bootcamp

Cult of the Dead Cow

Under the flickering lights of our Christmas tree, I wrap presents and think about a system file check of my prefrontal cortex. It’s the part of the brain that modulates social behavior. I want to confirm the hashes on all my psychic attributes because my mind is a swarm of acronyms and random strings of numbers. Once they get in there, it’s not easy to get them out. The numbers I mean. Cryptography has scrambled my axons with my dendrites.

I refocus and find some tape and scissors and while finishing the gifts I think about Santa coming down the chimney as a penetration test. Perimeter check. Santa is the perfect pretense to test our physical security. Going to need a new policy. Nothing like mitigating Christmas.

Certification is now the focus of Bootcamp. No more technical training. Now it’s review and career prep. I am a walking-talking flashcard. I’m in constant dialogue with myself. Me in my head explaining security threats to a panel of enthusiastic me. I’m describing my plan to defend employees against Social Engineering. I look back at me very impressed.

Hanging ornaments, I think of all the holiday cards we got this year, and next thing I know a phishing email begins to type itself out on the screen behind my eyes. A voice whispers in my ear, “Rapport building and framing psychologies create tribal bonds, these are our goals.” I stop myself, take a deep breath, and look around at my family.  

Freeze frame for the postcard moment: Christmas tree, everyone wearing wonderfully hideous Xmas sweaters; my wife has a tiger ornament in her hand; son, headphones on, reaches high above his mother to hang basketball ornament; daughter laughing with her head back and eyes closed, whatever it is it’s so hilarious it hurts. Cats attacking ribbons and bows, rolling in liberally scattered catnip. My tribe. My love. My treasures.

The Muppet Holiday album is playing, I’ve got hot cocoa, and I sink into a deep sense of gratitude. What a crazy ride. I pray everyone is as safe and warm and loved as I am. Happy Holidays. Let’s talk about Joseph Menn’s Cult of the Dead Cow  (CDC). 

Before we jump in, here’s a little background. Academically, there are 5 basic threats in CS: APTs (Advanced Persistent Threats-national interests), criminals (it’s about $), hacktivists (philosophically motivated), pranksters (fun-power), and mistakes (distracted minds).  While Sandworm focused on the history of APTs, CDC focuses on the history of the hacker activist trying to save the internet from itself.

My instructor is fond of saying, “In the beginning, there was no security.” Simply put, the internet’s infrastructure has vulnerabilities. What kind? Well, it’s very technical, so let’s try this. If the internet was a boat, it would be a paper boat headed for the street’s rain run-off drain where the clown from IT is waiting. And if the internet has vulnerabilities, then so do we. Take notice, in that story with the paper boat, we are the little kid chasing the paper boat into the street drain and we are about to reach down into the dark to find sharp teeth.

Similar to It, CDC is the story of a bunch of kids who discover that beneath the normal world there is an underground system stalked by an otherworldly predator. Ok, maybe I’m pushing the comparison. I’ll stop there but if you’re a Stephen King fan at all, you can see how ugly this could get. Let’s try a different tack.

At the dawn of the digital age, the prehistoric version of the internet was built for nerds by nerds to share information. They weren’t worried about anyone listening, cause the idea was to be able to listen or at least hear. The main point was sharing. 

Quick note: Kopimism is an official religion whose faith it is to copy and share information. They believe that information is holy and to share it is to take part in that sacred process. I mention this because sharing on bulletin boards is how CDC was born. It all begins with people sharing ideas through text files and trying to make phone calls on the cheap. But that small (dare say meager or mild) attempt at fan fiction and manifestos might just have saved us all. For now.

CDC is a history lesson of the internet and the people who grew up with it, love it and are afraid of what could happen if our grand experiment goes wrong. Put simply, the Internet of things, IoT, the Web, our phones, every application, and service they provide has not been planned well.

Well, it wasn’t planned at all. It was co-opted. Repurposed. You might even say, hacked. Because now the Internet is actually an ATM. The biggest wealth maker ever seen in the history of humanity. So much wealth we could feed, clothe, shelter, educate, and provide medical care to the entire world. But we don’t. So the CDC has been trying to hack the hack and give us the Internet back. 

I keep using the word hack. Before the Bootcamp what did I know about hackers?

Hackers. The movie War Games introduced me to my first hacker. Remember the 1980’s: VCRs, Miami Vice, John Hughes. Then maybe you recall a young Matthew Broderick almost starting a nuclear war by hacking into a government war simulator. “Would you like to play a game?”

Cult of the Dead Cow is kinda like what would happen if Matthew’s character was actually represented by a dozen or so hackers who grew up with the internet, made it their habitat, learned to forage and hunt, found treasures, discovered pitfalls, and then rushed back to the outside world to warn us of what lurked in the digital forest. There are highwaymen, rickety rope bridges, hidden passages, boobytraps, spies, pirates, swindlers, and more. Oh so much more.

Think IT meets Mr. Robot and the show runs for 50 years.  

You don’t know it yet, but we owe them big. Because while we were sleeping, they held the great glowing neon firewall. They snuck behind the GUI and took a look at the code holding the data-world together. What they learned scared them. They could have said nothing. They could have robbed us blind. Instead, they played David vs Goliath and set about hacking the world. 

They went up against Microsoft, mass media, and terrorists. Along the way, they crafted code, political philosophies, mayhem, and modern-day security analysis. Not all of them are heroes. The truth is complicated. They hacked for good, for fun, for country, and sometimes merely for chaos. They are at times activists, inventors, mercenaries, vigilantes, pranksters, soldiers, spies, and even Presidential hopefuls. Ugly warts and all, CDC doesn't try to hide the flaws of the community. Instead, it gives enough space to let things be as they are and for the reader to make their own judgments.

My takeaway: The future is coming and we are going to need a bigger boat.

What do I mean by that? It’s the line from Jaws. That moment when they are chumming the water and Scheider’s character sees the shark for the first time. That’s me after 6 months of CS training. We are going to need a much bigger boat than the paper one we are in now.

That translates into: we need a much broader understanding of what we are dealing with.


Next: Matthew Holland talks about Cyber Security


Sandworm

The SolarWinds hack is all over the news. How bad is it? Hmmm. Say you’re at the grocery store and some random person walks up to you, hands you an envelope, and then walks away. You open that envelope and inside is a picture of your young child asleep at night taken from inside your child’s room. There is a timestamp at the top of the picture. According to the time and date, this picture was taken last night. Someone snuck into your house and took that picture while you were there. They could still be there. I’m simplifying things of course, but you get the picture.

Sandworm is an excellent history primer for current events. But before we chat about the present, let’s take a stroll back in time. A time just a little while ago that already feels eons past. And answer the question: why did I get into cybersecurity?

End of Summer 2020, Portland, amidst other trials, suffered from the forest fire smoke. On the radio, NPR reported the air was toxic. Those traveling from homes for necessities were specters in an ochre haze. All of us foragers under a road-rash sky. The sun a blood-orange orb dragged across heaven into the howling darkness of night where megaphones and sirens sounded across the river coming from the protests at the Federal Court House. The civil rights activism hadn’t let up for months. The news reported the feds responded with tear gas, rubber bullets, and unmarked vans snatching people off the streets.  

Things looked bleak when I started Bootcamp. And it wasn’t just Portland. Much of the world seemed on fire and headed to hell as well. Honestly, the whole planet was feeling a wee bit dystopian. I made a mental apocalyptic checklist: Global pandemic (check), financial crisis (check), social unrest (check), runaway wildfires (check), and expanding authoritarian rule (check, double-check).  

Part of me wanted to believe that things really couldn’t get worse. After a run of bad luck the world was going to get a break, right? Ummm…not likely. In fact, I felt we were actually on a break and things were going to get weirder. But I am biased.

Quick insight about me. I grew up in the South with Christian narratives of many interesting persuasions. The most mentally potent versions blended Pentecostal absolutism, evangelical exaltations, and rapture debates. Yes, there were rapture debates. As a senior in high school, I worked at a Christian radio station. My role was to review and identify possible links between biblical prophecy and international events in the news. These “threat assessments” were for a news report designed to inform those concerned with calibrating their rapture clocks. I was entrenched, mind and soul for a long time. It’s the kinda thing that sticks with you.

So, that End-Time part of my mind had the sneaky suspicion things could easily get tougher, weirder, or just plain worse. If there was anything I learned in the sweet arms of the church it was that there is always enough room to fit the devil.  

My faith was renewed by the patron saint of cyberpunk, Sir Mr. William Gibson. Since starting school, when I slept, Neuromancer danced in my dreams. Why cybersecurity? Because if I’m going to be stuck sitting on my ass in front of a screen watching the world burn and crumble, then I damn well need to figure out a way to interact rather than eating popcorn and binge-watching movies about the end of the world. Look out your window. It’s surreal for real.

How do you handle the end of the world? Get a new job, and I needed something amazing to do. Something that offered a sense of control. Maybe even a little bit of agency. Something that I can do to make my family and friends safer without buying a gun.

With cybersecurity, I imagined, I could punch people on the other side of the planet with a digital fist. It was/is energizing to be in school again. Juiced! My brain feels like it’s on steroids. The metaphor is literal. When I flip open my laptop it feels like I am going to train at the martial arts school. I mean you are learning how to fight with a keyboard. Dare I say Kung-fu Console training.

Anyway, it felt like the world was getting kicked around and I could hear the ghost of 80’s heroes calling to me. In the back of my head, the opening phrase to the Last Starfighter video game was looping: “Greetings, Starfighter. You have been recruited by the Star League to defend the frontier against Xur and the Ko-Dan armada.” (My wife thinks I should mention this to my therapist). I know I’m not really saving the world. But who knows, there’s time left yet.

To expand my understanding of the cyber-landscape in which I dream of doing battle I read Sandworm.

The title is from Frank Herbert’s Dune. Dune is a science fiction novel from the late 1950’s.  I studied the book as part of a focus on messiah narratives in science fiction. Loved it. David Lynch made a movie of Dune in the 80’s and a remake is scheduled next year by Denis Villeneuve (directed Arrival and 2049, the Blade Runner sequel).  

Sandworm references the leviathan worms that rule the desert planet known as Dune. And for our cyber history purposes, it represents a group that is responsible for possibly the most costly cyberattack to date.

Sandworm is riveting. Who are the good guys and bad guys? It’s murky. But one thing is for sure, nerds rule the world now. Maybe they have ever since Oppenheimer, but these nerds aren’t splitting atoms, they are creating code, combining with Python, and developing whole new paradigms without making people evaporate inside of nuclear clouds.

First, this is a story of nations hacking nations. From there it gets complicated fast. A couple of disclaimers about the book. If you are paranoid at all, do not read this book. If you have a hard time getting to sleep because you wonder about government and shadow governments, do not read this book. If you wanna have a whole bunch of reasons why you should learn as much about cybersecurity as possible, do read this book. Your country may need you.

Let’s look at the broad strokes: 

1) In general, it would appear every nation is spying on every other nation as much as they (or we) can get away with. Anyone who has the power to listen is. Some nations are doing more than just listening, they are analyzing and influencing. But honestly (sarcasm),  most of this shouldn’t bother us since we signed away our privacy by using social media. Oops. No judgment, I’m included on that list.

2) Now little guys, countries with tiny little armies, who could never win a toe-to-toe can get digital leverage by hiring or training a few hundred evil nerds to hack. You don’t need all the overhead anymore when you can create an army of a trillion bots made out of people’s smart fridges. A revolution with crushed ice.

3) Arguably the most immediate danger is industrial sabotage, causing catastrophic failure to highly sensitive and critical structures. Like, say, power grids. There has been evidence of intrusion into these systems for some time, well before SolarWinds. No one has made a move but everyone is wondering who is going to push the button first.

4) The US government has a plethora of smart people working for them (probably the smartest people ever assembled in history) and, historically speaking, they/we might have a little “Han Solo shot first” issue as far as technological warfare goes. It all depends on how you look at it. 

5) Spoiler: Russia is Sandworm and has been (and probably still is) digitally terrorizing Ukraine. Ukraine is target practice for destabilizing the EU.

Ukraine is where Sandworm cut its digital teeth, but they were just breadsticks before the buffet. Now with the SolarWinds breach, Russia is done looking at the menu and ready to order the all-you-can-eat-data-plan meal. In this particular case we are really worried they have seen all our secret recipes and now they can make better fried chicken than we can. That would be my no-jargon way of describing it.

Not to worry though, Russia isn’t trying to make better chicken/take over the world. Running a world is way too difficult. They just want to cripple all global authority structures and do backstrokes in a wave-pool of political chaos. 

6) There are many private players who hold the proverbial Firewall. Everyday hackers are keeping an eye on the electrical-wire of things and companies with good hearts and good intentions are trying to protect us physically and digitally. And then there are mercenaries and institutions that are actively disrupting and disturbing the minds and hearts of citizens around the world with an array of hacking methods.

7) It is very difficult to tell who is doing what.

8) Basically, world war has already broken out and is being fought online. It’s a battle for data that every nation and corporation in the world is playing. Make no mistake, this isn’t a game. It is war, just a new kind. Fewer bullets, but lives are still on the line. When you shut down the electricity to a hospital, people die (particularly in the middle of a pandemic). Unlike past wars fought for territory and material resources, this war is all about controlling information and obscuring perception.

To win this war, you don’t need to defeat your adversary, you just need to distract and confuse them. Erode trust, destroy certainty, and you nurture unrest. Why is unrest the goal? It’s a whole lot easier to sneak in and rob a bank (or a government) when the cops are busy dealing with protesters outside.

Next, enough government nation-states, it’s time for the hacktivist. It’s time for you to discover the Cult of the Dead Cow.

Hello Cybersecurity World

The world has changed. In the face of Covid, the ensuing shutdowns, and social distancing, I’ve made a change as well. I’ve been an in-person kinda guy all my life. Massage is literally a hands-on job. Martial arts also involves a fair amount of physical back and forth with another person. Since working face to face with people isn’t as easy anymore, I decided to retrain myself and transfer my skillset into another field of expertise. I landed on cybersecurity.

Just before Covid, I was working my way through a JavaScript tutorial and dabbling in some Python when I came across a bug bounty video. The process of hunting down flaws in programs and networks hooked me. I couldn’t follow the particulars to save my life, but the process was thrilling: recon, identify vulnerability, exploit, entry, cripple, exit.

It struck me how similar this was to my pain management system. Pain management is about understanding flaws in the system and building programs to improve resilience. And martial arts is the study of conflict strategies. Thus, when the world shut down, I dove into a VM rabbit hole and enrolled in the University of Oregon’s Cybersecurity 6-month Bootcamp. 

I had found a way to continue identifying weak points, building up hardened systems, and fighting bad guys.

In Bootcamp, everything is remote and we (my 15-person cohort) were thrown into the deep end of the digital pool immediately. You get a machine and you load it up on your own, and then go. You better be able to follow directions, even if you don’t know which way you are going or where you are. I have been three virtual machines deep and unsure of what window I was in because my cursor was lost between interfaces.

It’s impossible to describe concisely how much material we have covered in so little time. It can break a brain. Neural networks can only take so much. I have had some serious cerebral-buffer overflow issues.

I’ve heard Bootcamp experiences described as learning by firehose. I agree and at times this has even felt a little more like learning by flame thrower. I would recommend this program if you don’t mind feeling overwhelmed. 

Many nights, my mind melted from being on the command line trying to grep answers. 40-hrs a week studying just to keep up with each new offensive, defensive, or forensic application that is introduced. I tried short cuts that were long ways back to the beginning to do it all over again and again. My rig crashed, looped, rebooted, and eventually fried its battery. I learned to live in the glow of at least three screens at all times. It’s like playing missile command but they are checking for good grammar as well as your strategic aptitude.

Supposedly speaking another language in your dreams is good evidence the language is really settling in. A move toward unconscious competence. Asleep, I find myself searching for the password to my dreams, unaware I am already asleep.  It would appear my subconscious is concerned with the abstract syntax of a deeper logic. It’s trying to hack its own psychic login and get root access.  Data denied the waking me, the user.  Am I running hot or just getting warmed up? Not sure, but I am totally fascinated.

Why cybersecurity? I have thought about it and there are a whole bunch of answers. OMG, have you heard of Nerdcore? There are so many answers that I can’t put them all in this post. The next few posts should really start to give a fuller picture. 

That said, one of my favorite responses to “why cybersecurity?” is found in an analysis of three movies: Blade Runner, Tron, & The Matrix.

You didn’t think this could get any dorkier, did you? Grab your favorite nerd, cause it gets so much dorkier. But I digress.  Why these three movies? Long story short, they explore the perils of accelerated technological growth and the consequence to humanity.

Why cybersecurity? Because I like big ideas and what’s bigger than the transformation of humanity? Wait, but what does cybersecurity have to do with the transformation of humanity? Well, I’m glad you asked.

I will be exploring just that. In the simplest sense, cybersecurity patrols the infrastructure that makes the information-world work. Every electronic communication, bank account transfer, social media post, email, link, app, and/or website/game. None of it works without cybersecurity.

Next: Sandworm