So this am I look out my hotel window. I’m on a sort of ground-floor/flat-roof thing, w/ a somewhat sketchy patio door leading out. And what greets my eyes? A few cigarette butts, a discarded lighter, and a pair of tighty-whiteys. So, uh, what sort of party was ongoing last night outside my window (long enough for ~5 butts)? Old school surveillance it seems, which was ‘clothing optional’.

Suggestions on my course of action?

How should I combat this surveillance?

View Results

Loading ... Loading ...

So I’m reading the disaster that is Equifax/Deloitte/… security hacks. And it got me thinking about how one method we learn is by pain, and another is by vaccination. And maybe that can apply to a corporate learning organisation.

First, lets look at some examples. I have a big ugly scar on my arm from where, many many years ago, some horse doctor jabbed me with a smallpox vaccination, a weakened set of the real deal. And my little body, in addition to cursing that doctor, developed antibodies, and I’ve never got Smallpox (so it must have worked!)

Lets look at another example. Think of something you did as a child that hurt. You didn’t do that again, right? Poke a bee maybe? That small but tolerable pain now makes you always on the lookout.

One of the big challenges out there today in security is spear phishing. To do this, I take a small set of facts that I can find out about you, and use that to overcome your distrust. As an example, lets say I find out the name of your Aunt, her cat, and the city she lives in. I construct a narrative where she is distraught at a vet, and the vet needs some cash via paypal (or more commonly apple itunes gift cards). You turn off your distrust when you hear these 3 pieces of information, but in reality they are easily obtained (dumpster diving, facebook, …)

So lets say as a society we were to create an environment where you could get spear phished once, and learn from the pain. The pain would be tolerable, but memorable. Perhaps we make it legal to spear phish anyone for up to $100 in the first month of their 18th year? Perhaps we make it not for money but for social status (at that age looking stupid in front of your friends is something you a) do often, and b) dread doing).

Maybe it could be a contest, each person could have some secret they try to guard, and everyone could try to get it?

But the point is, like the weakened smallpox vaccine, you would live through this and remember how to do it next time, and, like the bee sting, you would be on the lookout, you would not drop your guard instantly when aunt betsie’s vet says fluffy needs a tail-transplant.

Back to an organisation. There is a concept called herd immunity. And, an organisation learns (read The Fifth Discipline, its one of the best books i’ve read). So, if we ‘innoculate’ enough members of the ‘herd’ (the company), the company becomes immune, and, due to the learning effect, stays immune.

So, back to the ‘steal $100 with impunity on 18th birthday’ suggestion. Perhaps we make it so that black hats can steal up to 1% of turn-over of a company with impunity, and, some huge penalty and fine if they steal more than 1%. This would create an environment where you would have your guard up because you had felt the pain.

Equifax fired their management team, but they all got a golden parachute. That isn’t going to teach anyone. Lets create an environment w/ acceptable, but memorable, consequences, a type of training-wheels, and let people and teams play there first.

Recently I acquired a ZenScreen MB16Ac. Its a single cable (USB-C) 15″ monitor that you travel with. It has a unique feature, it can do USB-C ALT-MODE (e.g. act directly as a monitor), or become USB 3.1 and do DisplayLink (no where near as good).

Since my laptop supports ALT-MODE, it works out of the box. Plug it in and you are good to go, its just another Display Port monitor.

But wait, every once in a while in dmesg I see a complaint:

[48155.889780] usb 1-1: new full-speed USB device number 85 using xhci_hcd
[48155.889891] usb 1-1: Device not responding to setup address.
[48156.097880] usb 1-1: Device not responding to setup address.
[48156.305808] usb 1-1: device not accepting address 85, error -71

It seems to have no ill-effect, other than filling the log and using a bit of battery. But, why bother having it mostly perfect when you can have it perfect?

So I added this snippet of config:

$ cat /lib/udev/rules.d/99-zenscreen.rules
# Blacklist 0bda:0412
# This is used in the mb16ac zenscreen to switch displaylink / alt-mode
# and i only use altmode

SUBSYSTEM=="usb", ATTRS{idVendor}=="0bda", ATTRS{idProduct}=="0412", ATTR{authorized}="0"

and restarted udev. And now, that device (the DisplayLink one) is gone. As a side-affect I lose the auto-rotate (but that didn’t work anyway).

There have been a lot of very public hacks recently which made off with entire user databases. The most recent, Equifax, saw hundreds of millions of users have their personal financial information leak online. Ooops.

As an end user, you can use best practises (e.g. don’t share passwords across sites, use 2-factor, etc), and still not be able to protect against this.

Best practises on the server end are to salt+hash passwords, but ultimately they need a non-encrypted database at some time to do work. What could be a way of improving the risks?

Well, what if we were to insert many millions of rows of ‘fake’ users into our real databases? This would reduce the value to the criminal. We could also ‘honeypot’ some of the fake users, use that to increase the risk the criminals get caught. But, how would we make fake users? Add a ‘fake’ boolean column? well then our criminals would just remove them. Hmm.

What if we were to steal a page from the networking world. E.g. look at how SYN COOKIES work. We could take a crypto-hash of the user information (hash name, address, …) and some salt, and then encrypt it with a private key. We can later check it was ours with the public key. This means all usersĀ  (fake, real) have some column ‘hash’, and only the good user can tell if that means fake or real.

If we then added 100x fake:real ratio, it would dramatically lower the commercial value of the database, because the thief would get caught trying to check the names first.

What do you think? Hiding out in the open worked for (for a while) for Minister D. The advantage of adding a technique like this is its agnostic of the various other methods of security you use. If you never have data stolen, its irrelevant.


[ps a lot of people were asking ‘how do i subscribe to blogs’. The most convenient option I find to aggregate a lot of content is feedly. You make a page there, and it subscribes to all the content from various sources you consume. But you can use any RSS feeder from the main page here, or create an ‘account’ and get emailed.]

OK, I know a lot of you were super worried about my NVME purchase, that it didn’t fit in my carrier.

Some excellent suggestions involving power-tools and adhesives were carefully evaluated and vetted. But I have decided to go with a 4x carrier that supports 22110-length cards. It has an integral head-sink and auxiliary fan, which helps because SSD generate a lot of heat and this causes them to thermal throttle.

I should be able to sustain about ~100Gbps to the storage I have, enough for basic purposes I guess.

If you recall, these NVME I acquired are the long-type (22110), but they fit in this carrier.

Now, I hear a lot of you wondering, that card looks kind of naked. Where are the electronics? You expected a PCI-PCI bridge like a PLX right? Well, turns out my motherboard supports bifurcation, so we can make a x16 slot into 4×4 with the twist of a knob in the BIOS screen.