bill’s blog

Lying… trickery… duping… all words for the same thing. Words that have taken on a new meaning in the world of the on-line… connected… human! Words that have evolved into high stakes games on misinformation, fraud and identity theft. Words that have taken on the new moniker of social engineering!

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying (wikipedia.org, 2010). So what does this all mean? Well how many times have you answered the phone and the person on the other end of the line starts asking you questions about your mortgage? Wanting to help you reduce your rates! They start by asking benign questions and then move onto more personal information… such as your date of birth or heaven forbid your social security number. You’re happy to give away that information in exchange for $200 dollars off your monthly expenditures!

Or how about that cold call asking if you’re in charge of the network infrastructure at your place of employment? Or perhaps they want to know about what routers you use or the brand of toner purchase. Sure they may be mere cold calls… BUT they could be so much more. Social engineering in not about knocking at one door to see who answers but rather it’s about gathering as much information and using the information gathered in previous calls to further the manipulators efforts to make inroads into an organization.

In his book the Art of Deception, Kevin Metnick goes to great lengths to illustrate the ways in which we can be tricked into revealing information that may be common place within an organization but to an outsider can be very damaging if used inappropriately. In an interview in 2006 with Tom Espiner, Kevin Metnick shared his thoughts on what signs to looks for in a possible social-engineering attack.

Mostly, it’s gut instinct–if something doesn’t look or feel right. If someone is calling on the telephone, but they refuse to give any contact information, that’s a red flag. If they make a request that’s out of the ordinary, that’s a red flag. If they make a request for something sensitive, that’s when verification is necessary, depending on company policy (Espiner, 2006).

Honestly, the Art of Deception should be required reading for anyone responsible for security in any kind of organization… especially IT and HR departments! Social engineering needs to be addressed. Still and all, no matter what technical measures you introduce, people will do and say careless things under insecure conditions (Coffee, 2006). Employees need to be educated to the various forms phishing another social engineering practices both when using the Internet as well as answering the phones (Heese, 2007).

At the end of the day, humans have a need to help others. It ingrained within each of us. We have to get in touch with our inner selves… That part of us the screams out that something is wrong. We need to listen to that voice and heed its warning.

Resources:

Coffee, Peter (2006, August 14). Security Success Depends on Good Management, Retrieved on July, 6th, 2010, http://www.eweek.com/article2/0,1895,2001478,00.asp

Espiner, T., (2006, June 14^th), Kevin Mitnick, the great pretender, Retrieved on July, 6th, 2010 from http://news.cnet.com/Kevin-Mitnick,-the-great-pretender/2008-1029_3-6083668.html

Heese, W., (2007, February 21), Computer system security policies – key trends, Retrieved on July 6th, 2010 from http://weblog.randomdog.net/?p=942

Various, (2010, July 4th), Social Engineering (security), Retrieved on July6th, 2010 from http://en.wikipedia.org/wiki/Social_engineering_(security)

I wanted to take a moment to thank all the men and women that place themselves in harm’s way to protect myself and family… You are the backbone of freedom and liberty! Thank you!

The Art of War is governed by five constant factors, to be taken into account in one’s deliberations, when seeking to determine the conditions obtaining in the field.

The Moral Law
Heaven
Earth
The Commander
Method and Discipline

- Sun Tzu, The Art of War

Computers and science fiction are intrinsically bound at the hip! And no one individual ties the both together than Star Trek’s Mr. Spock! Spock could be seen in most episodes working at his computer workstation fine-tuning the results of a search, calculating odds or presenting definitive course of action. But it wasn’t Spock’s love of computers that made him so special… It was his impeccable logic! SO sound was his logic that Kirk would go on to say, “You’d make a splendid computer, Mr. Spock” (Roddenberry, 1967).

We as human beings often think with emotion rather than logic. Thinking with emotion clouds logical thought. In IT the ability to think logically about a problem is a must… ones and zeros. It helps with the reasoning process… “I understand that your computer seems slow but can you be more precise?” If we can eliminate subjectiveness, we can often get at the root of the problem much more expeditiously. But logic isn’t only used to troubleshoot software bugs. Logic comes in handy for project management concerns as well.

We are constantly moving solutions into and out of the organizations we work for. Returning machines on lease seems pretty benign. We buy machines… they get delivered… we image them… we deploy them to the end-users desktop. One needs to be worried about interrupting the user. We don’t want to incur additional costs because we can’t turn around the number of machines ordered. It takes a lot of planning. The more you touch a piece of hardware the more time it takes to deploy… the better your chances of messing up! Understanding how to stage the machines and being able to be flexible to change needs to be a part of your logic.

Technology data migrations are another place where logic plays a hand. The more complex a migration is the more logic needs to be applied for a successful outcome. One needs to be able to determine the order in which changes happen. Formatting out a hard drive before you move the data off would be a really bad thing. Does the users home directory reside on the server or is it cached locally on their laptop? When was the last time the data was synced? These are just some of the questions you need to adequately plan. It is logic that you use to formulate the best way to make things happen.

Common sense… plays a part here too. The most common meaning to the phrase is good sense and sound judgment in practical matters (Wikipedia, 2010). It is this judgment that when strung together makes our logic sound as well! Some may Logic does not come naturally. Just like our reasoning skills logic needs to be learned. The study of logic enables us to communicate effectively, make more convincing arguments, and develop patterns of reasoning for decision making (Angel, 2007). The more you exercise your logical thinking the better you become at it.

Resources:

Angel, A., Abbott, C., & Runde, D., (2007), A Survey of Mathematics with Applications, Pearson/Addison Wesley

Roddenberry, G., (1967, February 9), Star Trek [The Return of the Archons], New York: National Broadcasting Company.

Various, (2010, April 20th), Common sense retrieved on April 21, 2010 from http://en.wikipedia.org/wiki/Common_sense

Man’s ability to reason sets us apart from any other animal on the face of the Earth. Some call it the “Divine spark” others “God’s crowning gift to man”! Sure animals have instinct and there is an argument to be made that instinct is a learned behavior. BUT it is our ability to think through “all” the possibilities to reach our conclusions. Webster’s dictionary defines reason as the power of comprehending, inferring, or thinking especially in orderly rational ways (merriam-webster.com, 2010). Reasoning can be broken down into inductive reasoning AND deductive reasoning. We use these two forms of reasoning without ever thinking about the fact that we are using our reasoning skills to guide our actions. So how are these skills applied in real life?

Inductive reasoning is the process of reasoning to a general conclusion through observations of specific cases (Angel, 2007). In the course of everyday life we take notice of a great many things… some overt, some unapparent. We use these observations to learn from and approve our existence! For instance, we learn a flame is hot… and all fires I’ve seen have flames therefore all fire is hot. We learned not to put our hands in the fire! Taken in the context of day-to-day business dealings, we learn how to deal with individuals. In IT this is extremely important. We learn how to prioritize our work based on the person who calls in for help. “If I don’t get back to this user right away she’ll call the president of the company and try to get me fired!” Why because that’s what she’s done in the past many times over. Some successfully others not so much BUT she’s tried just the same. “Why try my luck?” We use inductive reasoning to avoid the pitfalls of our corporate existence!

In contrast, Deductive reasoning is the process of reasoning to a specific conclusion from a general statement (Angel, 2007). In IT we use this form of reasoning quite a lot. We are often faced with problems that need to be solved and in fact must if we are to keep our jobs! Very often we start with a gut reaction to a problem (or hypothesis). For example, my computer is not getting an IP address. We gain valuable new data… multiple computers are not getting an IP. We then draw some conclusions and state our hypothesis… therefore the DHCP server is down!

We start looking at possible things that could be causing the problem de jour. We check to make sure the computer is jacked into the network correctly (my computer). We check to make sure the network switch is working correctly (other computers). These basic troubleshooting skills test the soundness (or validity) of our hypothesis. We constantly narrow the scope until we prove the validity of our original hypothesis. Some conclusions are valid, reinforcing that we are on the right track (assuming our logic is correct), while others are invalid which in turn leads us to modify our thinking or come up with a completely new hypothesis. In other words, we fix the problem!

Resources:

Angel, A., Abbott, C., & Runde, D., (2007), A Survey of Mathematics with Applications, Pearson/Addison Wesley

Unknown, (2010), In Merriam-Webster Online Dictionary, Retrieved April 15, 2010 from http://www.merriam-webster.com/dictionary/reason

It’s all about being professional… The more one prepares the better you present! One thing most people fear is speaking in front of a crowd. Creating an outline of all your talking points is more important that having a scripted presentation. If you speak from a script you’re going to come across as dry and rehearsed. People all too often put everything they want to say in slides. People for the most part are visual learners. Reading off a slide is the quickest way to put your audience to sleep. It is often said that Steve Jobs is one of the best presenters in Silicon Valley. Why because he is passionate. Why because he knows his product offering. He sets up the protagonist and then along comes Steve (Apple) to save the day! He may a sentence quoted from a magazine (his evidence) one a slide but there’s never more than one or two words for any given slide when he’s presenting product.

Why am I spending so much time on this… because one needs to come off as polished as opposed to contrived. We may not always be able to set up a protagonist BUT we can be intimately familiar with our product offering (whatever it is we are trying to say). We can be passionate! We can be polished. Have outline. Know your talking points… BUT don’t spend extreme amounts of effort getting your wording prefect! Learn from your mistakes… very often as part of my job responsibilities, I have to present technical material. Often I have to give the same presentation over and over. I learn what works from what doesn’t. I make adjustments… I may use the same lines over and over but you never get the same presentation twice. I try to present technical matters as simply as possible. In explaining bandwidth concerns, I often use plumbing as an analogy (the bigger the pipe, the more water can go through it). Put your ideas into words most people can relate to. Remember you’re not speaking to yourself… and those who are familiar with your ideas… you’re speaking to the an audience that can be made up of people from various different technical backgrounds. You have to assume they aren’t as familiar with the subject matter as you (otherwise you wouldn’t be there)! These are the people you need to convince. So convince them!

WOW… Where to start… Hard drives are the garbage dump of a computer… Sure we strive to keep our data organized but in actuality… We have zero control as to where the computer places our data on disk. Files are written to the first available sector on disk. These sectors are reversed and freed based on which files are in “use” and which have been “deleted”! In actuality no files are truly deleted until they are overwritten. Point of fact… the pointer to the file on disk is the only thing that is deleted when we empty the Trash/Recycle Bin.

A bit-stream copy of a hard disc is a more exact duplicate as to the ones and zeros on a disk. One needs to have an HD of equal or larger size than the one being copied… Some may call this a disadvantage BUT the fact of the matter is that disc is cheap. The fact is that disc size grows while the cost remains fairly constant. No real disadvantage there.

It takes disc of equal size because it includes the file/disc slack. Why is this important? Because disc storage is broken up into blocks. These blocks are finite on disc based on the file system of the OS/disc that is operating upon the disc. If the block size is 8KB and you actual file/data sizes is only 4KB…that leave 4KB of free unallocated space. There are tools that can right data to the slack space. Tricky… tricky they are. You want to be able to capture everything that is on disk… No matter what.

Because Bit-stream copies are capturing every byte of data on disk it takes longer to copy. Standard backups/mirror images are only copying the actual data and then fitting it into it block size allocation on the destination disc. One would miss the slack space… AND the “deleted” files! Bad idea.

When working in IT one needs to have a game plan… a road map so to speak with regard to fixing problems. One needs to understand what is happening and look at the problem from a number of different perspectives (Our servers’ hard drives are filling at random intervals… it’s got to be a server problem). One needs to understand what is causing the problem… more often that not… What’s changed in the environment? (Well we installed the new version of Firefox onto everyone’s machine yesterday!) Then how to go about fixing the problem? Remove Firefox from everyone’s machine? But wait… problems within IT often aren’t that straight forward… often times one cannot address the problem directly… “We need to use Firefox because our WebApp requires it” BUT wait… it’s this feature that is causing the problem! “If we turn off that particular feature it will allow most of us to use Firefox although some users could still have other problems”. We’ve provided a fix for the greater good… but is it really a fix? It depends!

Having a game plan as to how you are going to attack the problem and sticking with the game plan can make the difference… finding a workable solution! Understanding what you are looking for (and that can include data that you don’t know is there) and why can only help to keep you focused. The game plan isn’t always the same…certainly the rules are different if you’re working in a corporate environment verses a government organization. They can be different depending on whether it’s a criminal matter. You as the technical expert need to understand that the suspect has rights that cannot be infringed upon or you may find that all your hard work is inadmissible in court. Make sure you have the company’s permission, in writing, before you start poking around on other employees’ computers. Know who is authorized to give the OK to begin your work. Don’t start the work until you have everything in place.

Be Professional! Stick to what you were hired to do! It doesn’t matter whether you’re a salaried employee or a consultant! Be objective! Don’t form opinions until you’ve done your homework. Forming opinions prior to starting your work could lead you down the wrong path and waste valuable time. Keep your mouth shut… you never know what you’re going to find… Confidentiality is often equated to trust. In IT we often have more access to information than our bosses! Don’t sneak a peak and their salary information. You may not like what you find! If people can’t trust you, you’ll find yourself unemployed.

The media has a tremendous influence on our entire outlook of the world! They are biased no matter what they say. The United States has always touted freedom of speech… and yet the very government that grants us these rights plays a huge part in what is reported from what is now. The media takes on many forms… print, radio, television and now the Internet.

March 5, 1770 – During the revolutionary war, the Boston massacre was seen by many as one of the pivotal acts that began the War of Independence. In colonial times, it was reported that the British Soldiers fired into an unarmed crowd of civilians killing 5 colonists. In image after image the British were depicted as firing at the backs of civilians. Sure the colonists were unhappy with the Townshend Acts… Sure the soldiers were provoked… but Paul Revere and the other revolutionaries used the media to spin the event to present an unfavorable view of their adversary.

Late summer, 1933 – During World War II Hitler, and Josef Goebbels understood the power of the radio. Before 1933 radios in Germany were beyond the reach of most citizens. The Nazis commissioned (and late subsidized) the making of an affordable radio, the Volksempfänger. The radio could only receive signals from within Germany and at the time the Reich Broadcasting Corporation had a monopoly. It was during the Nüremberg Rally in 1933 that Goebbels delivered the “The Racial Question and World Propaganda” speech. It was also during this speech that he tried to place blame on the decline of Germany at the feet of the Jewish Race. Later he invites the world send its journalists and representatives to Germany so that they can see for themselves the courage and determination of the government (Goebbels, 1933).

September 26th, 1960 – The first televised presidential debates… John Kennedy and Richard Nixon faced the American people. Kennedy (energetic, youth, polished)… Nixon (sickly pallor, “unshaven”, uneasy)… If one were to take away the visual aspect Nixon won the debate… add back the visuals and Kennedy won. At election time, more than half of all voters reported that the Great Debates had influenced their opinion; 6% reported that their vote was the result of the debates alone (Allen, 2009).

January 17, 1991 – The start of the Gulf War. Iraq had invaded Kuwait… Coalition forces were striking back at the Republic guard. Iraq fell within a fortnight. Press coverage of that evenings events showed shadowy green images of the Iraqi sky flooded with Anti-aircraft tracer rounds. Not up close and personal but from a far. In her article, “Will Truth Again Be First Casualty?”, Jacqueline Sharkey sums up the media coverage succinctly…

The Gulf War included unprecedented restrictions on the press by the military, and an extensive campaign by the White House and the Pentagon to influence public opinion by presenting Americans with carefully controlled images and information concerning the conflict and the issues surrounding the Bush administration’s decision to use U.S. troops to resolve the crisis. The result was a defeat for the First Amendment guarantee of press freedom and the public’s right to independent information about the political decisions that can lead to U.S. military involvement abroad, and the ramifications of such involvement.

Now… As I have said in the past and will say again. Government manipulates the press because they know the power of information. They know when to withhold information. The second gulf war (March 20, 2003) was not about September 11th… It was not about Weapons of Mass destruction… Now it was about oil or the more unthinkable…. that the younger Bush wanted to finish the job the elder Bush could not. The American people were misled by the President through the media… got us involved in a war that to this day we are still dealing with!

Now any one want to talk about the Federal Reserve?

Resources:

Allen, E. A., (2009, May 5), Kennedy-Nixon Presidential Debates, 1960, Retrieved on October 10th, 2009 from http://www.museum.tv/archives/etv/K/htmlK/kennedy-nixon/kennedy-nixon.htm

Goebbels, J., (1933), The Racial Question and World Propaganda, Retrieved on October 10th, 2009 from http://www.calvin.edu/academic/cas/gpa/goeb41.htm

Sharkey, J., (2001, Sept. 21), Will Truth Again Be First Casualty? Retrieved on October 10th, 2009 from http://ics.leeds.ac.uk/papers/vp01.cfm?outfit=pmt&folder=34&paper=128