Dawn of the Bot Hunter

It’s raining and the morning sky is still dark, but the light is slowly shifting from ebony to blue. 

I’m thinking about Blade Runner as I listen to the rain. Harrison Ford narrates my near-future dystopian fantasy as a billion drops per second shower the world. I imagine each drop a malware-loaded bot, a digital armada with greater power than humanity has yet amassed but smaller than an atom, slamming against my firewall.

Good morning, it’s a great day to hunt bots.

The information security company WhiteOps is the genesis of this daydream. Claim to fame: authenticating trillions of online interactions. The service: determine if it’s a bot or not. 

That’s what reminds me of Blade Runner, the Voight-Kampff test from Ridley Scott’s cyberpunk masterpiece. A digital detective tasked with identifying bots imitating humans. Sounds like another way of saying non-human investigations. So spooky and suspenseful, I’m definitely going to need a trench coat.

Detecting and defending against bots isn’t the future. It’s now. These bots are the new tanks and the next-generation super-cyber bombers. Consider how devastating the German U-boats were to the battles in the Atlantic. Bots are cyber-dimensional submarines exploiting the trade routes of the internet. They are electric ideas driven by algorithms with ambitions. And one of their greatest powers is passing as human.

WhiteOps has a position open: Threat Intelligence Investigator. That sounds slick enough to me. If there is an AI that loves me, then there will be a bright and shiny circuit-badge with this gig. Just once, I want to unfold my wallet, flashing my ID, and say, “I’m Investigator Twitchell, this is my partner, we’re looking for some bots that were spotted in the neighborhood.”

I sent in a resume and cover letter a few days ago. Not just because Threat Intelligence Investigator sounds badass, it does, but also because figuring out what is human online is essential.  

If you find my words dramatic, well then don’t read this report on fraud and definitely don’t read this article on the AI-containment problem. And most definitely don’t read this one about Facebook being a Doomsday Machine with 90 million bots lurking around trying to friend the planet to death.

I hope to hear back from WhiteOps, but if not, I’m still going to hunt bots! 

And once I find them, game on. Ding ding goes the boxing-ring bell, let the match begin. In this corner hailing from 3-dimensional space fighting for humanity and weighing in at 170-pounds of bravado and hyperbole, Jay “The Bot Hunter” Twitchell. 

Well, like my grandfather used to say, “If you’re going to fight robots, you need to go to robot fighting school.” So, before my certificate of completion as a Digital Detective (artistic license with title) arrived, I was already signed up for a 4-day SOC analysis course with Black Hills Information Security taught by John Strand. 

SOC is short for Security Operations Center. It’s where the cybersecurity team responds to possible intrusions into the network. Picture a cyber-war room. Kinda like a NASA launch control room, with a two-story wall covered in screens, flashing red and green lights, maps from missile command, and graphs and dashboards keeping the score of the living and the dead. In the heat of it, sweat flowing from every brow, a dozen people furiously typing on keyboards, faces aglow in the wash of screen light, whispering battle commands into their microphones. 

SOC Analyst Level 1...gets that team’s coffee. Everybody’s got to start somewhere. As a coffee-dog and bot spotter, you let the team know about a flashing alarm and then Level 2 and 3 deal with capture, containment, and neutralization. You survey the network like a bushman on the savannah scanning for evidence of predators’ digital scat, dissecting packets, and looking for paw prints of persistent connections in silicon.

Information security is totally hunting the hunter, spy vs spy. Just not the fast cars and jet packs, but instead SQL injections and rootkits. And if you're going to hunt down the enemy, you have to learn how to read the threat landscape and appreciate the tactics. To hunt a fox you must become a fox, yes? You need to know the methods so you can spot the signs that you are being stalked.

John Strand is a great resource for honing cyber-safari skills. John is formerly a SANS Institute instructor (15yrs) and runs BHIS, a cadre of devious cyber ruffians.

A quick summary of the 4-day course:

There is no one product or strategy that is foolproof. Anything, given time and persistence, can be bypassed. The trick is layering the network with enough security gambits that it costs too much time and/or sets off enough alarms that an attack can be prevented or quickly resolved. The idea is to create a layered web. A spider uses more than one string to catch a fly. 

Endpoint analysis and common command-line magic tricks combined with a slew of open-source network monitoring tools and Shazam, you can respond to an incident. Right?   

Hmmm...not so fast. Even a good plan won’t help you if you aren’t used to responding to threats. There are a couple of fun quotes about this,  “Everyone has a plan until they get punched in the face.” and “No battle plan survives meeting the enemy.”

This is why you hire penetration specialist teams like BHIS, and run attack simulations. If you can’t afford that, then attack your own system and test the defenses. Sounds like martial arts to me. Seeing as how I’ve paid professionals to beat me up most of my life, I totally get this principle. When you're getting your ass kicked isn’t the time to discover you're not ready for an ass-kicking. No one has time to think when they are getting pummeled. It takes practice to learn to roll with the punches.

And if you're going to pay someone to cyber punch you, John and his team seem like the right kinda people. 

My takeaway from the 4 days: John is a passionate and generous instructor. The class was pay-what-you-can. So, the cost wasn’t an obstacle for the education. And I’ve rarely seen someone outside of a Pentecostal tent so evangelized about their work. It’s great to see that this field can keep a fire alive in the belly. Borders on inspiring.

My favorite quotes from the course were:

“You don’t get paid for the good days, you get paid for the bad ones.”  

and

“You don’t train until you get it right, you train until you can’t get it wrong!” 

To get your own dose of John, listen to this Darknet Diaries podcast where he shares stories about all kinds of penetration testing. One story involves his mother popping shell on a prison system. Below is the podcast and an article from Wired for the extra curious (it’s totally worth it).

Darknet Diaries - 67: The Big House (google.com)

(Darknet Diaries is my favorite podcast)

How a Hacker's Mom Broke Into a Prison—and the Warden's Computer | WIRED

I signed up for another course in March: Active Defense & Cyber Deception. I also enrolled in BHIS’s Cyber Range where you can build your cyber skills and supposedly compete for a position on the BHIS team. I also bought a t-shirt. I know it’s not quite a trench coat, but it’s a good start for the newest bot hunter on the block. Watch out, robots. I’m coming for you.


Cult of the Dead Cow

Under the flickering lights of our Christmas tree, I wrap presents and think about a system file check of my prefrontal cortex. It’s the part of the brain that modulates social behavior. I want to confirm the hashes on all my psychic attributes because my mind is a swarm of acronyms and random strings of numbers. Once they get in there, it’s not easy to get them out. The numbers I mean. Cryptography has scrambled my axons with my dendrites.

I refocus and find some tape and scissors and while finishing the gifts I think about Santa coming down the chimney as a penetration test. Perimeter check. Santa is the perfect pretense to test our physical security. Going to need a new policy. Nothing like mitigating Christmas.

Certification is now the focus of Bootcamp. No more technical training. Now it’s review and career prep. I am a walking-talking flashcard. I’m in constant dialogue with myself. Me in my head explaining security threats to a panel of enthusiastic me. I’m describing my plan to defend employees against Social Engineering. I look back at me very impressed.

Hanging ornaments, I think of all the holiday cards we got this year, and next thing I know a phishing email begins to type itself out on the screen behind my eyes. A voice whispers in my ear, “Rapport building and framing psychologies create tribal bonds, these are our goals.” I stop myself, take a deep breath, and look around at my family.  

Freeze frame for the postcard moment: Christmas tree, everyone wearing wonderfully hideous Xmas sweaters; my wife has a tiger ornament in her hand; son, headphones on, reaches high above his mother to hang basketball ornament; daughter laughing with her head back and eyes closed, whatever it is it’s so hilarious it hurts. Cats attacking ribbons and bows, rolling in liberally scattered catnip. My tribe. My love. My treasures.

The Muppet Holiday album is playing, I’ve got hot cocoa, and I sink into a deep sense of gratitude. What a crazy ride. I pray everyone is as safe and warm and loved as I am. Happy Holidays. Let’s talk about Joseph Menn’s Cult of the Dead Cow  (CDC). 

Before we jump in, here’s a little background. Academically, there are 5 basic threats in CS: APTs (Advanced Persistent Threats-national interests), criminals (it’s about $), hacktivists (philosophically motivated), pranksters (fun-power), and mistakes (distracted minds).  While Sandworm focused on the history of APTs, CDC focuses on the history of the hacker activist trying to save the internet from itself.

My instructor is fond of saying, “In the beginning, there was no security.” Simply put, the internet’s infrastructure has vulnerabilities. What kind? Well, it’s very technical, so let’s try this. If the internet was a boat, it would be a paper boat headed for the street’s rain run-off drain where the clown from IT is waiting. And if the internet has vulnerabilities, then so do we. Take notice, in that story with the paper boat, we are the little kid chasing the paper boat into the street drain and we are about to reach down into the dark to find sharp teeth.

Similar to It, CDC is the story of a bunch of kids who discover that beneath the normal world there is an underground system stalked by an otherworldly predator. Ok, maybe I’m pushing the comparison. I’ll stop there but if you’re a Stephen King fan at all, you can see how ugly this could get. Let’s try a different tack.

At the dawn of the digital age, the prehistoric version of the internet was built for nerds by nerds to share information. They weren’t worried about anyone listening, cause the idea was to be able to listen or at least hear. The main point was sharing. 

Quick note: Kopimism is an official religion whose faith it is to copy and share information. They believe that information is holy and to share it is to take part in that sacred process. I mention this because sharing on bulletin boards is how CDC was born. It all begins with people sharing ideas through text files and trying to make phone calls on the cheap. But that small (dare say meager or mild) attempt at fan fiction and manifestos might just have saved us all. For now.

CDC is a history lesson of the internet and the people who grew up with it, love it and are afraid of what could happen if our grand experiment goes wrong. Put simply, the Internet of things, IoT, the Web, our phones, every application, and service they provide has not been planned well.

Well, it wasn’t planned at all. It was co-opted. Repurposed. You might even say, hacked. Because now the Internet is actually an ATM. The biggest wealth maker ever seen in the history of humanity. So much wealth we could feed, clothe, shelter, educate, and provide medical care to the entire world. But we don’t. So the CDC has been trying to hack the hack and give us the Internet back. 

I keep using the word hack. Before the Bootcamp what did I know about hackers?

Hackers. The movie War Games introduced me to my first hacker. Remember the 1980’s: VCRs, Miami Vice, John Hughes. Then maybe you recall a young Matthew Broderick almost starting a nuclear war by hacking into a government war simulator. “Would you like to play a game?”

Cult of the Dead Cow is kinda like what would happen if Matthew’s character was actually represented by a dozen or so hackers who grew up with the internet, made it their habitat, learned to forage and hunt, found treasures, discovered pitfalls, and then rushed back to the outside world to warn us of what lurked in the digital forest. There are highwaymen, rickety rope bridges, hidden passages, boobytraps, spies, pirates, swindlers, and more. Oh so much more.

Think IT meets Mr. Robot and the show runs for 50 years.  

You don’t know it yet, but we owe them big. Because while we were sleeping, they held the great glowing neon firewall. They snuck behind the GUI and took a look at the code holding the data-world together. What they learned scared them. They could have said nothing. They could have robbed us blind. Instead, they played David vs Goliath and set about hacking the world. 

They went up against Microsoft, mass media, and terrorists. Along the way, they crafted code, political philosophies, mayhem, and modern-day security analysis. Not all of them are heroes. The truth is complicated. They hacked for good, for fun, for country, and sometimes merely for chaos. They are at times activists, inventors, mercenaries, vigilantes, pranksters, soldiers, spies, and even Presidential hopefuls. Ugly warts and all, CDC doesn't try to hide the flaws of the community. Instead, it gives enough space to let things be as they are and the reader to make their own judgments.

My takeaway: The future is coming and we are going to need a bigger boat.

What do I mean by that? It’s the line from Jaws. That moment when they are chumming the water and Scheider’s character sees the shark for the first time. That’s me after 6 months of CS training. We are going to need a much bigger boat than the paper one we are in now.

That translates into: we need a much broader understanding of what we are dealing with.


Next: Matthew Holland talks about Cyber Security


The Giving Way: Sun Style Tai Chi Notes

The Giving Way

Still mind

Steady feet

Breathe, sink

Time the beats

All doors a trap

Desire the map

Give, facilitate

Occupy the back

Gifts freely given

Cannot be taken

Offered options

Limit choices

Show the way

They want to go

Feeling strong

In a disappearing hand

Extend their range

Let them reach

Make them long

Support what they seek

Corrupt the balance

Change the target

Seeking strength

Opens the gates

Catch them

As they tumble

Stable them

Humble

Striking a gift

Rare, swift

Creating space

Where none exists

Mind Hopeful

Body Supple

Beyond the target

The goal waits


Sapiens and 21 Lessons for the 21st Century

I have this fantasy about creating a Kung Fu Science Fiction High School. The kids would get rigorous physical training 3 hours of the day from master monk-ninjas, and their curriculum would be focused on saving the world from humanity. Yuval Noah Harari’s work would be at the center of their studies.

Yuval should be required reading or listening for those who want to understand the human condition and the complex evolving forces that form this condition. Sapiens covers the history of Homo sapiens and just about every factor that has and still does affect each of us personally and every one of us together as an entire species. It’s not a pretty picture but his sense of humor helps keep things in perspective. By far one of the best books I have ever read covering biology, psychology, sociology, technology, politics, economy, and religion. At the end of the book you find yourself front row and center for the big Now What? Well, in 21 Lessons for the 21st Century, Yuval walks you through the cognitive dissonance of the present and tries to provide a way through the maddening chaos of tomorrow. He asserts there are 3 great dangers we must come to terms with: nuclear war, climate change, and technological disruption. Terrorism, AI, Transhumans…oh my, the Apocalypse is already here, it’s just not equally distributed.

Tai Chi notes: On Power

People seek to be powerful. They seek the feeling of power so they can take, so they can push and not be pushed. Seeking power limits power. Power exists already, you are power. Feeling is power, not feeling of power. If you feel power, you are feeling too much. Somewhere in your body you are holding to feel such a push, such pressure. To feel power is to feel power over, and what are you desiring power over? Yourself? This is a strain. It assumes limits. Real power is the power to give, to hold, to wait, to have no intention but to be present. The abundant mind changes the frame and aligns the body. The spirit of giving is not a weakness, it is a strategic advantage. Giving space comes from abundance, holding ground comes from the ego, which is afraid to give up, which is afraid to lose something it does not have. Control. The Giving advantage allows for movement and stillness.

Something you have to push by definition isn’t meant to be moved. It desires to rest. Using force to change things reduces your energy. I am forcing nothing, I am allowing and filling the empty space. This costs me less energy. You not wanting to move, to hold your space, that is the ego trying to control. This comes at an unnecessary cost in time and energy. Control requires thought, one must devise, design multiple ways to remove resistance. Giving, there is no other strategy, it does many things by doing nothing that does not want to be done. It does not try to move things that do not want to be moved, and it does not try to stop that which needs to move.


You Need a Bigger Cup

 

Clients ask how often they should get massage. My general answer is that getting a massage once a month is very helpful for a number of reasons. How often depends on how intense their activity is.  Are they an athlete, or has their body been through some kind of trauma? But massage functions best as part of a whole program, and is by no means a panacea.

The major function of massage is to place the soft tissues in the optimal state for recovery.  The metaphor I have been using lately, is that massage is the condiment on your therapy sandwich. You need a full physical program that includes range of motion therapy and restorative exercise that counter the physical habits or event that led to imbalance and discomfort. How does the sandwich analogy work with this?

Let's try another analogy. Your body builds up tension all day, like a cup being filled with water. Every time you deal with physical stress (inactivity is physically stressing), or mental stress, your cup fills a little. When you feel pain, that's when the water starts to flow over the top of your cup. Massage helps empty the cup. Yet, it doesn't actually change the cup. Massage makes the cup ready for change. That is, if you get a massage, but don't introduce compensating exercises or movements, then your cup fills up again quickly. However, learning new movements to help train your body to deal with stress increases the size of your cup.

So consider this, coping with stress requires 2 steps: 1) empty your cup 2) build a bigger cup.

 

Coaching Journal # 1: Sparring Yourself

I say, "50% speed," to keep the students from getting hurt. From my right, I hear the snap of a gi sleeve. The noise is an indicator someone is moving way faster than 50%. I turn following the sound and in this case the speed issue is with two new students running into each other and playing slap hands. No technique, no control.

I repeat with emphasis, "I said 50%. Slow it down." And right after a student's spinning heel kick just misses the face of another student. My mind's eye sees the heel crush the cheek bone. Part of me is always ready to call 911 or grab smelling salts. The kicker and the nearly kicked both stop in shock at the near collision and broken facial bones.  Both students look terrified for a second, then smile, bow, and continue as I repeat the direction, "50%!" They move a little slower.

50% is a hard task when someone else is trying to hit you. What does that even mean, 50%? I'm learning to fight, right? Shouldn't I be giving it my all? Absolutely, but what is your all? Speed means nothing without control, so I say to the room, "Breathe. Relax." Some settle in, some keep on doing what they were doing, breathing heavy and fast through their mouths. Some pant, some hold their breath. Some slide around in circles, some hop back and forth, some switch feet looking for their angle. Most are red faced and sweating. All eyes are focused though, bright and intense. Sparring can wear you out fast, but it wakes you up. It makes you pay attention.

"Cover your head." Everyone raises their arms a little more.  One student has his hands opened with the fingers spread wide, as he reaches down to block kicks with his fingers extended. Fingers vs shin? Shin usually wins. I know, so I bark out, "No Fingers."

I totally know about blocking kicks with your fingers. 8 years ago, the middle finger of my left hand tried to block the shin bone of a 6'7, 300 lb black belt's round house kick. His lower leg was the size of my whole arm. As you can guess his shin was not damaged. My finger, well...it turned into the letter Z. Dislocated and probably fractured in a couple places, the finger had accordioned the first and second knuckle, folding it twice. I almost passed out when they yanked it back into place.

So I say, "Fists, not fingers." They dance around kicking and chopping, punching and lunging for a couple more minutes before calling time. They all bow to their partners. Some hug, some shake hands. I give them ten seconds between rounds to find a new partner, “This time lower belt to upper belt, please." Without being asked the upper belts raise their hands to let the lower belts know who to partner with.

There are mostly white uniforms in this class, all the belts are represented though. A few black belts are here to play today as well and I want to make the most out of it. They mingle throwing up their hands looking for their lower belt partners for the next round. There are four women in class and six guys.

One lady is a 2nd degree black belt getting ready for her 3rd degree test. She's fierce. She fights head-on, 3-punch combos and well controlled kicks. She seems like she has an endless amount of energy. I think it helps new women who come to class to see her intensity.  

I say, "Upper belts use only sweeps and takedowns. You must be able to catch your partner. Lower belts pick a form." I point at each in turn and they name off the form they want to use.

They slip in their mouthpieces and check their cups with a little rap of the knuckles and look at me to let me know they are ready. I try to make eye contact with everyone, making sure everyone looks like they're having fun. Some look tired, some frustrated. Nobody looks scared, so I continue, "Bow to your partner, spar carefully."

Sunday at 9:30 AM sparring class. Only bad thing about this class is I don’t get to spar. My job is to teach techniques, create drills, and watch over them to make sure no one gets over-excited. I’m not here teaching them how to fight. This isn’t training for the octagon. This is sparring, not fighting. But sparring can feel like it's fighting. Adrenaline starts flowing fast when someone’s fists are aimed at your head. Blocking and dodging can be harrowing. You can get frustrated and embarrassed easily under these conditions, especially if you want it really bad. And some of these students do. They want it bad. They want to be martial artists.

Today is one of those days a student gets upset. While I'm looking one way I hear the sound of a body hitting the ground. I turn and one student is reaching down to help their partner up. I call an end to the round and walk over to the student who hit the ground. Their eyes are tearing up and they are trying to hold back the waterworks. I'm not sure if it's pain, shock, or embarrassment. I check in. They are a little out of breath, but no broken bones. Yet they still don't want to make eye contact. They walk away head down to change into their street clothes. When class is over and almost everyone else is gone, I ask again if they are okay. The student was still very upset, their eyes not watering, but they are red and they looked emotionally exhausted.

I assume they are embarrassed more than hurt and tell the student to not worry about the crying. “Go ahead and let that shit out." They nod, but don't say much and they leave quietly. I remain concerned that I haven’t properly addressed the issue. Thinking on it there were so many things I wanted to offer them, but didn't.

1- don’t get upset about getting upset. If you could have stopped the emotion you would have.

2- whatever emotion you feel like you are having; actually it is having you. Once the chemicals kick in, you are going to feel what you feel. That’s not your fault. Give yourself a break and feel what's going on w/out judging yourself.

3- all emotions pass. The main point is you get in touch with yourself and become more aware of your desire to improve. That means making mistakes is necessary. Learn to love them.

4- frequency with intense emotional states creates familiarity with the emotions and reduces their power. As long as you are aware of them as rising and falling states and not wholesale estimates of who you are.  Get in the ring with your emotions as often as you can.

5- tough experiences help us discover our hidden reserves and deeper knowledge of what we can handle. 

 

Breathing Meditation

Meditation

Focus on the speed of your breath. Without trying to change your natural breath, count the length of inhale and exhale. You will find it slows as your attention to it increases. Once you feel you are breathing naturally, calmly and slowly build on your breath trying to put one second extra in each exchange. This exercise of the diaphragm stretches and squeezes the internal organs. Let the breath inform you of your internal state.

Become aware of your heart beat pushing against your chest. Feel it pumping blood into the large muscles of your body. Slowing your breath, inhale and scan your back, chest, arms, and legs. Feel for their connections, where they begin and end. Feel the weight of the muscles. Feel the stretching tension created at the joints as you inhale. Your ribs should be inflating, stretching the muscles of your neck and back. Assess your shoulders, knees, elbows, wrists, and ankles as you exhale. Allow that tension to sink down through you into earth. Inhale and lengthen your spine.

Bend your knees slightly as you exhale and feel the fascia connecting everything together. The fascia wraps around and webs through you, encasing organs, tendons, ligaments, and bones. These tissues hold you together. Breathe and feel the body expand and contract as a whole, fascia connecting muscle, tendon, ligaments, and organs.

Breathe into the long bones of the arms and legs. Lengthen between each vertebra of the spine up to the skull. Imagine the bones of your skull, expanding and contracting, along with the bones in your hands and feet. Feel the bones that support you as you breathe. Register the weight hanging on the scaffolding of your bones, from heel to crown, each breath reverberates through the skeleton.

Inhale and feel your skin stretch and contract around your body. Breathe and feel the weight of the air on your skin. Feel the temperature of the room. Exhale and reach out through every hair to feel the world around you. Feel the air settle around you, the environment subtly pushing on you, air pressure, moisture. Be aware of gravity pulling you into the earth.

Exhale and send your attention to the distal parts of your body. Your eyelashes, toe nails, finger tips, the thin lens over your eyes. Breathe and fill your muscles, ligaments, tendons, fascia, bones, and skin with oxygen enriched blood. Each breath stretching and moving your organs, pulling and pushing, contracting, and expanding fluids through your body.

Rushing through your tissues, blood and lymph pump thru you with each heartbeat, each breath. With each breath you take in oxygen in exchange for the CO2, delivering energy and releasing toxins. Drawing in and expelling molecules. Each breath polarizing every atom in the body.