there was no auditing of data transfer logs (assuming there were logs) for suspicious activity. No, just blind faith in super glue and the $14.00 an hour employee tasked with using the glue to get every single machine and not slack off early on a Friday afternoon.

Remember, most security measures are just obstacles, and all obstacles can be overcome given enough time and resources. Obstacles are nothing more than a deterrent; some obstacles are a bigger deterrent than others. So you can either run like a madman into the hail of bullets or keep your obstacles under observation.
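As an added example of keeping the firewall obstacle under observation (my code, not from the original post), this Python script reads netfilter-style DROP lines and flags a source that either probes many ports in a short burst or keeps coming back hour after hour, the “banging on the firewall all day” pattern. The log lines are constructed, the year used to parse syslog timestamps is assumed, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in the style of the Linux netfilter LOG target.
# Addresses come from documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
May 12 09:00:01 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
May 12 09:00:03 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
May 12 09:00:05 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25
May 12 09:00:07 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80
May 12 09:00:09 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=443
May 12 09:00:11 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=3389
May 12 09:17:44 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22
May 12 10:02:10 fw kernel: [DROP] IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=80
May 12 11:31:02 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22
May 12 14:05:59 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=22
May 12 16:48:30 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=22
May 12 16:49:00 fw kernel: [ACCEPT] IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=443
"""

LOG_YEAR = 2009  # assumed: classic syslog timestamps carry no year

# Only denied packets matter here; ACCEPT lines are ignored by the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: \[DROP\] .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Assumed thresholds; tune to the site's normal background noise.
BURST_WINDOW = timedelta(minutes=10)
BURST_PORTS = 5      # distinct destination ports inside one window
PERSIST_HOURS = 3    # distinct clock hours with at least one denied packet


def parse_line(line):
    """Return a dict for a denied (DROP) packet line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def analyze(log_text):
    """Map each suspicious source address to the list of reasons it was flagged."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        reasons = []
        # Burst: many distinct ports from one source inside BURST_WINDOW.
        for i, start in enumerate(events):
            window = [e for e in events[i:] if e["ts"] - start["ts"] <= BURST_WINDOW]
            ports = {e["dpt"] for e in window}
            if len(ports) >= BURST_PORTS:
                reasons.append(f"probed {len(ports)} distinct ports within "
                               f"{BURST_WINDOW.seconds // 60} min")
                break
        # Persistence: low and slow, but keeps coming back across the day.
        hours = {e["ts"].replace(minute=0, second=0) for e in events}
        if len(hours) >= PERSIST_HOURS:
            reasons.append(f"denied in {len(hours)} separate hours")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_LOG).items():
        print(f"{src}: {'; '.join(reasons)}")
```

Run against a real log, the single denied packet from 192.0.2.55 stays unreported while the port sweep and the hourly retries are surfaced for a human to look at, which is the observation the post says the obstacle needs.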