Book review: Who Will Accompany You by Meg Stafford

Who Will Accompany You?: My Mother-Daughter Journeys Far from Home and Close to the Heart

This book recounts a mother’s separate travels with her two daughters: one visits Nepal and Bhutan, the other Colombia. The two kids take the trips for specific reasons: to learn about total happiness and to work for an NGO that is helping with war-torn conflicts. The travels are enlightening for all parties concerned and are what Meg Stafford — who has written a regular column for years — describes as an ongoing kaleidoscope of learning together with her daughters. She is a therapist, so her work of listening to and analyzing people comes through quite loudly in this memoir.

The travels aren’t your usual tourist romps through colorful foreign lands, but offer real insights into both the people they encounter along the way and the lessons they have learned about themselves and their own family relationships. “The more we know ourselves, the easier it is to connect with others, and the more connected we are with them,” she writes.

Regarding happiness, “the best way to predict it is to follow the example of someone who is currently where you will be in the future.”

There is also a lot about problem-solving: “Everything depends on how you use your mind. The way to solve the problems in your life is to open your heart to others.”

And this insight: “Parents cannot eliminate risk. We can shore up our children so that when they encounter it they can make better and more informed choices.”

The women learn that tragedy is the same in any language, but humor doesn’t translate so easily, and there are lots of moments across this spectrum.

The title comes from answering the question about who we will accompany, not just in physical travel across the world but across our life. “We cannot always know but we can hold them close when they are near, so we can still hold them when they are far with arms outstretched.”

For those who enjoy memoirs and appreciate travel, this is a very appealing book.

Red Cross blog: Jim Gallagher and Hurricane Ian’s response

What skill does a retired journalist have in common with an American Red Cross disaster action team volunteer? This is not a rhetorical question: the two jobs both require you to listen to people carefully and be empathetic to their needs. This is the story of Jim Gallagher, who spent more than 27 years working for the St. Louis Post-Dispatch, mainly as a business reporter. “As a reporter you want to get people to open up to you, but that same skill in listening to people certainly helps when you are deployed. In both circumstances, you have to project sympathy,” he said. Both he and his wife have volunteered on a number of deployments. He responded to the aftermath of Hurricane Ian in central Florida last fall. Both helped out with those displaced by the California wildfires and helped ease the transition of unaccompanied minors crossing the southern border in 2021. In addition to their Red Cross activities, they also volunteer at a local food bank regularly.

You can read more about Jim and his volunteer activities on the Red Cross blog here.

Disinformation mercenaries for hire

In the past week I have seen a number of reports that range from unsettling to depressing. The reports document a three-pronged foundation of the darkest parts of the online world: disinformation, cyber-terrorism, and the difficulty in trying to craft better legal approaches to stop both.

Let’s start with the disinformation. A consortium of journalists from around the world wrote about a team of Israeli contractors (called “Team Jorge”) who claim to have covertly influenced more than 30 elections and placed stories to help improve the online reputations of numerous private business clients around the world. They did this by using hacking, sabotage and automated disinformation tools. Call it disinformation-mercenaries-for-hire. If this sounds familiar, it is another news product from the French-based ForbiddenStories group that broke the series of Pegasus-related stories back in the summer of 2021 that I have written about for Avast here. The group labels this effort “Story Killers” and you can read the various pieces here.

What is depressing is how adept this industry has become: by comparison, the Russian Internet Research Agency’s antics in meddling with our 2016 election look crude and mere child’s play. The reporters uncovered a wide-ranging collection of automated tools to quickly create hundreds of fake social media accounts and generate all kinds of fake posts that are then amplified by the social networks and search engines. “We must be able to recount the life of the characters, their past, their personality,” said one mercenary. “When it’s a small agency, it’s done in a rather sloppy way. If it’s well done, it’s the Israelis.”

The Israeli company behind these operations has a wide array of services, including digital surveillance, hack-and-leak smear campaigns, influence operations, and election interference and suppression. They claim to have operated for a decade.

One of the consortium partners is The Guardian, and they document one of these automated systems that is used to manage a collection of social media avatars. Called AIMS, it allows some 30,000 seemingly real accounts to be created for nonexistent people and managed centrally. These can then be deployed either as a swarm – similar to a network of bots – or as single agents. Other tools are described in this piece by Haaretz.

The disinformation mercenaries sold access to their software to various national intelligence agencies, political parties and corporate clients interested in trying to resolve business disputes. Accounts span Twitter, LinkedIn, Facebook, Telegram, Airbnb, Gmail, Instagram and YouTube. Some of the identities even have Amazon accounts with credit cards and bitcoin wallets. All of this was leveraged to stage real-world events in order to provide ammunition for social media campaigns to provoke outrage.

Let’s move on to the cyberterrorism effort. Speaking of the Russians, also released this week are two reports from the Atlantic Council, a DC-based think tank that has studied the disinformation war the Russians have waged against Ukraine. (To be clear, this is completely independent of the Story Killers effort.) It is also depressing news because you realize that unlike an actual shooting war, there is never any time when you can claim victory. The totality, scope and power of this vast collection of fake news stories, phony government documents, deep fake videos and other digital effluvia is staggering and is being used by the Russians to convince both their own citizens and the rest of the world of Putin’s agenda.

And something else to worry about with the war comes from one final report, this one from Dutch intelligence services that was covered here. The report says, “Before and during the war, Russian intelligence and security services engaged in widespread digital espionage, sabotage and influencing against Ukraine and NATO allies. The sustained and very high pressure that Russia exerts with this requires constant vigilance from Ukrainian and Western defenders.”

Taken together, you can see that disinformation has become weaponized in both the public and private sector. So what can be done? Cue up part three, which is trying to craft better laws to control these actions. Coincidentally, the US Supreme Court heard two cases that have been moving through our judicial system, Gonzalez v. Google and Twitter v. Taamneh. Both cases involve ISIS attacks. The former involves the 2015 murder in Paris of the 23-year-old American student Nohemi Gonzalez, which I wrote about in a blog for Avast last fall. The latter involves the 2017 death of Nawras Alassaf in Istanbul. The first case directly involves the Section 230 statutes, the latter the various sections of the anti-terrorism act. Both were laws passed in the mid-1990s, when the internet was young and by comparison innocent.

You can read the transcriptions of the court’s oral arguments for Gonzalez here. The oral arguments transcript for Twitter is found here. I have taken the time to read them and if you are interested in my further thoughts, email me directly or post your questions here. Making effective changes to both laws won’t be easy without drastic consequences for how online companies run their businesses, and how we legitimately use them. And that is the lesson from reading all these reports: as long as the bad guys can figure out ways to exploit these technologies, we will have to deal with some dire consequences.

CSOonline: What is the Traffic Light Protocol and how it works to share threat data

Traffic Light Protocol (TLP) was created to facilitate greater sharing of potentially sensitive threat information within an organization or business and to enable more effective collaboration among security defenders, system administrators, security managers and researchers. In this piece for CSOonline, I explain the origins of the protocol, how it is used by defenders, and what IT and security managers should do to make use of it in their daily operations.

Wreaking Havoc on cybersecurity

A new malware method has been identified by cybersecurity researchers. While it hasn’t yet been widely used, it is causing some concern. Ironically, it has been named Havoc.

Why worry about it if it is a niche case? Because of the sophistication of its methods and the collection of tools and techniques (shown in the diagram above from ZScaler) that it uses. It doesn’t bode well for the digital world. Right now it has been observed targeting government networks.

Havoc is a command and control (C2) framework, meaning that it is used to control the progress of an attack. There are several C2 frameworks that are used by bad actors, including Manjusaka, Covenant, Merlin, Empire and the commercial Cobalt Strike (this last one is used by both attackers and red team researchers). Havoc is able to bypass the most current version of Windows 11 Defender (at least until Microsoft figures out the problem, then releases a patch, then gets us to install it). It is also able to employ various evasion and obfuscation techniques.

One reason for concern is how it works. Researchers at Reversing Labs “do not believe it poses any risk to development organizations at this point. However, its discovery underscores the growing risk of malicious packages lurking in open source repositories like npm, PyPi and GitHub.” Translated into English, this means that Havoc could become the basis of future software supply chain attacks.

In addition, the malware disables the Event Tracing for Windows (ETW) process. ETW is used to log various events, so turning it off is another way for the malware to hide its presence. The process can legitimately be turned on or off as needed for debugging operations, so this action by itself isn’t suspicious.

One of the common techniques is for the malware to go to sleep once it reaches a potential target PC. This makes it harder to detect, because defender teams can perhaps track when some malware entered their system but don’t necessarily notice when it wakes up to do further work. Another obfuscation technique is to hide or otherwise encrypt its source code. For proprietary applications, this is to be expected, but for open-source apps the underlying code should be easily viewable. However, this last technique is bare bones, according to the researchers, and easily found. The open source packages that were initially infected with Havoc have been subsequently cleansed (at least for now). Still, it is an appropriate warning for software devops groups to remain vigilant and to be on the lookout for supply chain irregularities.

One way this is being done is called static code analysis, where the code in question is run through various parsing algorithms to check for errors without executing it. What is new is using ChatGPT-like products to do the analysis for you, and here is one paper that shows how it was used to find code defects. While the AI caught 85 vulnerabilities in 129 sample files (what the author said was “shockingly good”), it isn’t perfect and is more a complement to human code review and traditional code analysis tools.

25 years of ecommerce

In today’s post, I look back on the developments of ecommerce and my role in covering this technology. I was recently reminded of this history after writing last week about Paypal — this motivated one of you to recall events that happened in the early 2000s, back when the “internet bubble” was rising and then bursting.

I last took a long look back at ecommerce in 2014 with this blog post. In it I highlighted a series of other works:

While the web came of age in the 1990s, it took a while for ecommerce to get into gear. The technologies were bare-bones: back then, you could learn basic HTML coding in a couple of days and easily put together a static series of web pages. The key operative words in that sentence were “static” and “basic.” The 1990s era of HTML was waiting for the language to catch up with what we wanted to do with it, but eventually the standards process got there. The real stumbling block was making a site dynamic and being able to support online inventories that were accurate, checkout pages that were secure, and having access to software interfaces that were pretty crude and simplistic. All of that required other tools outside of HTML, which is somewhat ironic. Now if you look at the code behind the average webpage, it is almost impossible to parse its logic at first glance.

Yet, here we are today with ecommerce being a very sophisticated beast. HTML is no longer as important as the accompanying and supporting constellation of web programming languages and development frameworks that require lots of study to be competent and useful. Connecting various databases and using a web front-end is both easier and more complex: the APIs are richer, but how they are implemented will require a deft touch to pull off successfully. Payment processing has numerous vendors that occupy sub-markets. (Stripe, Bill.com, and Klarna are three such examples of companies that are all involved in payments but have taken different pieces of the market.)

You might not have heard about Klarna: they are one of more than a dozen “buy now, pay later” services that pop up at checkout. No purchase is too small to be spread across a payment plan. Back in the pre-internet times, we had layaway plans that had one important aspect: you didn’t get the item until you completely paid for it. Now items arrive in days, but attached to a stream of loan payments stretching out several months. The downside is that there are potential late fees and 30% annualized interest charges too.

And then there are Amazon and Google. The former has both made it easier and more complex to do online shopping. It used to be both free and easy to return merchandise purchased on Amazon. Now it is neither. If you don’t pay attention when you are purchasing something, you could end up using one of their contract sellers, which complicates the returns process. And the cost of Prime continues to climb.

Google’s Lens technology has also transformed online shopping. If you have a picture of what you want to buy, you can quickly view what websites are selling the product with a couple of clicks on any Android or iPhone. My interior designer wife uses this tech all the time for her clients.

Before I go, I want to mention that Cris Thomas, known by his hacker handle Space Rogue, has a new book out that chronicles his rise into infosec security, including his time as one of the founders of the hacking collective L0pht. Its early days were wild by today’s standards: the members would often prowl the streets of Boston and dumpster dive in search of used computer parts. They would then clean them up and sell them at the monthly MIT electronics flea market. Dead hard drives were one of their specialties — “guaranteed to be dead or your money back if you could get them working.” None of their customers took them up on this offer, however. There are other chapters about the purchase of L0pht by @stake and Thomas’ eventual firing from the company, then taking eight years to get a college degree at age 40, along with the temporary rebirth of the Hacker News Network and going to work for Tenable and now at IBM. I review the book in this post, and highly recommend it if you are looking at reliving those early infosec days.

Book review: The exploits of Space Rogue (Cris Thomas)

Space Rogue: How the Hackers Known As L0pht Changed the World by Cris Thomas

The hacker Cris Thomas, known by his hacker handle Space Rogue, has a new book out that chronicles his rise into infosec security. I interviewed him when I was writing for IBM’s Security Intelligence blog about his exploits. IBM’s X-Force has been his employer for many years now, where he works for numerous corporate clients, plying the tools and techniques he refined when he was one of the founding members of the hacking collective L0pht.

My story covered his return visit to testify to Congress in 2018. Thomas and his colleagues originally testified there back in 1998. The book’s cover art shows this pivotal moment, along with the hacker handles shown as nameplates. The story of how this meeting came to pass is one of the book’s more interesting chapters, and the transcript of their testimony is included in an appendix too.

I also wrote this post about another member of L0pht named Mudge, during his time as a security consultant for Twitter. L0pht is infamous for developing a series of hacking tools, such as Windows NT password crackers (Thomas goes into enormous detail about the evolution and enhancement of this tool) and a website called Hacker News Network. Thomas describes those formative years with plenty of wit and charm in his new book, which also serves as a reminder of how computer and network security has evolved — or not, as the case may be.

That cracking tool carried L0pht over the course of some twenty plus years. It began as “a small little piece of proof of concept code, hurriedly produced within a few weeks, and went from an exercise to prove a point, security weaknesses in a major operating system, to shareware, to a commercial success,” he writes.

One of his stories is about how L0pht had its first major penetration test of the Cambridge Technology Partners network. The company would go on to eventually purchase Novell and numerous other tech firms. The hackers managed to get all sorts of access to the CTP network, including being able to listen to voicemails about the proposed merger. The two companies were considering the acquisition of L0pht but couldn’t come to terms, and the hackers had left a backdoor in the CTP network that was never used but left on because by then their testing agreement had expired. Fun times.

The early days of L0pht were wild by today’s standards: the members would often prowl the streets of Boston and dumpster dive in search of used computer parts. They would then clean them up and sell them at the monthly MIT electronics flea market. Dead hard drives were one of their specialties — “guaranteed to be dead or your money back if you could get them working.” None of their customers took them up on this offer, however.

One point about those early hacking days — Thomas writes that the “naïveté of hackers in the late ’90s and early 2000s didn’t last long. Hackers no longer explore networks and computer systems from their parents’ basements (if they ever did); now it is often about purposeful destruction at the bequest of government agencies.”

He recounts the story of when L0pht members brought federal CyberCzar Richard Clarke to their offices in the 1990s. Clarke was sufficiently impressed and told Thomas, “we have always assumed that for a group or organization to develop the capabilities that you just showed us would take the resources only available to a state-sponsored actor. We are going to have to rethink all of our threat models.” Exactly.

There are other chapters about the purchase of L0pht by @stake and Thomas’ eventual firing from the company, then taking eight years to get a college degree at age 40, along with the temporary rebirth of the Hacker News Network and going to work for Tenable and now at IBM.

Thomas ends his book with some words of wisdom. “Hackers are not the bad guys. Most of the great inventors of our time, such as Alexander Graham Bell, Mildred Kenner, and Nikola Tesla, could easily be considered hackers. Criminal gangs who are running ransomware campaigns or are stealing credit cards are just that, criminals. They just happen to use a computer instead of a crowbar. They are not hackers, not to me anyway. L0pht’s message of bringing security issues to light and getting them fixed still echoes throughout the industry and is more important today than ever.” If you are at all interested in reading about the early days of the infosec industry, I highly recommend this book.

Time to say goodbye to Paypal

I have been a user of Paypal ever since, well, forever, but certainly for at least 25 years by my guess. Today I closed my account, thanks to having gotten several invoices from fraudsters. Today I got an invoice that I couldn’t delete. (“An error has occurred” … no kidding. I felt a great disturbance in the force.) Brian Krebs wrote about this trend last year.

This isn’t the first time I have written about Paypal security and scams. Check out here for 2010, here for 2007, and here for 2006.

Last year, after getting another fake invoice, I took precautions by eliminating my checking account as a payment method, and left my account using a credit card as the sole source of funds. This comes after not having had any actual funds in my PP account for years, just using it as a transfer mechanism from some vendors that still paid me that way. Money would come in, and it would go out quickly.

It made me sad to close my PP account — the process is very easy and just took seconds online, so thanks Paypal for making that simple. And I realize, as one of my friends remarked, that I am not really addressing the problem — any online payment vendor could become the next darling of the fraudsters and give me grief down the road. But I guess I feel that enough is enough. I already use Venmo (which is owned by PayPal), Apple Pay and Google Pay. Do I really need anything else? My son-in-law will start working at Melio, which looks interesting, but I really don’t need another service for my back office accounting.

A few months ago I wrote this piece for CNN’s Underscored about using mobile payment apps. I rated Apple Pay the best of the bunch — if you have an iPhone. But what about web-based apps? There is Google Pay, of course.

I would recommend reading my CNN piece for the caveats about how to stay safe using online payment products. But there is one thing that I didn’t mention — this concept of how to firewall your banking infrastructure. The bank account that was formerly connected to my now-gone Paypal account was my main corporate checking account. That wasn’t a good idea: some hacker could have gained access to those funds. Given the current state of fraudulent invoices, you should have a separate bank account that is just used as a repository for your online transactions. Ideally, it should be at a different bank than your “real” accounts. Just keep a small balance there when you need it. Or use credit cards (and accept that the 3% processing fees are the cost of using them).

I just feel like the bad guys have won, and I hate that. I guess it could have been worse: I could have inadvertently paid that fake invoice. Keep sharp out there. Now if I could just stop those nearly daily phone calls from scammers trying to get me to sign up for various Covid cash schemes.

A report on inmates and their phones

If you are incarcerated, either in a local jail or a state or federal prison, chances are you are paying too much for your phone calls, in some cases more than 10x what a landline call from the outside would cost. While these rates are regulated by the FCC, the regulations aren’t comprehensive and the prison and jail providers have come up with various ways to soak inmates, paying high commissions to the local authorities. A recent report by the Prison Policy Initiative goes into details. “At a time when the cost of a typical phone call is approaching zero, a few companies are charging millions of consumers — the families of people in prison — outlandish prices to stay in touch with their incarcerated loved ones.” Although a few jails have reasonable rates such as one or two cents per minute for calls, most charge more, with the average jail charging $3 for a 15-minute call.

These calls are made on pre-paid phone cards, which have largely replaced the collect calls that were once the mainstay of the prison population’s communications. Remember dialing 0 to get the operator? That is no longer an option as of this year for non-landline AT&T customers. Sadly, this means few people will remember Ernestine, that lovable character by Lily Tomlin.

The PPI report shows which states have the most egregious phone plans, how rates have dropped as the FCC widened its enforcement, the differences between local and long-distance rates and how local jails in general charge more than the state and federal prisons. It shows the oligopoly involved: three phone vendors (ViaPath, ICSolutions and Securus) account for 88% of the suppliers to prisons and jails. And it offers some solutions and improvements to make these calls more affordable.

But until things change, these prices could be why many people behind bars have obtained contraband cell phones. While there are some jails and prisons that do allow them, for the most part they are banned. There are some good reasons to prohibit them as you might imagine. But there are also some good reasons why people use them.

A story last month by the Marshall Project, a criminal justice advocacy group, describes many situations where inmates have used cell phones for furthering their education, obtaining medical care, and making money from various legit online activities. One prisoner interviewed for the article has a website for selling his artwork, others are day traders in stocks or cryptocurrencies or are freelance writers. Working remotely has been a boon for these sorts of things, which I find interesting.

The best situation was a group of 300 across the country that was learning computer programming using Harvard’s CS50 online classes. They use group messaging to communicate with each other, just like any other online class. We have several groups doing this here in St. Louis as part of our coding academies.

As I said, these stories are nice, but inmates still run the risk of having extended sentences or other punishments. Years ago I gave a speech in Singapore. I recall a news story while I was there about an inmate who was caught with a cellphone; he was there for what we would consider a minor offense. His sentence was changed to life in prison as a result.

Becoming master of your internet domain (updated)

If you are starting a new business, you have to pick the right name. There is a lot that goes into figuring out what is “right” — including is the name unique, is it memorable, is it descriptive of what your business does and provides, and so forth. But one thing many startups ignore is how the name will play out across the internet and its various manifestations. Becoming master of your domain (ok, you know I was going there, sorry) isn’t easy, and it has gotten a lot harder.

When I first got my domain (strom.com), the internet was still shiny and new, and largely undiscovered, with large tracts of land ripe for the picking. Getting my domain took a matter of minutes, and didn’t cost me anything. Then the land speculators moved in, and we have the mess that we are in now. Why didn’t I pick strom.net or for that matter davidstrom.com while I was at it? I don’t know. (My full name is in use by a photography firm now.) I did manage to flip a domain that I owned for all of a day or so and made some coin, but that was nothing like being-able-to-retire kind of dough. Sigh.

I have said for years that the best domain names are aurally-pleasing, meaning that you can say them to someone and they can remember the name and more importantly, remember how to spell it without you having to spell it out for them. (If you have to insert hyphens or extra letters, that spells trouble.) But that is just the first part of your domain.

When I wrote about this topic back in 2006, the number of top-level domain extensions — the second part of the domain after the dot — was limited: besides the usual stuff of .com, .net and .org to choose from, we could also select various country-specific extensions such as .uk and .fr. Since then, ICANN, the standards body that sets the rules, has introduced hundreds of extensions, from .store to .xyz to .info to business-specific ones like .travel. I have owned for many years webinformant.tv, which was a fan favorite for a while (the extension refers to a South Pacific island which has reaped some small rewards), just like the countries of Anguilla and a territory in the Indian Ocean have done for .ai and .io respectively.

But the domain name is just one aspect of your internet identity. There are also social networks, where you want to coordinate what you use for your domain name with the user account that will be part of any future communications. Given the millions of user accounts on these services, that is a much harder name space to find something that hasn’t already been taken.

This means you need a better search tool, and there are several places you can go. No single tool does it all — are you surprised?

My favorite and initial go-to for this research is Knowem.com. It allows you to search through 500 popular social networks, along with over 150 domain extensions, and the entire USPTO Trademark database. You can quickly figure out what has been taken, and what is still available. The domain extension search is focused on the country-specific ones, which it arranges by continent. It only shows you whether or not a domain is available.

Second best is Google’s own domains.google — this allows you to search 300 domain extensions if you want to find something a bit more unusual. It also shows you the current market rate for a particular available name, which may or may not be accurate, depending on which registrar you end up using to buy the domain. For example, both strom.tech and strom.store are each available for $1000/year. I will give both a hard pass.

If you want to do further research on just the domains, I would also use Domainchecktools.com. It provides deeper research into about-to-expire domains, which again may or may not be accurate. Some of this info can be obtained from the internet command whois, which sometimes shows you who owns a particular domain and when it was purchased and when it expires.
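The whois lookup mentioned above can also be scripted for the domains you already own, so a lapsed registration doesn’t catch you by surprise. This is an added example, not code from the original post: it parses constructed WHOIS output (the two sample records and their domain names are made up) and flags anything expiring within a threshold.

```python
"""Parse WHOIS records and flag domains that are about to expire.

Added example (not code from the original post). The WHOIS text below is
constructed sample data in the common key/value style returned by the
`whois` command; real registrars vary their field names, so the parser
accepts several spellings for each field.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample WHOIS responses for two hypothetical domains (not real lookups).
SAMPLE_WHOIS = {
    "example-startup.store": """\
Domain Name: EXAMPLE-STARTUP.STORE
Registrar: Example Registrar, Inc.
Creation Date: 2019-03-14T10:22:05Z
Registry Expiry Date: 2024-04-01T10:22:05Z
Registrant Organization: REDACTED FOR PRIVACY
>>> Last update of WHOIS database: 2024-02-28T00:00:00Z <<<
""",
    "example-startup.tech": """\
Domain Name: EXAMPLE-STARTUP.TECH
Registrar: Another Registrar LLC
Created On: 2021-11-02
Expiration Date: 2026-11-02
Registrant Organization: Example Startup Ltd
""",
}

# Field names differ between registries; map each normalised name to known aliases.
FIELD_ALIASES = {
    "registrar": ("registrar",),
    "created": ("creation date", "created on", "created"),
    "expires": ("registry expiry date", "expiration date", "expiry date", "expires"),
    "registrant": ("registrant organization", "registrant name"),
}


def parse_whois(text: str) -> dict[str, str | None]:
    """Return a dict with registrar, created, expires and registrant (None if absent)."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        # Skip blank lines, comments, footers and lines without a key/value separator.
        if not stripped or stripped.startswith(("%", "#", ">>>")) or ":" not in stripped:
            continue
        key, _, value = stripped.partition(":")
        fields.setdefault(key.strip().lower(), value.strip())
    record: dict[str, str | None] = {
        name: next((fields[a] for a in aliases if a in fields), None)
        for name, aliases in FIELD_ALIASES.items()
    }
    # Privacy-proxied records carry no usable owner; report that explicitly as None.
    if record["registrant"] and "redacted" in record["registrant"].lower():
        record["registrant"] = None
    return record


def parse_date(value: str | None) -> datetime | None:
    """Parse an ISO 8601 timestamp or bare date; a missing time zone is treated as UTC."""
    if not value:
        return None
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_domains(whois_texts: dict[str, str], now_iso: str, threshold_days: int = 60) -> dict[str, dict]:
    """Parse each record and compute whole days to expiry relative to now_iso."""
    now = parse_date(now_iso)
    report: dict[str, dict] = {}
    for domain, text in whois_texts.items():
        rec: dict = parse_whois(text)
        expires = parse_date(rec["expires"])
        days_left = (expires - now).days if expires and now else None
        rec["days_left"] = days_left
        # A record with no parseable expiry is flagged as well: it needs a manual check.
        rec["expiring_soon"] = days_left is None or days_left <= threshold_days
        report[domain] = rec
    return report


if __name__ == "__main__":
    for name, rec in audit_domains(SAMPLE_WHOIS, datetime.now(timezone.utc).isoformat()).items():
        print(f"{name}: expires {rec['expires']} ({rec['days_left']} days), "
              f"registrar={rec['registrar']}, owner={rec['registrant'] or 'redacted/unknown'}, "
              f"expiring_soon={rec['expiring_soon']}")
```

To use it on real domains, replace the constructed text with the output of `whois <domain>`; the parser is deliberately forgiving because registrar formats differ and some fields are redacted.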

Then there is the entire world of whether or not to use a domain broker to hold your cash until the domain record is transferred over to you, which registrar to use to handle your domain, and whether that should be the same as the ISP that will handle your actual web and email services. I prefer to have separate entities just in case I want to move the domain independently of the actual content, but will leave that for another day.