VAR Blues

I had to step away from the VAR I was using at work because of a recent change they had instituted with my business account. For years, I had enjoyed a classic relationship of having a single VAR Account Executive assigned to my account, where the AE would learn from me and get to know me, and I would get to know them as well. It was a very successful working relationship, and had been the way of things for six years. Around two months ago, the company made a change. They moved my business account from the structure that I was familiar with over to a team-based structure, and billed the benefits to include “There will always be an AE to work on your account” as a value-added proposition. I was worried that the change would instead eliminate the engagement, the learning, and the developing relationship between customer and reseller.

This new structure included a single shared email address that many people had access to: the AEs assigned to the “Pod” and the “Pod Manager”, who also kept a view on the shared mailbox. I was supposed to send every correspondence to this shared address. At first, I enjoyed the value proposition that there would always be someone to get my messages and to execute my requests. Although, to be brutally honest, access to my Account Executive was never really a problem, so this value proposition was actually a “solution in search of a problem” that I didn’t have. It wasn’t until much later, in the retrospective analysis, that I came to realize this was more significant than I considered it at first.

It was after this that the rest of the feature set for this new structure started to appear. I’m certain that the VAR thought that all of these things were only enhancing value for customers, but really every step just led me further away from where I was most comfortable. I wasn’t able to “get to know” my team of Account Executives; they remained faceless, voiceless text in email. This lack of humanity was at first not considered to be an issue, but later on became significantly problematic. The disconnection accelerated as we progressed. I was no longer handing work to an Account Executive, asking them for advice and tips, and there was a significant amount of value that I was suddenly unable to access. I had come into the arrangement with a habit of asking my Account Executive to send me quotes on various items, and they would seek the best fitting item that suited my preferences and hand me a quote for the recommended items that best fit my needs and, during the pandemic, had a better chance of being in stock. This habit was broken by the new way of doing things. I was no longer able to reach out to an Account Executive to get advice, to have their vantage point much closer to the manufacturers and distributors that we all were using to acquire technology; now I was supposed to simply go on the VAR website, find what I wanted, do my own shopping, and then assemble my own quotes. This feeling of being cut loose became pervasive because it was just another touted feature, considered by the VAR to be part of the “Value Added”, and quickly included not only writing my own quotes, but submitting my own orders as well.

The loss of engagement, the anonymity of the Account Executives involved, and how I was supposed to move all of my previous activities to self-directed work, ostensibly leveraged on the VAR website, all touted as “value added” components were actually just the opposite for me. It wasn’t until I started actually living in this new environment, doing my tasks this new way, that I realized just how much I had missed the old way that I used to do things. The value proposition was always above board, nobody was intentionally being manipulative or malicious, but the result was cold, impersonal, and made me feel like there was an erosion of all the value that at one point was part of my “value added” experience with my VAR.

Whenever there is a change, items can be lost in translation, they can get missed, and I do not fault anyone for missing, say, one or two small things as the customer and the Account Executive in the VAR start to grow together and establish a working relationship. I didn’t want to, at the time, hold people’s feet to the fire, but that’s exactly what I ended up having to do. I maintain a strict three-strikes policy when it comes to faults: if it’s awful, and you did it three times, that means that it isn’t a mistake, it isn’t overlooking something, it’s part of the design.

The first fault was completely missing the deadline on renewal of security software that my company depends upon to protect us all online. Thankfully, the manufacturer has a very gracious fifteen day grace period, where deadlines are much softer than how they actually sound. The fault resolved, and we moved forward. The second fault came shortly after the first one, and again, the same manufacturer. Missing the renewal of contractual agreements that enable me as a customer to approach the manufacturer’s technical support center if I have any questions or problems. It was addressed and we landed on our feet, but again, we had to sag backwards into the fifteen-day grace period. The third strike was one of tragic poor communication, and one of the most egregious failures I’ve ever witnessed. This failure also coincided with a new Account Executive team member whom I had never communicated with before.

The lack of experience and knowledge on both sides of the divide, again, became a problem that really got in the way. This new Account Executive asked me, over several email exchanges, questions that were too vague to answer because there wasn’t any included detail. IT is a detail-centric category. We thrive on details, we need exact details, like numbers, or topics, some way to clearly identify what it is that we are talking about. It doesn’t really work when people try to use vague communication styles packed with pronouns and references to unknown objects. Exchange after exchange in this manner became tedious and incredibly tiresome. Only after several iterations, where I had also started carbon-copying the Pod Manager, did the truth of the situation reveal itself. Once I learned what the object of the conversation was, I tracked it and realized that the subject work should have been completed months before, when they had already invoiced my company for the work completed, invoiced and paid.

That was the last straw, the VAR relationship had a tragic and lethal attack right on that spot, right at that time. I began to pursue a kind of “re-entry to the VAR marketplace”, essentially shopping for a new VAR. I found one, chatted them up, had several fantastic meetings and the new VAR has more energy than I’ve seen from the previous one, more professionalism, and more effectiveness. Furthermore, I was also clear with the old VAR, telling them that it was unconscionable how things had unraveled between us, including the “Pod Manager” who never even once attempted to intervene. It was like complaining at a brick wall, for all that I got out of the subsequent correspondences.

The way I was treated was more educational than bothersome. It was a lesson in how important my company’s account was to the old VAR: during the COVID-19 pandemic, our purchasing slowed because the supply channels also slowed. We wanted technology that was on extensive backorder, and so as our purchasing slowed and stopped, our value to the old VAR ebbed away. The group arrangement was a lesson in and of itself; we were too small, too insignificant to assign to a singular Account Executive, and so we were effectively downsized as a customer.

We were expected to do all our own work, be our own VAR, as it were, because we simply weren’t buying enough to be relevant to our previous VAR. This in itself carries a rather embarrassing knock-on side effect because we had ordered a particular kind of technology from a particular manufacturer and we had eleven items on extreme backorder with the VAR. The old VAR never valued our account, and this was proven out to us by the later revelation that the eleven items on extreme backorder had actually slipped into “End Of Life” from the manufacturer. The VAR couldn’t be bothered to re-evaluate the old Open Orders unprompted, discover the EOL surprise themselves, and try saving face by explaining to us what had happened and offering alternatives. What had happened instead was that the customer had started conversing with a new VAR and discovered the EOL condition, which highlighted just how little the prior VAR cared.

It didn’t matter what the old VAR even wanted to attempt in recovery efforts for the now fully dead business relationship because the single thing that they bring, their “Value Added Reseller” nature, was proven to be totally absentee. We didn’t buy technology for lack of funds, we didn’t buy technology because the people meant to handle the reselling never noticed that what they had already sold ceased to be for sale by the manufacturer!

So I walked away. I moved many orders from the old VAR, spec’ed them out with the new VAR, and actually ended up solving nearly all the seriously backordered gaps in our purchasing stream in one singular afternoon. I sometimes wonder, idly so, if the old VAR thinks about the suddenly cancelled orders, where we were waiting since April with extreme backorders, and then interest fades. Do they even care, do they even notice? They didn’t care enough to look at any old open orders, to even see that the item that we were waiting for shipping on was never ever going to ship because the manufacturer simply stopped selling it. Not having the attention to detail on historical items makes it not really any surprise that they kept on fumbling until the customer simply walked away.

I think that the critical lesson for me in all this drama with the two VARs has been the hidden value that engagement had throughout the entire experience. I never really had a visceral feeling for just how important the engagement was between myself and my VAR Account Executive until it was eroded almost completely. Once engagement disappeared, it was a game-changer for me because it illustrated just how important VAR Account Executives are in the process, how much I had come to rely on them. The VAR Account Executive sits in a very high place, able to see things that customers cannot. Their fingers on the pulse of international transport, distribution, and delivery. I only wish that my prior VAR had not allowed six years of solid, dependable positive experiences go down the drain like it did. I am far happier with my new VAR. With the right engagement between customer and Account Executive, I have already spent $25,000 with the new VAR! These dollar values are still small potatoes in comparison to other customers, but $25,000 is certainly more profit for the new VAR than for the old one who is just sitting on a pile of cancelled orders.

Ulysses 18.7 and WordPress 5.4

Aside

I just had a devil of a time with my Ulysses to WordPress integration. Something underhanded happened on the way to the Forum. Either it was something that WordPress tweaked in 5.4, or my host did something clever to get in the way and didn’t tell me. Someone left a very important bit out, which broke Ulysses, my editor of choice for blogging.

The solution was to be found in these two sites:

David Bosman’s Blog – Ulysses and WordPress and

Hans Bruins’s Medium Post – Ulysses and WordPress

So if you were using Ulysses all along, and it suddenly crapped out on you with WordPress, these instructions seem to do the trick, it did so for me!

YubiKey NFC 5 – Disappointing & Useless

Aside

It doesn’t take much for a technology to excite me and then subsequently fail me. Case in point, a YubiKey 5 NFC security key. I bought it on November 6, 2019 for $51.94. I was excited to use this new bit of technology, thinking that it would at least be a valuable experience for me when it came to 2 factor authentication and honing my security skills. The NFC bits were very attractive and the website clearly displayed iPhone as compatible, so why not? Chip in all the way, it’s only $50!

What I got did not at all match my expectations. The NFC doesn’t work, or at least required at the time a different kind of iPhone than the one I had, which was an iPhone 6S Plus, so that was deceptive advertising leading me nowhere. The NFC part works nowhere, so it’s just marketing mumbo-jumbo for me. I then plugged it into my USB port on my MacBook and was dismayed to see that it doesn’t really do what I thought it would: no way to get any of my TOTP settings onto the device, no applications to make it convenient to use on my MacBook Pro, but there was a way that I could put my GPG key for my main account on there. So I did that. Then after doing that I realized that the private key had been moved onto the YubiKey and a stub left on my MacBook Pro, meaning any time I wanted to decrypt anything I needed the YubiKey. I didn’t have a choice when it came to having it in both places, and I accepted that because I rarely if ever use my GPG key since it’s a dead-on-arrival technology itself.

All of this was an immense flash in the pan. I did learn a lot, and I guess it was worth the $50 I spent on it. Maybe I can return it to the manufacturer, as I have returned it to factory specs. If they don’t allow that, then I’ll likely put it up for sale on Facebook, Craigslist, or eBay.

What I got out of Yubico and their Yubikey is that it is like a lot of other security tools, pretty much meant for a very niche marketplace where people who would buy into these sorts of things are sold on the how, just looking for the what. I wouldn’t recommend Yubikey to anyone, it is not easy to use and completely unreliable. A little sidebar to mention here as well, if you wanted to use a YubiKey to secure your desktop or laptop computer, which you could do, they strongly recommend you buy two of them, in case you lose one or one gets stolen. The all-or-nothing deal is a huge cold shower.

Secure Channels

A few days ago I explored the challenge of establishing a secure channel in a business-to-business use case. Between the company I work for and another company, the information was very sensitive, the risk of it being compromised was unacceptable, and the requirement that I share the information with the other party was undeniable.

The goal was to get a secret string of text from my system into the system of another party. I have explored cryptography for a long while and so I was confident that all the tools I had could do the job very well. The real challenge was in establishing a communications protocol and a secure channel. Amongst my explorations, I had the entire suite of OpenSSL library ciphers at hand, I had GPG, and the answer which I sort of knew already even before I started this foray into cybersecurity, that Signal would eventually be my answer.

At first it was an exploration of the challenge itself. How could I get a secret alphanumeric string to another party that had none of the tools or the experience of cryptography that I had in my library? All of it was fated before I even started, but I at least wanted to go through the motions and explore this problem as if I was sitting in the middle of it without any view of the win condition at the end. The first stab was GPG, so I searched for any public keys related to the other company, and there were none. That was worth a smirk, and I nodded because I would have been shocked if there was a hit at all, so GPG was a dead end. The next effort was thinking about what sort of cipher could be used. This selection of a cipher was symmetric cryptography. I would need to encode the message so that it would be suitable for email transmission, and encrypt the data using some standard cipher that I knew would be possible for both parties, and then I spent a while trying to figure out the password for the cipher. I knew that base64 would be great for encoding and decoding the message, and I still have faith in AES-256-CTR, but that left me having to select a password that I could use that both sides knew. Any effort to share that password over any other non-secure channel would render all my efforts for nothing, because the cipher would then be a mathematical contrivance: the security of the payload becomes equivalent to the security of the password. If the password was passed in clear text, then the entire endeavor was meaningless.
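The symmetric route the paragraph walks through, as an added example that is not from the original post: a shell script that uses the openssl command-line tool (assumed installed, version 1.1.1 or later for the -pbkdf2 option) to encrypt a constructed sample secret with AES-256-CTR under a passphrase-derived key and base64-armor the result so it survives an email body. The function names, the sample secret and the passphrase are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl command-line
# tool (1.1.1 or later, for -pbkdf2) is installed; the secret and passphrase below
# are constructed sample values, not real credentials.

# encrypt_for_email PASSPHRASE PLAINTEXT
# Derives a 256-bit key from the passphrase with PBKDF2 (random salt, stored in the
# "Salted__" header), encrypts with AES-256-CTR and emits one line of base64 that
# can be pasted into an email body.
encrypt_for_email() {
    printf '%s' "$2" | openssl enc -aes-256-ctr -pbkdf2 -iter 100000 -salt \
        -pass "pass:$1" -a -A
}

# decrypt_from_email PASSPHRASE ARMORED
# Reverses the above. CTR mode carries no integrity check, so a wrong passphrase
# does not produce an error: it silently yields garbage that the caller has to
# recognise as such.
decrypt_from_email() {
    printf '%s' "$2" | openssl enc -d -aes-256-ctr -pbkdf2 -iter 100000 \
        -pass "pass:$1" -a -A
}

# Demonstration with constructed values.
SECRET='sample-api-token-0123456789'   # constructed, not a real credential
PASSPHRASE='example passphrase'         # must reach the other party out of band

ARMORED=$(encrypt_for_email "$PASSPHRASE" "$SECRET")
echo "armored for email: $ARMORED"
echo "recovered:         $(decrypt_from_email "$PASSPHRASE" "$ARMORED")"
# With the wrong passphrase the bytes come back as noise rather than an error.
echo "wrong passphrase:  $(decrypt_from_email 'not the passphrase' "$ARMORED" | od -An -c | head -1)"
```

The script makes the post's point concrete and adds one caveat. The passphrase never appears in the ciphertext, so it still has to reach the other party over some separate channel, which is exactly the gap the post runs into. And CTR mode on its own has no integrity check: a wrong passphrase, or a message altered in transit, decrypts to garbage rather than failing, so in practice the ciphertext would be paired with a MAC or an authenticated mode would be used instead. Signal handles both the key agreement and the integrity check without involving the user, which is the conclusion the post arrives at.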

So this entry becomes a love letter to Signal. It covered everything I needed. It used encryption end-to-end and it was vetted and secure, it didn’t require public keys, or specifically, the user wasn’t involved with that part of the process, and I could trust that the inbound mobile number matched the intended recipient. I didn’t need to exchange passwords or agree on a cipher or a protocol. The application and service are free as well, so there wasn’t even a cost barrier to this solution! It checks off every box on my list. I was able to copy and paste the secure string of data over Signal to the other person and conclude the task that I set for myself at the beginning of all of this. There is more to Signal than just this use case and I encourage everyone I know to download it, sign in, and start using it.

Derailing Robocalls

If you have an iPhone as your mobile device, you can set up a foolproof filter for pretty much all Robocalls, unwanted solicitations, or anything else that bothers you with multiple calls on your mobile phone.

The first step is to create a Voicemail Greeting that lets people know that they have to introduce themselves with their numbers first, and then once they exist in your Contact List, then your phone will ring and you might answer it. If your callers don’t know, then they will never get through.

The second step is to make sure your Contact List in your iPhone is as up-to-date as you can make it. Trim out any junk, do your best to de-dupe the list, get it so it is nice and tidy.

Third step is to go into Settings, then to Do Not Disturb settings, Turn Do Not Disturb ON, set Schedule if you want it off, although I just leave my phone on DND permanently. Silence Always, and in the Phone section, “Allow Calls From” and set that to “All Contacts”. Turn Repeated Calls off, and any other setting is your personal preference.

When inbound calls arrive, they will be checked via their Caller ID presentation with your Contact List. If they don’t know which number will match in your Contact List, then your phone will never ring. It will obviously ring for the caller, until they arrive in Voicemail, and then they leave a message introducing themselves, which is after all, a civilized way of using these devices. If you met someone IRL, then you’d have to create a contact for them in order for them to ring your iPhone.

If you have any other iOS device, like an iPad, you should configure that the same way as your iPhone so that when it is connected over Wi-Fi it doesn’t ring the way you don’t want it to.

After that, you won’t get any more inbound calls unless they are from your Contact List. No fuss, no muss.

Cisco AMP for Endpoints

Several months ago we bought into Cisco AMP for Endpoints. There was a lot of work right after that, so we set up the management account and put it aside. Months later, I felt a little awkward about it, so I thought I would devote my April to Cisco AMP for Endpoints.

I just uncorked my AMP for Endpoints account, for this post and going forward, when I write AMP, I mean Cisco AMP for Endpoints, because it’s a mouthful. AMP itself seemed forbidding and difficult, but then once I started working with the site, configuration wasn’t that bad. I decided to test AMP in my environment by starting a “Factory Fresh” copy of Windows 7 32-bit in VirtualBox on my Mac, with 4GB of RAM assigned to it. A standard humdrum little workstation model.

I downloaded a bunch of starter packs, including the “Audit” model, the weakest of them all. I installed it on the workstation and the site responded well enough, noticing the install. As I was working with the system, I noticed that AMP complained that the definitions were out of date on the client, so I went hunting for a “definition update” function. There isn’t anything the user can trigger, you have to wait for it. Oh, that’s not good.

So then I had AMP on the test machine and I thought I would try to infect it. So I found a copy of EICAR, which is a sample file that all these technologies are supposed to detect and find hazardous. Symantec Endpoint Protection (SEP) sees EICAR well enough, and really gets upset by it, immediately stuffing it into Quarantine and sending an alert. AMP also detected EICAR and because it was in Audit mode, just sat on its hands. Which I expected.

So then I found a bunch of sample malware files on a testing website, because while EICAR is useful for basic testing, it’s as revelatory as a knee-jerk reflex. It’s nice to know there is a reflex, but it’s not the same as an actual malware infection. I opened the ZIP file, typed in the password and all these malware samples came spilling out into the downloads directory. So, a workstation that is quickly becoming filthy. That’s my use-case for AMP.

So after “infecting” the computer with the files, and the tamest model, which is just to have them in a folder, I went to AMP and told it to switch the model on the test machine from Audit to Triage. That took almost twenty minutes! Are you for real on this, Cisco? Twenty minutes!!!

So I knew what I had on this workstation, but I pretended that I was the admin on the other side, with an unknown workstation connected, reclassified with Triage and waiting. I knew that the computer was infected, and as the admin, “not knowing what is going on” with the endpoint, I sent a scan command. This is the worst case scenario.

On the AMP side, I didn’t see anything at all. I panicked around looking for any hint that the AMP system recognized my scan request, and so I sent five more scan requests. Obviously, one scan request should have done it, but I wanted to make sure that I worked around even an imaginary screw-up in Cisco over scanning. Nothing. Workstation just plotzing along, infected files just sitting right there in the Downloads folder, just waiting for a double-clicking end-user to make a tame infection a wild one.

Obviously this is the world’s worst scenario, one where SEP somehow is gone, not installed, or somehow lost its marbles, leaving AMP on its own to run defense. Scan! Scan! Scan! — Nothing at all. AMP just sits there just merrily SITTING THERE. Like shaking a coma patient, is very much what it felt like.

So then I started with the Help feature, request help, okay, I knew how this would go. This would lead to TAC. God help me. Cisco’s system didn’t know what AMP was, hahahahaha of course not. But there was a chat system in a teeny tiny little button, so I tried that. Someone! Hallelujah! They found my contract and linked it up, and started a case for me. When I went back to the test system, AMP had done its work. FINALLY. It only took twenty minutes! A lot can happen in twenty minutes. How many files could have been ransomware-encrypted in those twenty minutes?
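A small harness for the kind of test described in this post, added here and not part of the original post or of Cisco's tooling: it writes the standard EICAR test file into a folder and measures how long it takes before the endpoint agent removes it, so a response lag like the twenty minutes above can be recorded in seconds rather than judged by refreshing a console. The function names, the file name and the timeout are assumptions; the EICAR string itself is the published, harmless industry test pattern.

```shell
#!/bin/sh
# Added example, not the author's or Cisco's code. Drops the EICAR test file into
# a directory and reports how many seconds pass before something removes it.

# The standard 68-byte EICAR test string (single quotes keep $ and \ literal).
EICAR_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# write_eicar DIR -> prints the path of the test file written into DIR
write_eicar() {
    path="$1/eicar-test.com"
    printf '%s' "$EICAR_STRING" > "$path"
    printf '%s\n' "$path"
}

# wait_for_quarantine PATH TIMEOUT_SECONDS
# Polls once a second. Prints the number of seconds until PATH disappears;
# prints "timeout" and returns 1 if the file is still present after the limit.
wait_for_quarantine() {
    path="$1"; limit="$2"; elapsed=0
    while [ -e "$path" ]; do
        if [ "$elapsed" -ge "$limit" ]; then
            echo timeout
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    echo "$elapsed"
}

# Demonstration: WATCHED_DIR is an assumed folder the agent is expected to watch.
WATCHED_DIR="${WATCHED_DIR:-$(mktemp -d)}"
TEST_FILE=$(write_eicar "$WATCHED_DIR")
echo "dropped $TEST_FILE, waiting up to 5 seconds for the agent"
echo "result: $(wait_for_quarantine "$TEST_FILE" 5)"
rm -f "$TEST_FILE"
```

Point WATCHED_DIR at a folder the agent actually scans (the Downloads folder from the post, for instance) and raise the limit to whatever response time the deployment is expected to meet; the printed number is the seconds it took, and "timeout" means the agent never acted inside the window. On a machine with no agent at all the script simply times out, which is the baseline to compare against.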

So now I await a response from Cisco TAC. During the chat I declined the entire phone call angle since Cisco TAC people cannot speak English, or at least, I cannot understand their speech. So I told them that I would only communicate over email. So let’s see what TAC has to say. We spent a lot of money on this, so obviously I’ll likely deploy it, but man, I am sorely disappointed in a system where every second counts. On reflection, Cisco AMP for Endpoints was probably a mistake.

Whiteboard Secure?

The first time you start to involve yourself in cryptography you start on a path to suspicion and paranoia. Nearly every discussion about cryptography involves two example parties, Alice and Bob. Alice is always trying to keep secrets from Bob, and these two characters are used to illustrate everything from public key cryptography to man-in-the-middle attacks, and a lot more than just these examples as well.

This entire line of reasoning starts to kindle thoughts about how you go about your everyday life and just how much of your personal data, your privacy, your secrets are all leaking out around the edges. For all the efforts of your own personal Alice, there is a Bob out there, maybe, trying to dig up things you aren’t watching over or never expect.

A portion of cryptography, or more generally espionage, comes down to the things you leave behind. Some folks think that strip-shredding sensitive papers is enough, while others consider upgrading to crosscut shredding to be the gold standard. For really sensitive papers, I personally have considered the only really effective way to prevent them from being reassembled is through burning and beating with some sort of implement to mix up the ashes. All this is to prevent information from leaking out where you never intend for it to leak out from. A big part of this, and in a lot of film noir detective stories, is phone numbers or passwords written on sticky notes or on a notepad. Sometimes people will write something down on a series-bound stack of papers with something like a ball-point pen, because it’s handy. The ball-point does put ink on paper, but it also can emboss the paper below the sheet you are working on, and with a gentle swipe of pencil graphite, the ghost of what was written reappears.

While I’ve been working at my desk, I got to thinking about convenient surfaces that I could take notes on, which would be handy and easily erased and reused. A while back I stopped at the dollar store and got a nice little whiteboard and a selection of dry-erase markers. Super cheap, super convenient. The whiteboard has proven to be very convenient and useful in my workplace and for $2, a non-issue when it comes to the pricetag. It struck me that this cheap cardboard and plastic whiteboard assembly could also be a very secure way to write temporary notes, say banking details for example. I can write a whole line of values and account numbers, passwords, whatever I like and with a swipe and rub of an eraser rag, whoosh, all of the details are gone forever. As I examined the whiteboard and considered this, I thought of ways that the wiping process could be reversed. There is no embossing onto a lower layer to worry about, and there doesn’t appear to be any order of anything at all on the surface or the wiping rag. So I would at least think on the outset that a whiteboard makes a very fine and secure temporary notepad to write anything on, because once wiped off, perhaps also with alcohol or Windex just to be very careful, I can’t imagine there is any way to unwind the clock on the erasure process. No way to get back what was written.

Now there is no application for this sort of security in my life, other than perhaps writing down account numbers, my SSN, or perhaps the password to some sort of system here at work, but if you are looking for a way to write temporary notes and not have to worry about security – a whiteboard at the dollar store certainly seems to be a solid approach.

C2E2: Will I Be On Camera?

Spotted this gem this morning. There’s something in the tall grass here at C2E2:

The paragraph covering “Will I Be On Camera?” has us scratching our noggins. What does it mean? It could mean facial tracking technology and data sales between customer flow in the exhibitors hall and their subsequent selections on the app for their fandoms. And since all our demographic data is online with ReedPOP, the managing company, they’d have to be dullards to not take advantage of this in all the ways I can think of. So, pinnacle of corruption and deep-cut privacy violations galore! But hey, we all accepted it and frankly my dear, nobody cares or even is worried over it. So I am going to be, in perpetuity (heh heh) the only Watchman shaking his canary cage.

It’s all good. I expect nothing less. Companies are corrupt, all the way to the core. That’s what they are. That is their basic nature. Paging Marcus Aurelius, and Dr. Lecter.

Moo goes the cow. Baa goes the sheep.

The Ethics Of Contact Lists

So far it has happened to me twice. I have received contact from people who are very much no longer with organizations that I have a relationship with. The first contact was from a telecommunications technology company, obviously remaining nameless, with the offender also remaining nameless. I had recognized the name from a previous connection when I was working with a current telecommunications company that is related to my workplace. The messaging was tailored to create a fear response and a panic move on my behalf to drum up business for the account executive’s commission. They had my name and my email address, they worked at a new company, and there is no reason why they should contact me, as there was no prior contact with their new company for any purpose where I should expect contact. Essentially they copied their customer list in one company, and then when they went to another position elsewhere just uncorked the list and hit up all the contacts, in a targeted fashion. The first time was remarkable, but I thought it was a situational outlier.

Today, after I got the mail out of my home mailbox, I found another card from a previous contact, a person with whom I had made a few financial arrangements. They were no longer with the financial institution that I do business with on personal terms, but at a wholly new company with which I had never had contact before. Again, the person copied their customer list from one company and carried it with them to another company.

I find all this to be wrong. It could even be regarded as corporate espionage. Right now it’s a simple matter of just tossing all these cold contacts suddenly warm again right in the secure recycling bin. There is no way that I’m going to contact any of them, but because I regard this as wholly inappropriate use of privileged information, each time I spot it, the relationship is dead on arrival. I don’t want to talk to these people, and doing this underhanded thing is worth exactly what I’m willing to pay for it, which is to throw it all away and not even give it a single thought. You stole the list, you are attempting to be clever and sneaky. I will not be a party to it.

I, of course, won’t identify companies or name individuals, but I find this to be utterly reprehensible, and as a practice, I’m calling it out. If you quit a job where customer lists are handy, you leave those lists behind, and you find a more wholesome and honest way to approach customers. So, off the offending mail goes, off to the recycling bin!