Secure Channels

I explored the challenge of establishing a secure channel in a business-to-business use case a few days ago. The exchange was between the company I work for and another company; the information was very sensitive, the risk of it being compromised was unacceptable, and the requirement that I share it with the other party was undeniable.

The goal was to get a secret string of text from my system into the system of another party. I have explored cryptography for a long while, so I was confident that the tools I had could do the job very well. The real challenge was in establishing a communications protocol and a secure channel. Among my options I had the entire suite of OpenSSL library ciphers at hand, I had GPG, and I had the answer I sort of knew already, even before I started this foray into cybersecurity: that Signal would eventually be my answer.

At first it was an exploration of the challenge itself. How could I get a secret alphanumeric string to another party that had none of the tools or the experience with cryptography that I had in my library? All of it was fated before I even started, but I at least wanted to go through the motions and explore this problem as if I were sitting in the middle of it without any view of the win condition at the end. The first stab was GPG, so I searched for any public keys related to the other company, and there were none. That was worth a smirk, and I nodded because I would have been shocked if there had been a hit at all, so GPG was a dead end. The next effort was thinking about what sort of cipher could be used, and that selection meant symmetric cryptography. I would need to encode the message so that it would be suitable for email transmission, encrypt the data using some standard cipher that I knew would be available to both parties, and then I spent a while trying to figure out the password for the cipher. I knew that base64 would be great for encoding and decoding the message, and I still have faith in AES-256-CTR, but that left me having to select a password that both sides knew. Any effort to share that password over some other non-secure channel would render all my efforts for nothing: the cipher would become a mathematical contrivance, because the security of the payload would then be exactly equivalent to the security of the password. If the password was passed in clear text, then the entire endeavor was meaningless.
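To make the symmetric route described above concrete, here is that first stab done with the OpenSSL command line. This is an added example, not code from the original post; it assumes an openssl binary of version 1.1.1 or later (for the -pbkdf2 option), and the secret and passphrases in it are constructed for the demonstration. It also shows the part the paragraph only states: everything stands or falls on how the passphrase reaches the other side, and AES-256-CTR on its own has no integrity check, so a wrong passphrase does not produce an error, only silent garbage.

```shell
#!/bin/sh
# Added example: the AES-256-CTR + base64 route the post considers, using the
# openssl CLI. Assumes OpenSSL 1.1.1+ (needed for -pbkdf2).

# seal: read plaintext on stdin, derive a 256-bit key from the passphrase with
# salted PBKDF2, encrypt with AES-256-CTR, and emit one base64 line (-a -A)
# that is safe to paste into an e-mail body.
# Note: "pass:" puts the passphrase on the command line, visible in `ps`;
# for real use prefer -pass file:PATH or -pass env:VAR.
seal() {
  openssl enc -aes-256-ctr -pbkdf2 -salt -a -A -pass "pass:$1"
}

# unseal: reverse of seal; reads the base64 line on stdin.
unseal() {
  openssl enc -d -aes-256-ctr -pbkdf2 -a -A -pass "pass:$1"
}

# roundtrip SECRET SENDER_PASS RECEIVER_PASS: returns whatever the receiver
# recovers, so a caller can compare it with what was sent.
roundtrip() {
  printf '%s' "$1" | seal "$2" | unseal "$3"
}

# Constructed sample secret and passphrase (not real credentials).
SECRET='api-token-EXAMPLE-0123456789'
GOOD_PASS='correct horse battery staple'

echo "armoured ciphertext: $(printf '%s' "$SECRET" | seal "$GOOD_PASS")"
echo "recovered with the right passphrase: $(roundtrip "$SECRET" "$GOOD_PASS" "$GOOD_PASS")"
# CTR mode carries no MAC, so a wrong passphrase does not fail; it silently
# decrypts to garbage. Hex-encoded here so the terminal stays readable.
echo "recovered with a wrong passphrase (hex): $(roundtrip "$SECRET" "$GOOD_PASS" 'wrong' | od -An -tx1 | tr -d ' \n')"
```

The salt is random, so every run produces a different ciphertext line for the same secret and passphrase, which is expected. What the example cannot fix is the post's actual problem: both sides still have to agree on GOOD_PASS over some channel, and that channel is now the weakest link.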

So this entry becomes a love letter to Signal. It covered everything I needed. It used end-to-end encryption, it was vetted and secure, and it didn’t require public keys, or more specifically, the user wasn’t involved with that part of the process, and I could trust that the inbound mobile number matched the intended recipient. I didn’t need to exchange passwords or agree on a cipher or a protocol. The application and service are free as well, so there wasn’t even a cost barrier to this solution! It checks off every box on my list. I was able to copy and paste the secure string of data over Signal to the other person and conclude the task that I set for myself at the beginning of all of this. There is more to Signal than just this use case, and I encourage everyone I know to download it, sign in, and start using it.

Pete Buttigieg Donation

Everytime I see Pete Buttigieg or hear him speak I am overwhelmed with awe and respect. He isn’t spending time listening for reply, there is no wool gathering, and he isn’t lying.

He may be a longshot, but so was Obama, and he won. So I plunked down $25 for Pete Buttigieg through actblue.com. I have also decided who I want to win the Democratic primary and the presidency of the United States.

Who does he pick for VP? Beto O’Rourke, Elizabeth Warren, or even Joseph Biden. That’s his decision in the end, but anyone in that set would do very well.

Strategy to Inbox Zero

Earlier in the week I had talked to a friend about my unmanageable email pile in my Inbox, about 78 pieces of email just sitting there, dwelling on the edge of my consciousness and weighing on me. Is there something there that I should take care of? Did I miss something important? So I started to chat and to do some research.

There are many strategies out there, and I adapted them for my own use, and so far it has worked out marvelously well. Here’s how I process my email:

  1. Create sorting folders. I created a host of new subfolders in my work email account which runs under a hosted version of Microsoft Exchange. Because folders sort alphabetically, I forced the sort using number indexes and dashes.
    1. 1-Email Management
      1. 1-Today
      2. 2-This Week
      3. 3-This Quarter
      4. 4-FYI
      5. 5-Toodledo
      6. 6-Done/Sort
    2. 2-Help Desk
    3. 3-To Evernote
    4. 4-Barracuda
    5. 5-Syslog Alerts
    6. 6-ATP
  2. Then I sort the Inbox into the “Email Management” folder structure. If something has to be done today, it goes to 1-Today, and so on and so forth. My first consideration is the due-date for the item in my Inbox. If the item is purely informational, it goes into the 4-FYI box.
  3. I have rules set up in my email application, which happens to be Apple Mail. If I get email from Toodledo, my favorite To-Do system, they are moved into that folder. Anything from my Spiceworks ticket system ends up in the 2-Help Desk folder. The messages from my Barracuda backup appliance end up in the 4-Barracuda folder, all my incoming Kiwi Syslog alerts end up in 5-Syslog Alerts, and finally the Advanced Threat Protection reports from Hosted Exchange get filed in 6-ATP. Rules are a huge part of keeping your neck above water when it comes to email. There are a lot of purely informational emails that have zero urgency and very low importance; you want to keep them to go through later, but they don’t need to clog up your Inbox. Rules can help you sweep a lot of these away automatically. Always flag your junk mail, and review that folder occasionally to check it for false positives.
  4. If an item is a request for help from work, and it didn’t come in as a ticket originally, it needs to be pushed into the ticketing system. Thankfully Spiceworks allows you to forward emails into the ticket system by sending forwarded mail to whatever mailbox you’ve configured for the Spiceworks system. There is a litany of hashtag controls you can place in the email body to configure how tickets are arranged. My Cisco CUCM system is configured to also kick voicemails to me as attached MP3 emails, and if they are requests for help, they likewise end up being forwarded with some extra flavor text to stomp down on confusion.
  5. If an item isn’t help, is urgent, is rather important, and has a clear date and time I will forward the email to my Toodledo using the configured email address on that system. Toodledo has a flag system that works on the Subject line. My preferred method is to alert people to events, include Toodledo as a BCC addressee, and then add at the end of the Subject line this text fragment: @work :1 day #{duedate} where the field duedate is whatever the date is that is relevant. Send it, forget it, it’s in the Toodledo list.
  6. The next step is to cycle through folders in Email Management, starting with Today and then reviewing all the rest. The Today folder is the action items that can be done today, or are due today. After completion, simple things are thrown away, but anything more elaborate or anything that touches on CYA gets sorted into the 3-To Evernote Folder.
  7. Evernote is a bottomless notekeeping system that I also use, and I leverage Evernote as a destination for all my CYA emails, and each quarter the extracted Sent Items from my Exchange account. I don’t trust Microsoft at all, I’d rather keep things in Evernote. Microsoft has a 50GB quota, Evernote does not have a quota. At the end of each week, I have a “Sharpen The Saw” task in Toodledo that I run, and a part of that is running along the structure in the 3-To Evernote folder, which includes all the emails across the branches of the company I work for, and all the vendors I have relationships with. Every Quarter, I search for all the emails for the previous block of time, soon Q1-2019 will be over so I search for all Q1-2019 emails and also move them into Evernote.
    1. The Evernote move is accomplished in two steps. The first step is to extract all the attachments out of the emails in my Exchange account, I use Mac Automator for that purpose, and here’s how it’s configured:
      1. Get Selected Mail Messages – Get selected messages.
      2. Get Attachments from Mail Messages – Save attachments in: “Attachments”
    2. I then run the Automator workflow, and all the attachments are put in a folder on my Desktop called Attachments. I then bulk rename them with their folder, a date such as 20190301 (YYYYMMDD), and then select them all and drag them into the right notebook in Evernote.
    3. Then I highlight all the relevant emails in my Mail app that I intend to send to Evernote, and I have created a General Service on my Mac called “Send To Evernote”, which is actually another Automator workflow, called “Send To Evernote.workflow”, that has this content:
      1. Run AppleScript:

         on run {input, parameters}
          -- Slightly modified version of Efficient Computing's AppleScript: http://efficientcomputing.commons.gc.cuny.edu/2012/03/17/copy-email-message-in-mail-app-to-evernote-applescript/
          tell application "Mail"
           --get selected messages
           set theSelection to selection
           --loop through all selected messages
           repeat with theMessage in theSelection
            --get information from message
            set theMessageDate to the date received of theMessage
            set theMessageSender to sender of theMessage
            set theMessageSubject to the subject of theMessage
            set theMessageContent to the content of theMessage
            set theMessageURL to "message://%3c" & theMessage's message id & "%3e"
            --make a short header from the first four header lines
            set theHeader to the all headers of theMessage
            set theShortHeader to (paragraph 1 of theHeader & return & paragraph 2 of theHeader & return & paragraph 3 of theHeader & return & paragraph 4 of theHeader & return & return)
            --import message to Evernote
            tell application "Evernote"
             set theNewNote to (create note with text (theShortHeader & theMessageContent))
             set the title of theNewNote to theMessageSubject
             set the source URL of theNewNote to theMessageURL
             set the creation date of theNewNote to theMessageDate
            end tell
            -- move the email message to archive and make it bloody obvious
            set background color of theMessage to blue
            set acc to account of mailbox of theMessage
            move theMessage to mailbox "Archive" of acc
           end repeat
          end tell
          return input
         end run

      2. It takes some time, but it efficiently moves the text parts of the emails selected into Evernote, using my default Notebook, called IN BOX.
      3. I select everything in the Evernote notebook IN BOX and move it to where it has to go, the destination notebook within Evernote itself. The messages all end up in the Archive folder, so then after that I hunt them down and delete them out of Exchange. Then empty the trash out of Exchange.
  8. In the end, I have a very slim Exchange account, a well fleshed out Evernote data store where I can search for all my email CYA details that I might need later on, and it also works on the web and over mobile apps as well. It’s very handy.
  9. It only took me a little while, maybe an hour tops to sort my Inbox and get to Inbox Zero. Then the cycling through the subfolders helped give me a handle on both urgency and importance, and I have a far better sense that I am actually on-top of my emails.


C2E2: Will I Be On Camera?

Spotted this gem this morning. There’s something in the tall grass here at C2E2:

The paragraph covering “Will I Be On Camera?” has us scratching our noggins. What does it mean? It could mean facial tracking technology and data sales between customer flow in the exhibitors hall and their subsequent selections on the app for their fandoms. And since all our demographic data is online with ReedPOP, the managing company, they’d have to be dullards to not take advantage of this in all the ways I can think of. So, pinnacle of corruption and deep-cut privacy violations galore! But hey, we all accepted it and frankly my dear, nobody cares or even is worried over it. So I am going to be, in perpetuity (heh heh) the only Watchman shaking his canary cage.

It’s all good. I expect nothing less. Companies are corrupt, all the way to the core. That’s what they are. That is their basic nature. Paging Marcus Aurelius, and Dr. Lecter.

Moo goes the cow. Baa goes the sheep.

Boeing as Microsoft

https://arstechnica.com/information-technology/2019/03/boeing-sold-safety-feature-that-could-have-prevented-737-max-crashes-as-an-option/

Ars wrote an article about the 737 Max aircraft’s safety system gap. Boeing made a key function for safety an expensive add-on. God, that smells like a Microsoft joint, doesn’t it? Hahahahahaha. Make your flight choices clear when you buy tickets: I don’t want to fly on Boeing aircraft.

And then, in related news, a touch of quid pro quo between Nikki Haley and Boeing, too. https://www.seattletimes.com/business/nikki-haley-nominated-for-board-seat-at-boeing/

Hilarious.

Goodbye Twitter

Today in my email I received this from Twitter Support:

[Image: IMG_2439]

So if you click on the link, the only option is to self-censor, basically a specially crafted button to blow up whatever the offensive tweet was. In my case, my heartfelt wish that our current human stain in the White House has a stroke or heart attack. I don’t want to do anything to him, I want him to simply seize up and die all by himself. Fly into a rage, then grab his chest and drop over stone dead.

So, Twitter took it upon themselves to force me to censor myself. Right after I got this message, I most certainly did click the “Remove” button, which blew up the Tweet. Then I downloaded my Twitter archive, once that was safe, I then deactivated my Twitter account. I would much rather it all get blown up to kingdom come than self-censor myself against the pile of waste sitting behind the Resolute desk.

I don’t really care to discuss the First Amendment ramifications, as I’m absolutely positive that Twitter will hide in the tall grass of their TOS. And that’s actually quite fine. I haven’t used Twitter in years, only logging in to lob gems like this one at the pile of fecal matter with a spray tan. I deleted Facebook, I can delete Twitteriffic too.

What am I missing out on? Nah, nothing lost. Peace of mind gained. Goodbye Twitter.

Cisco SmartInstall Vulnerability Mitigation

At work, I use Cisco gear everywhere. Recently the SmartInstall Hack has become a security concern. There is a vulnerability in the SmartInstall system that allows bad actors to send arbitrary commands to your network infrastructure.

So I started out knowing how my network is shaped, that I customarily keep the 10-net IP space organized by state, then by city, and then finally by kind of equipment. Out of the four octets, the first one has to be 10, the second one is the state, and the next is the city in that state, and finally, I prefer to keep all my infrastructure gear between 250 and 254.

I started with nmap because I wanted a memory refresher so that I wouldn’t miss a device.

nmap 10.1-10.1-10.250-254

This command provides me a handy report of all the places on the inside of my network where ssh or telnet (depending on the age of the gear) reside. I print off the list, and it becomes an authoritative checklist for all my infrastructure gear.

Then, one at a time, either ssh or telnet into the infrastructure devices and issue these commands in one paste:

conf t
no vstack
end
wr mem

I don’t care if the command fails, it’ll write NVRAM to Flash either way which suits me fine. Once I was sure I got all the equipment that could be affected, I know that at least for this vulnerability, we’re all done. There won’t be anything, at least for this, at work for me to worry over.

Now if you use vstack or SmartInstall, your mileage may vary, but I certainly don’t use it. The default is to leave it on, so the smart money is in forcing it off. Why close it off even if you think there’s no chance of bad actors on your LAN? Because it is one less thing to worry over.
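The two places where this procedure is easy to get wrong are building the checklist and confirming that each device actually took the change. The script below is an added example, not from the post: it parses nmap’s grepable output (-oG) into the ssh/telnet checklist, emits the same four-line paste, and checks the text of `show vstack config` (the command Cisco’s Smart Install advisory gives for confirming the state) so a device that still reports SmartInstall as enabled is not ticked off by mistake. The scan lines and the before/after device output are constructed samples; the sweep function is the only thing that touches the network and is left for the reader to run.

```shell
#!/bin/sh
# Added example (not from the post). Assumes nmap -oG output and the
# "Role: Client (SmartInstall enabled/disabled)" wording of Cisco IOS
# `show vstack config`; all sample data below is constructed.

# sweep: the post's ranges, restricted to ssh (22) and telnet (23), in
# grepable form. Not run here; SAMPLE_SCAN stands in for its output.
sweep() {
  nmap -p 22,23 -oG - 10.1-10.1-10.250-254
}

# Constructed -oG lines (fields are tab separated, as nmap writes them).
SAMPLE_SCAN=$(
  printf '# Nmap scan initiated as: nmap -p 22,23 -oG - 10.1-10.1-10.250-254\n'
  printf 'Host: 10.1.1.250 ()\tStatus: Up\n'
  printf 'Host: 10.1.1.250 ()\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///\n'
  printf 'Host: 10.1.1.251 ()\tPorts: 22/closed/tcp//ssh///, 23/open/tcp//telnet///\n'
  printf 'Host: 10.1.2.250 ()\tPorts: 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///\n'
  printf '# Nmap done\n'
)

# mgmt_hosts: read -oG output on stdin and print, once each, the addresses
# that answered on 22/tcp or 23/tcp. This is the checklist the post prints off.
mgmt_hosts() {
  awk '/^Host:/ && /Ports:/ && $0 ~ "(^|[ ,])2[23]/open/tcp" { print $2 }' | sort -u
}

# disable_vstack_commands: the one-paste fix from the post, one line per command,
# handy when feeding it to a scripted login instead of pasting by hand.
disable_vstack_commands() {
  printf '%s\n' 'conf t' 'no vstack' 'end' 'wr mem'
}

# vstack_enabled: read `show vstack config` output on stdin; succeed (exit 0)
# only while the device still reports Smart Install as enabled.
vstack_enabled() {
  grep -q 'SmartInstall enabled'
}

# Constructed device output before and after `no vstack`.
BEFORE=' Role: Client (SmartInstall enabled)
 Vstack Director IP address: 0.0.0.0'
AFTER=' Role: Client (SmartInstall disabled)
 Vstack Director IP address: 0.0.0.0'

echo "checklist (hosts with ssh or telnet open):"
printf '%s\n' "$SAMPLE_SCAN" | mgmt_hosts
echo "paste on each device:"
disable_vstack_commands
printf '%s\n' "$BEFORE" | vstack_enabled && echo "before: still enabled, apply the fix"
printf '%s\n' "$AFTER"  | vstack_enabled || echo "after: disabled, tick it off the list"
```

Hosts that show the ports as filtered are deliberately left off the checklist, since nothing can be logged into there; they still deserve a second look, because a device behind a filter is not the same as a device with Smart Install turned off.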

Crocodile Apologies

The media is starting to process the Cambridge Analytica misuse of Facebook data, and the story is only just getting some legs underneath it now. I see this as a reflective surface of the panic that we all felt back in November 2016, digging all that psychic turbulence back up again.

I want to focus more on Facebook itself. There have been several instances where Facebook has declared innocence publicly up until proof found, usually by journalists or investigators, and then when the truth comes out, Facebook stops, pauses, and issues an apology for their transgressions or mistakes. This reactivity is for me what lies at the core of my misgivings about the Facebook platform, and Facebook as a company.

In my opinion, it appears that Facebook is only chastened and contrite when caught red-handed doing something improper. I cannot trust a platform or a company that behaves this way. I honestly admit that I never really expected Facebook even to want to try to be upright and wholesome, I wanted them to, but all of this is similar to the feeling that I had when Google walked away from its mission statement “Do No Evil.” Facebook cannot be trusted.

There is no shock or surprise that Facebook has no tapeworm function available, only two options exist, leave everything alone or blow it all to kingdom come. I know there is a third path, the manual deletion of everything in the Activity Stream, but over ten years and quite a regular amount of use that is utterly impractical. Plus, I expect Facebook to be both capable and invested in retaining my data even if I think I’ve deleted it. Just because it no longer exists on the interface to me doesn’t mean that it is gone. I doubt thoroughly that even deleted accounts get deleted. I would bet money that they get hidden from view. It would not be in Facebook’s self-interest to lose any data they can get their hands on. I would also not put it past Facebook to also log every keystroke that goes into the text boxes on their site, so even if you don’t post anything, I would bet that Facebook has a record of what you did type and that you abandoned it. That they could record and store your unshared thoughts, indexing, and selling them even if you didn’t share. Logging into the Facebook site itself is a personal hazard to privacy. I have no proof of this last part, but I would fully expect a company like Facebook to do this very thing.

There is little that quitting Facebook will accomplish, since human personalities are quite fixed and constant constructs. We maintain that iron grip of control and Facebook has monetized it, and now, since Cambridge Analytica, they have lost it. Pandora’s Box is open.

So why stop using Facebook then? Facebook must be caught being evil, which means that the intent is a stain that runs right to the core. I’ve abandoned Facebook itself because continued use is tacit approval of their offensive behavior, and if it makes them money through advertising revenue, and I’m a part of that? That’s personally unacceptable.

Going West With Facebook

Much like the elves in Tolkien’s tales, sometimes the time is right to board the boats and head west. In this particular case, what to do with Facebook.

I’ve been using Facebook since July 2nd 2008. In the beginning it was wonderful, sharing and everyone seemed kinder, more conscientious, I suppose the world was better back then. Many people were looking for a new platform once LiveJournal collapsed, which if we are really serious about it, came when SixApart was sold to the Russians. Americans fled pretty much after that. And so, Facebook was a thing.

Mostly friends, it hadn’t taken off yet. Many of the later iterations that make Facebook the way it is today weren’t even thought up of back then, and in a lot of ways, it was better in the past. But then everyone started to join the service and we started to learn about the ramifications and consequences of using Facebook. I can remember that feeling of betrayal as Facebook posts were printed out and handed to my workplace management. That really was the first lesson in privacy and the beginning of the end of my involvement with Facebook.

Facebook has been on-again-off-again for a while. In time I realized that I was addicted to the service and the sharing. With enough time I realized that Facebook was actually fit more as a mental illness than an addiction. I had to stop it, because in a very big way, it was the service or my mental health.

So fleeing Facebook is the name of the game. First I downloaded all my content from the service, then I started to move the saved links from Facebook to Pocket for safekeeping. Then I went through and started hacking away at groups, pages, and apps. All of these tasks will be long-tailed; they’ll take a while for me to polish off because Facebook’s tentacles run very deep, and just how deep they actually go is remarkable and rather surprising.

So now I’m looking at writing more and sharing more from my Blog. This post is kind of a waypoint to this end. I installed a new theme with some new images featured, and the next step is to figure out a “Members Only” area where I can separate out the public from my friends. There are some items that I intend to write about that use specific names and I don’t want to play the pronoun game with my readers. I also don’t want hurt feelings or C&D notices, both of which some of my writing has created in the past.

I will detail my journey with disposing of Facebook here on this blog. I have eliminated publicity to Twitter and Facebook, but I left G+ on, because G+ is a desert.

So, here we go!

Network Monitoring

I’m in the middle of a rather protracted evaluation of network infrastructure monitoring software. I’ve started looking at Paessler’s PRTG, also SolarWinds Orion product and in January I’ll be looking at Ipswitch’s products.

I also started looking at Nagios and Cacti. That’s where the fun-house mirrors start. The first big hurdle is no cost vs. cost. The commercial products mentioned before are rather pricey while Nagios and Cacti are GPL, and open sourced, principally available for no cost.

With PRTG, it was an engaging evaluation. However, I ran into one of the first catch-22’s of network monitoring software: Symantec Endpoint Protection considers network scanning to be provocative, and so the uneducated SEP client blocks the poller because it believes it to be a network scanner. I also ran into a bit of a headache with PRTG as the web client didn’t register changes as I expected. One of the things that I have come to understand about the cost-model network products is that each one of them appears to have a custom approach to licensing. Each company approaches it differently. PRTG is based on individual sensors, Orion is based on buckets, and I can’t readily recall Ipswitch’s design, but I think it was based on nodes.

Many of these products seem to throw darts at the wall when it comes to their features, sometimes hitting and sometimes missing. PRTG was okay, but it created a bumper crop of useless alarms; SolarWinds Orion has an exceptionally annoying network discovery routine; and I haven’t uncorked Ipswitch’s product yet.

I don’t know if I want to pay for this sort of product. Also, it seems that this is one of those arrangements that if I bite on a particular product, I’ll be on a per-year budget cost treadmill for as long as I use the product unless I try the no-cost options.

This project may launch a new blog series, or not, depending on how things turn out. Looking online didn’t pan out very much. There is somewhat of a religious holy war surrounding these products. Some people champion the GPL products; other people push the solution they went with when they first decided on a product. It’s funny but now that I care about the network, I’m coming to the party rather late. At least, I don’t have to worry about the hot slag of “alpha revision software” and much of the provider space seems quite mature.

I really would like anyone who works in the IT industry to please comment with your thoughts and feelings about this category if you have any recommendations or experiences. I’m keenly aware of what I call “show-stopper” issues.