Monday, March 26, 2012

The Secret to Life

From Computer World's Shark Tank Blog
http://blogs.computerworld.com/19786/infinite_loop


Flashback to the 1990s, when this new-to-IT pilot fish is trying to perform a calculation in Visual Basic as part of a database query -- and he's not having much luck getting it to work.
But he has an idea. "I had served on a committee with an older colleague who had betrayed a knowledge of such things and a willingness to help out a neophyte, so I wrote to him with a code sample and explanation of what I was trying to accomplish," fish says.
"After about 30 minutes, a reply came back -- I suspect he hadn't read my email for 25 minutes after I sent it -- and he provided an altered code snippet which, of course, worked perfectly.
"I wrote back to thank him and I asked, 'How do you know all this programming stuff?'
"His reply: 'It's very simple. You make mistakes. You learn from your mistakes. You repeat for 30 years.'
"As I was only 28 years or so behind him, I was much heartened by this statement."

I was really struck by this simple story. One of the reasons I don't play online games with others is the hatred others have for a new player who hasn't learned all the conventions of play. The same is true in industry: veterans often maintain their place by pointing out all the mistakes the new guys make and how useless their training is, because they should already know all this stuff.

The problem is that as we gain experience, we forget what it was like to be a newbie. We are all newbies in one way or another, and veterans in others. As a technician, I deal almost exclusively with people who just don't know computers very well. My clients often apologize for their lack of knowledge, to which my question is almost always "What do/did you do for a living?"

One client replied "I used to build roads and bridges". I have never done that kind of work, and if I found myself on a road crew I wouldn't know the first thing to do. I would be a safety hazard and get in the way of everyone else. BUT as I learned I would become a better teammate, and if a member of the crew took some time to show me how things worked, that learning would be sped up dramatically.

Below is my (slightly edited) comment from that Shark Tank Entry. I think it sums up the key to happiness in any profession:

while (!dead) {
  trySomething(new);
  make(Mistake);
  askForHelp(fromSomeone);
  learnFrom(Mistake);
  teach(someoneElse);
  beHappy(); 

  succeed();
}

Saturday, March 17, 2012

The why's of passwords

WHY is a very important concept. Skilled social engineers know this, and will always give their target a plausible reason for the request they are making, but companies rarely talk about the why of security. They will have policies like this:
  1. All passwords must be a minimum of 8 characters, with at least 1 number, and 1 special character
  2. All passwords must be changed every 90 days.
  3. Passwords cannot be reused
  4. Do not use the names of friends, family, pets, children, grandchildren, or "grand-pets"
These are sensible rules, but in my experience, employees do not like these rules, so they end up with a series of passwords like this:

Muff!n1 Muff!n2 Muff!n3 . . . . 

I have had much more success with compliance with the security rules since I added this bit to the "rules sheet":

These password rules prevent others from gaining access to the system, and can also protect your own personal accounts. If an attacker guesses your password from information you have posted on Facebook, and you reuse that password, they can gain access to ALL of your accounts, including on-line banking, email, and anything you have access to on the company network.
The longer and more varied a password is, the harder it is for someone to guess using brute-force methods. Steve Gibson has created a calculator that estimates how long it would take to crack a password at https://www.grc.com/haystack.htm. Try out a few passwords and see the difference that adding numbers and punctuation makes to the time it would take to break them - and especially the difference that adding more characters makes. Try to get the Massive Cracking Array Scenario (the calculator's fastest case, one hundred trillion guesses per second) over 30 minutes.
Once an attacker has a password, they will sometimes wait a while before using it, just in case you get suspicious and start checking everything. Changing the password regularly combats this problem - a compromised password will not work for very long.
Once I explain the WHY behind my password policies on the networks I manage, there is much less "flak" from employees about having to change their passwords on a regular basis. In fact, I often get asked if the same rules should apply to their other accounts. The rules become more personal.
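The arithmetic behind the Haystack page, as an added example that is not part of the original post and is not Steve Gibson's code: it works out the alphabet implied by the character classes a password uses, the exhaustive search space over every length up to the password's, and the worst-case time at the three guess rates the Haystack page states for its scenarios (one thousand, one hundred billion and one hundred trillion guesses per second). It then adds the thing the calculator does not model: if an earlier password from the Muff!n1, Muff!n2, ... series has leaked, a rule-based attacker recovers the current one in a handful of guesses, so a big search space on its own does not make that series safe. The 33-symbol class (32 punctuation marks plus the space) and the "bump the trailing number" rule are assumptions of this example.

```python
"""Password search space vs. crack time, and why Muff!n1 -> Muff!n2 is weak.

Added example for this post; not the post's own code and not the Haystack
page's code. The three guess rates are the scenarios that page states; the
symbol class of 33 (string.punctuation plus space) is an assumption.
"""
import string
from typing import Optional

# Character classes. An attacker must assume the union of every class present.
SYMBOLS = set(string.punctuation) | {" "}          # 32 marks + space = 33
CLASSES = {
    "lower": set(string.ascii_lowercase),          # 26
    "upper": set(string.ascii_uppercase),          # 26
    "digit": set(string.digits),                   # 10
    "symbol": SYMBOLS,                             # 33
}

# Guesses per second for the Haystack page's three scenarios.
RATES = {
    "online": 1e3,     # throttled online guessing against a live login
    "offline": 1e11,   # offline attack against a stolen hash, fast hardware
    "massive": 1e14,   # "Massive Cracking Array Scenario"
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet implied by the character classes the password uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of strings of length 1..len(password) over that alphabet.

    This is what an exhaustive brute-force attacker enumerates in the worst
    case; it grows by a factor of alphabet_size() for every extra character.
    """
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def crack_seconds(password: str, scenario: str) -> float:
    """Worst-case seconds to exhaust the search space at a scenario's guess rate."""
    return search_space(password) / RATES[scenario]


def rotation_guesses(leaked: str, current: str, max_suffix: int = 999) -> Optional[int]:
    """Guesses a rule-based attacker needs when they hold an older password.

    Models the obvious rule for the Muff!n1, Muff!n2, ... series (assumed
    here): strip the trailing digits from the leaked password and try
    0..max_suffix as the new suffix. Returns the 1-based guess count at
    which `current` is found, or None if the rule does not find it.
    """
    stem = leaked.rstrip(string.digits)
    for i in range(max_suffix + 1):
        if f"{stem}{i}" == current:
            return i + 1
    return None


if __name__ == "__main__":
    for pw in ("muffin", "Muff!n1", "Muff!n1Muff!n1", "correct horse battery"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, space {search_space(pw):.2e}, "
              f"massive array {crack_seconds(pw, 'massive'):.3g} s, "
              f"online {crack_seconds(pw, 'online') / 31_557_600:.3g} years")
    # Search space says Muff!n3 costs as much as Muff!n1; the rule says otherwise.
    print("guesses to turn Muff!n1 into Muff!n3:", rotation_guesses("Muff!n1", "Muff!n3"))
```

Running it shows the two lessons side by side: "Muff!n1" falls to the massive array in under a second while doubling its length pushes the same scenario to many years, and yet "Muff!n3" is found on the fourth guess once "Muff!n1" is known. Search-space size is a floor for blind brute force only; patterned passwords are attacked with rules and word lists, not by exhaustion.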

WHY is such an important concept when it comes to convincing people to do something you want them to do  - even in marriage. Don't just say things like "stop getting your nails done every week for $100". Instead, say things like "If you can do your nails once a month instead, we would have $3600 to pay down our debts. Once the debts are paid off, we can go anywhere in the world we want on vacation every year." In most cases, when people aren't seeing your point of view it's because they don't see the WHY.

Technology is cool, but wetware is critical.



Every so often, you read a story about drivers following their GPS system off a cliff, onto rail tracks, down a dead end, etc. The rest of the Internet know-it-alls then start saying that GPS stinks, you should never use it, compasses only - and that's if they ignore the colour of the driver's hair.

As this CTV report notes, the problem is not with the hardware; a GPS receiver is accurate to within 5 meters under clear skies. The two major issues are the maps supplied to the GPS makers, which by definition are always a bit out of date (roads change and businesses move or close), and the drivers who ignore everything else around them: dead end signs, low bridge alerts, bad roads, as well as little things like, say, the Pacific Ocean.

I have three systems that allow GPS navigation, and I like them all. My car's Nüvi gets me to all my client appointments in Regina even when I've never been to that particular house. The directions are easy to follow (especially with an Australian accent), accurate, and usually quite quick. Whenever I fly out to other cities for work, I bring it with me so that I can navigate around strange cities like a native, always knowing which lane to be in well before the turn-off. It allows me to drive in Toronto - that's saying something. When my wife and I went to Los Angeles, we drove the rental car around LAX, San Diego, Anaheim, and back to LAX without having any problems (well, she drove; I hate driving, and she hates navigating, so it worked out well).

My iPhone also has GPS, and although I can't use it when driving, it works well for the newer areas that the Nüvi doesn't have in its system, since I haven't bothered buying new maps for it. I can put in an address, have it show up, and then I generally know where to go. It eats battery time though, so I don't use it often.

Finally, my Garmin Oregon 400, while not used for navigating my car, has allowed me to find all sorts of geocaches in 5 different countries - it is accurate to within 3 meters. At that point, my eyes and mind take over to find those hidden treasures.

Why don't I have problems with my GPS navigation? Because I don't turn off my brain. It's a lesson I learned the first time I drove in Toronto with it. I told the GPS to take me to the Toronto airport, and it was doing a good job. Then, as I approached an exit labelled with the airport symbol, my GPS told me to keep going straight and ignore the exit. I trusted the GPS. I ended up at the cargo entrance and had to ask for directions at a nearby gas station. I got to the proper spot eventually, but I learned my lesson: highway signs take priority over the Australian girl on the GPS. The next time I was in Toronto, I followed the sign, and after a quick "RECALCULATING" the GPS did take me to the airport.

It's like that with any technology. In an inter-group discussion in class we talked about how people are unable to do simple calculations without a calculator. While I don't expect someone to do 3.54 g / 40.08 g/mol to get 0.0883 mol in a Chemistry lab, you should still be able to do $50 * 1.10 = $55.00 including the tax when at the store. Planning on going hiking in the woods with a GPS? That's fine, but bring extra batteries, and take a course on how to read topo maps and use a compass. Those don't require batteries - in an emergency, you need to be prepared to rescue yourself and do it without batteries.

In other words, don't be this guy....


Tuesday, March 13, 2012

Inoculation

23 Questions with Kevin Mitnick from Hak5

(Skip to 11:15 for the section I'm talking about. The full interview can be found here.)



In our project for CS 280, we had initially intended to do what Kevin Mitnick is doing now: simulating an attack on the employees in a business, so that they could recognize what a social engineering attack looks like. Medical vaccinations work the same way: you give the body a weakened form of a disease so that when the body is infected by the real thing, it can recognize the antigens and mount a strong defense.

The reason behind this is the basic human need to be helpful. Humans evolved as social creatures, where each individual did their best to help the pack. Much of our internal wiring is based on trusting others and helping out, so we do not initially (at least deep down in our guts) set out to distrust others; it is experience that brings out distrust. Think about it: ever been on vacation, handed over your camera, and asked a total stranger to take a picture of you and your significant other? And 9 times out of 10, what is that person's response? Either "Sure. Say Cheese!" or, at most, you will be asked to reciprocate the favour. I've done it myself (both ways) at Grey Cup 2008 in Montreal and when my wife and I went on our cruise in July. People do want to be helpful, and that is not a bad thing.

The problem is when the "bad guys" take advantage of loopholes and short circuits in basic human psychology. As I've said before, the best security products and least-privilege accounts will always fail when the staff are fully willing to hand over the keys to the network. Donuts, coffee, and some flattery (bonus marks if the bad guy even means it) will get you much farther than learning about 0-day hacks, cracks, and weaknesses in the system. Do employees mean to compromise system security? Other than disgruntled employees (what's a gruntled employee anyway?), in most cases they are simply trying to be helpful.

This is where Kevin Mitnick, and other White-hat hackers like him, come in (although due to his past, at best Mitnick could only be called a Grey-Hat). The simulation of social engineering attacks shows three main things to employees:
  1. What a social engineering attack looks like and how to recognize it.
  2. The damage that can be done.
  3. And most importantly, WHY security protocols are the way they are, and how YOU personally can help us protect the network.
This inoculation is vital for companies, and an employee who "fails" the test should actually be considered more valuable to the company. In my opinion, someone who passes the test has a risk of becoming complacent, and may not treat a real attack seriously. Whereas, someone who has failed is much more likely to want to prove themselves to their employer. They will ask more questions, they will know why to ask those questions, and they won't be afraid to ask those questions even to someone claiming to be a police officer or a high ranking executive in the company. 

In one secured building I'm in on a regular basis, even the CEO must show his ID to the security guard, and they actually check the ID. It only takes a few extra seconds, but those few extra seconds are what matters when it comes to security. Asking a visitor to wait a few extra seconds while you verify that they are expected will scare off the social engineer (there are much easier targets out there), but legitimate visitors will often say "No problem", especially if you become a social engineer yourself and offer them a cup of coffee while they wait.



Saturday, March 3, 2012

Patent Trolls

There are three main ways to protect your creative and inventive works. In most cases, the method you use depends on the type of work you have created. Your choices are:
  1. Patents are used for inventions, processes, or improvements on an existing invention. You can get a patent for a "better mousetrap" or for a method for turning mouse bodies into a new energy source. Patents cannot be issued if the method is "obvious to one ordinarily skilled in the art". Also, according to the existing law, patents can be overturned if you can find "prior art". In the IT world, devices can be patented, and so can software.
  2. Copyright is used for creative works like music, fiction, non-fiction, paintings, photographs, sculpture, dramatic performances and other creative works. This is why you cannot legally record a video of a live performance or share copyrighted music with your friends. 
  3. Trade Secrets are only effective as long as you keep the method or recipe secret. Once it is revealed, even inadvertently, you lose all protection. Examples include the recipes for Coca-Cola and KFC's "secret herbs and spices". Nothing prevents someone from using reverse engineering to learn the methods. I remember once creating some fried chicken in my kitchen that tasted almost exactly like KFC. Too bad I didn't really pay much attention to what I used....
Unfortunately, the patent system is busted. Patents are being issued for things that are clearly obvious. For example, the shape of the iPad is patented, it's a rectangle, Amazon has a patent on "One-Click" shopping, 

The other problem, which I will deal with here, is companies (Patent Trolls or Non-Practicing Entities) who buy up as many general and vague patents as they can, with no intention of actually creating a product with them.

For example:

The patent, titled "Automatic message interpretation and routing system," is unsurprisingly general. It was filed in 1998 and awarded to a company called Brightware, Inc. in 2002, and it basically describes an autoresponder. "The method for automatically interpreting an electronic message may also include the step of retrieving one or more predetermined responses corresponding to the interpretation of the electronic message from a repository for automatic delivery to the source," reads the patent.
Polaris accuses Google of "actively inducing infringement" on the patent and contributing to the infringement of others by implementing its own automatic e-mail responder within the company. Amazon, Borders, AOL, and all of the other named defendants are accused of doing the same. "As a result of these Defendants' infringement of the '947 Patent, Polaris has suffered monetary damages in an amount not yet determined, and will continue to suffer damages in the future unless Defendants' infringing activities are enjoined by this Court," reads the complaint seen by Ars Technica.
Patent Trolls increase the cost and slow the pace of development in the IT world because of the expense of dealing with inadvertent patent infringements. In most cases, the business model of the Patent Troll is simply to sue for damages whenever someone infringes on their patent; they do not otherwise produce any product or service. With copyright protection, when software is found to be accidentally too similar, the developer can fix their code easily using different algorithms to solve the same problem. When the problem itself is patented, however, no amount of re-writing the code will make it non-infringing.

One defense against a bad patent is to prove "Prior Art". Farhad Manjoo wrote in Slate about how a company is using crowdsourcing to find prior art to allow its clients to overturn bad patents.


http://www.slate.com/articles/technology/technology/2012/02/article_one_partners_how_a_bunch_of_amateur_sleuths_are_stamping_out_patent_trolls_.html

The problem is that searching for old inventions is really difficult. Patents in the United States are keyword coded and searchable, but they use dense, technical language that makes them difficult to browse through. What’s more, “prior art”—a description of an invention published prior to a particular patent’s filing date—can exist anywhere, not just in a patent database. If I sue you for infringing my patent on an ancient Chinese healing technique, you’d have to look all over China for a description of the technique that was published in days of yore. But how would you know where to begin?
Unfortunately, this means it is still difficult to combat Patent Trolls. So here is my suggestion for reforming Patent Law. I release it into the Public Domain, no patents here:
  1. Software cannot be patentable, only hardware. Firmware is defined as software since it can be updated without replacing any parts.
  2. All issued patents are conditional for 12 months. A company has 12 months of protection to begin producing a product and releasing it to the market.
  3. If a company is producing a product within 12 months, their patent protection continues for the standard duration of the patent.
  4. If, after 12 months, there is no process in place to produce a product, the conditional patent expires. Transferring the patent to another company does not restart the clock.
  5. A company can request a one time, 12 month extension if there are unanticipated glitches that need to be worked out prior to manufacture or sale.
  6. The definition of "Producing a Product" can take many forms:
    • Self-manufacture and sale
    • Subcontracting the manufacturing and/or sale to another firm
    • Licensing the patent to any interested firm, who then manufacture and sell the product
    • Any or all of the above, plus any other arrangement that could be considered production.
However, merely suing infringing companies is not considered "Production". You may sue during the first 12 months, but any damages will be put into escrow until the patent is no longer "Conditional", and the infringing company will be subject to a cease-and-desist order until the end of the 12 month period. If the patent expires due to non-production, the escrow money is returned and the injunction expires. If, however, the patent holder begins production, they get the damage award (plus interest) and the injunction becomes permanent.

The main idea behind this is that patents can still be issued when valid, BUT a company is not allowed to sit on them and use the court system to make all their money. If you cannot monetize your patent yourself, you can still license the patent and make money off the royalties, but you cannot use the legal system to bully others.

This system still allows inventors to profit from their inventions, but explicitly prevents them from simply suing others into oblivion - they must take action to bring their patents to market to justify being awarded damages by the court. If you have no intention of marketing your product, another company is not damaging you by releasing a similar product. Innovative individuals are still rewarded, but innovation itself is not needlessly frozen by legal threats from Non-Producing Entities or Patent Trolls.

Is my idea perfect? Nope. It isn't. So please improve on it.