Bartender, gimme an Amazon over Ice 9
What sort of world do we live in where Amazon, founded as an online alternative to brick and mortar bookstores, has opened its own brick and mortar bookstores after putting them all out of business? The ambitions of this juggernaut have turned to another mountain yet unclimbed: internet connectivity. Amazon Sidewalk, a mesh-network service, will go live in just a few days. It provides an alternate pathway for Amazon devices within proximity of one another to gain access to the internet in case of a local connection problem.
The merest mention of Amazon has the possibility of political undertones. A dubious path towards unionization, and poor warehouse conditions, contrast with Amazon’s decent environmental record, and recent stance in favor of marijuana legalization. With its near total domination of the cloud computing marketplace, coupled with strong IOT device offerings, Amazon has technology in its blood.
As a shameless critic of Amazon, I cannot understate the effectiveness of this company. There’s a reason Amazon has done so well on so many fronts: I mean, clearly they’re doing something right. Amazon Sidewalk should be no exception, and on June 7th 2021, unless you opt out, your Amazon devices will be automatically enrolled in this mesh-network. So what is a mesh-network? In simple terms, it’s something like Apple’s AirDrop, only instead of sending memes to your fellow bus travelers, you’re getting a pathway to the internet through their device via a close range, vendor specific connection. Sidewalk turns devices into wifi extenders, providing no connection themselves, only forwarding you down the pipe.
Amazon Sidewalk is a fantastic idea, at least on paper. Security systems, perimeter lights, even voice activated devices like Echo are vital to some people. These devices must always be connected to the internet in order to fully function. After all, if your internet is down, how will your security system send a digital alert to your device if an alarm is tripped? Might not seem like a big deal sitting at your computer drinking coffee, but what if you were out of town? I’d like to know that there’s a backup in place for my security system in case the internet goes down.
Never fear, Amazon Sidewalk is here! Your neighbor, who just so happens to have a Ring doorbell (also owned by Amazon) has an internet connection. With Sidewalk, your devices can reach the glorious interwebs through the Ring doorbell’s short range connection. As per Sidewalk’s terms, a percentage of each device’s available bandwidth is reserved and dedicated to receiving connection requests from fellow Amazon products.
Sidewalk faces a number of issues in its life cycle. There may be legal ramifications to using an internet service provider’s connection as an independent connection source. Think stealing power from your neighbor. Free lights for you, they’re stuck with the bill. Sidewalk expands the attack surface of IOT devices and home networks, and finally, this service is opt-out. This creates a perfect storm for attackers with the combination of misconfigured IOT devices, and poorly secured home wireless networks which can be accessed via something as innocent as a security camera.
I’m a practical guy, and I don’t want to be an opponent to progress. Sidewalk is a fantastic idea, but I’d harbor some apprehension at these services even without Amazon’s name in the picture. The idea that your device can be accessed by another device in an informalized manner has poor security undertones.
With more companies diversifying into tech, the future is increasingly unclear as to the cyber threat landscape. Cyber attacks have been well documented, inhibiting blue collar workers as much as their white collar counterparts. The Colonial Pipeline incident, and the recent attack on JBS meat packers are only 2 of a great many examples. Amazon, the online retailer and technology company, also maintains an incredibly far reaching and efficient package delivery service. If Amazon is wound into every aspect of our lives (remember the physical stores too), without proper vendor diversity, we risk the population falling sick to one disease due to lack of variation and resilience.
We live in a world with inconsistent technological adoption. Technology transcends industries and lives, but it does not yet encapsulate them. There are workarounds, holdouts, late adopters and infinite configurations of technologies and systems in our very real world that need patching, translating, or modification to sync up. Soon, technology may become so seamless within our lives there is no way to avoid coming into contact with a particular product or brand. Thankfully, we’re not there yet.
In my opinion, we as a society have already placed too many eggs in Amazon’s basket. If every Amazon device is connected to other nearby Amazon devices, a single security incident could wreck all associated infrastructure from top to bottom simultaneously. Imagine a driver, maybe a few years in the future. He wears augmented reality contact lenses and carries a cell phone. His electric truck is controlled by an in-house operating system and also connects to the internet. He delivers a variety of products using a map app, coordinating with his coworkers through yet another app. All of the products, in every aspect from production, to software, to connectivity are controlled by Amazon. And what if none of this will work properly because it got infected via a compromised Echo in a suburban cul-de-sac somewhere in America?
What’s next? Will Amazon make smart earbuds, phones, start a cellphone service, or be an internet service provider? These aren’t crazy questions. Amazon, and by Amazon I mean Jeff Bezos, can literally do whatever they/he want.
There have been several notable AWS blackouts over the years. Usually they involve one particular AWS region and are not widespread. These blackouts don’t last long, and have not adversely affected digital life as we know it for longer than an afternoon. So far that is... There’s a timer on this situation, and Sidewalk is a notch towards its completion. Nothing is too big to fail. More disturbing still, Amazon’s official reaction to the most recent blackout was tepid and uninspiring to say the least. Whether this was a cyber attack, a mistake, or some kind of failure, technical or otherwise, is unknown. All we got was a very corporate ‘We are working toward resolution.’ I think Kurt Vonnegut would have something to say about this. After all, just 1 piece of Ice 9 into the ocean, the whole world freezes. Let’s hope nobody's preparing to hold Amazon hostage with a piece of digital Ice 9.
With so many devices involved in this Sidewalk technology, and due to the sheer size of Amazon, security is paramount. Lack of vigilance in configuration and patching, coupled with future compatibility issues, opens up a swath of potential issues to contend with for security workers. Also, Sidewalk increases the attack surface for a small, and questionable gain. If any other company created Sidewalk, maybe it wouldn’t be newsworthy. However, anything Amazon does is newsworthy. I say, political opinions aside, never trust one company for everything. The question remains: am I disabling Sidewalk on my personal Amazon devices? Easy answer: I’d be sure to opt-out, if only I owned anything from Amazon.
Atomic Habits Part 2
Anybody looking to make a change of any kind in their life should consider reading Atomic Habits by James Clear. I know I know...a self-help book? Really? I personally hate self-help books, or at least the idea of them. Conventional wisdom dictates self-help books don’t work, they’re cheesy, and they’re all the same.
“If you believe in yourself, anything is possible.”
“Keep your chin up!”
“Stay true to your inner child.”
Ugh, wake me when it’s over.
Cliches and expressions can be profound, but words they remain. A person most likely in need of self-help will, in my opinion, resist logic to their own detriment. Plenty of us have struggled with depression before. Sure, you could get out of bed early, make the bed, work out, eat a grain bowl, and meditate...but you won’t. There are so many reasons for the struggles we face in life, and words simply don’t accomplish anything on their own.
Atomic Habits differs drastically from this tired trope by focusing on attainable actions, more specifically, change as a result of innumerable small actions over time. Coinciding with my decision to pursue cybersecurity, I began doing pushups every day, if I can remember that is. In the beginning, I only did 5.
5 pushups is next to nothing, but it was an attainable goal, and one I had no real reason not to meet. Now I’m up to 14, about to increase to 15 per day. Even at 15 pushups per day, if the process becomes painful, or annoying, I’ll be tempted to stop, so I don’t raise my number very quickly. However, over time, my number still rose. Eventually, I hope to do 100 per day. Atomic Habits changed my life, and I thoroughly recommend it.
Another interesting aspect of Atomic Habits is that each line is wonderfully motivating in and of itself, plus it’s a decent read. I love the phenomenon of saying or thinking something only to have it validated by an independent or unknown source. One of my favorite tidbits of information is that taxi drivers’ brains are of frequent study because driving a taxi requires a lot of calculations when it comes to pathing through a city. The hippocampus of a cab driver is more developed than other people’s of a similar age. I’m sure this was even more pronounced before the days of GPS and turn-by-turn directions.
It’s incredible to think about developing my cybersecurity hippocampus in the ways I did while cooking, like the cabbies do for directions. Already, my pathing is developing simply by thinking/learning about security daily. I was also told this profession will make you paranoid, and that’s certainly becoming the norm for me.
Credit card came in the mail? Who’s scamming me?
Mailman forgot the apartment building code? Sounds fishy...
Heck, I even make my wife whisper passwords in case somebody is listening in!
I just figured out the physical networking layout of my new home. It took a bit of trial and error, but I managed to identify the inputs and outputs properly, and relocated my modem/router successfully. Again, it’s a small accomplishment, one I could’ve done even without cybersecurity training. Still, my process for completing this task was elevated due to my continued learning of cybersecurity and networking. It gave all the training and learning much needed purpose and gravity, even if that just meant adding labels to the cables before disconnecting them.
Weeks ago, I managed to score an interview with a company after completing an exercise and emailing it in. Similarly to some nights during bootcamp, I stayed up until 2 am or later, researching and hunting for flags in a vulnerable website’s source code, and writing an incident response to a fictional Simpsons themed network breach (damn Frank Grimes!). It’s so fun doing cybersec and I’ll be jumping for joy when I land that fabled first position. Until then, I’ll be studying in my own way.
I used to get so hung up on each failure or difficult topic. I thought that if I didn’t know how to solve one particular problem, the cybersecurity gods would condemn me to vocational limbo for eternity. After reading Atomic Habits, I know that by doing a little bit of learning in each of my areas every day, I can make progress over the long haul. My Python in particular has elevated to a new level and there’s an interview coming up where they’re looking for somebody who knows the language. Fingers crossed!
Despite the pandemic’s persistence, things are looking up for me. I’ve finally finished the principal writing and editing of my novel and am on track to be done by the end of 2021. I get my 2nd vaccine next weekend and have just moved into my first house. Calls from recruiters are slowly becoming more frequent and I’m truly at peace with my career transition. Like me, my wife used to be a chef. She changed her life through a bootcamp and is employed as a jr. web developer. She read Atomic Habits too and that was back when she literally never read books. I told her to try it; one page per day. Now, she reads more than me.
Cocky
I’m on the 5 yard line, about to cross the plane of the end zone on a breakaway catch. Every wide receiver’s dream; the defense is in shambles, the crowd’s roaring, confidence is off the charts. For me, that last crucial 5 yards harbors the possibility of great peril. I’m feeling cocky, as if I’ve already succeeded. That couldn’t be farther from the truth.
I have excellent news: I’ve received the CompTIA Security+ certification. I’m certainly relieved to have passed. In that cold, sterile exam room, clicking ‘finish’ on the computer screen felt like I was pulling the string of my own guillotine...until I saw the score. Within days of receiving the certification, I witnessed a LinkedIn post from a fellow entry level cybersecurity analyst job seeker/career changer, a true peer. The post was written by a man who’d surrendered himself to mediocrity and shame, lamenting the fact that he’d failed Sec+ and offering condolences to their friends and mentors about their failure.
Is this the feeling of distinction I’ve been seeking? Validation for my efforts? This poor person is so similar in situation to me and were it for a few wrong answers, I could be in their company. I won’t lie: I loved the sudden uptick in LinkedIn notifications and connections I experienced due to my celebratory Sec+ LinkedIn post. It was a terribly tough test for me and I trust anybody taking this cert to treat it seriously and follow the training: read each question multiple times, come back to difficult ones, and pick the BEST answer. I’m not your average optimist encouraging career changers blindly. Everybody needs somebody to be empathetic to their struggles. Commiseration is valuable in the right circumstances and for the right people. My heart goes out to this guy. You’ll get em next time.
I’ve cooked for hundreds of thousands of people over my cooking career. I’ve worked 16 hour days standing the whole time, processed cases of meats and vegetables in the blink of an eye, made gallons of sauce and executed a multitude of dishes under a myriad of differing conditions with consistent quality. This transition is harder. That final 5 yards on my breakaway...I should be dancing already! But I’m the kind of person who doesn’t dance until they’re in the end zone.
Cybersecurity is more than an industry to me. I’m in a strange and scary land where I haven't quite figured out my bearings. My steps are those of a baby but each one I take is without fear or hesitancy. I have a couple interviews coming up which is very exciting. I’m getting much more into hacking via late night Hack The Box sessions with a friend. It’s daunting working with a tier 2 (probably tier 3 without the pandemic) SOC analyst. He’s at the point of doing write ups and can easily crack low level boxes without any external help.
I try not to bask in the negatives. So what if I wasted some time trying to get HTTPS to run on Burp Suite when it was unnecessary in the challenge I was working on? I also learned that Metasploit and searchsploit are very different, and I learned about the tiered success metrics of user vs. root 'pwnership' that attackers strive for. There’s the ltrace command and ssh verbose mode for troubleshooting and writing alias entries in my shell config. My self-learning as of late is different from bootcamp. I’m staying late after school, learning from an upperclassman, having my mind blown but understanding it every step of the way. I don’t have my head in the clouds and will not be cocky as I scan the ground in front of me on that last crucial 5 yard dash.
Plates”R”Us
Welcome to the introduction to this blog post. In an effort to write about cybersecurity at a technical level, I have devised a scenario in which I will role play as the head of the security department at a mid-sized company that sells plates and other ceramic dishes. I wanted to simulate a non-technical company that still has an IT department. With that in mind, below is a warning regarding potential phishing risks posed by the pandemic.
This document is meant to be read by the entire staff, IT personnel included. The wording must be clear and without jargon. Still it must delve into the technical aspects of what makes something like phishing or social engineering so dangerous.
One particular area of general interest to me in the cybersecurity landscape is the way information is disseminated to the end user. If an alert is too wordy or obnoxious, it can frustrate or confuse the user. We need to be clear when securing, whatever the form. I hope you enjoy my writing and as always, feedback is welcome.
Hello Plates”R”Us Team,
The pandemic has changed everything about our lives, including how we work. However, one issue you might not be aware of is the pandemic’s power to bolster the antics of hackers and other malicious actors. These users want to steal money and/or private information and the pandemic provides an excellent opportunity to do so.
Increased levels of remote work have pushed our technical infrastructure to its limits, expanding our attack surface: the opportunity of potential attack for cyber criminals. Even disregarding the pandemic, the digital attack surface has exploded in recent years.
The so-called “Internet of Things” or IOT continues to grow. It may come as a surprise, but that smart fridge or electronic doorbell in your home has an internet connection and can provide attackers an odd entrance into your network. The lesson here is that if a doorbell can be a security risk, imagine the issues raised by entire organizations working remotely.
Here are some alarming facts to consider:
- According to ReedSmith back in March of 2020, as the full scope of the pandemic initially began to hit home, scamming rose by over 400%.
- Palo Alto says that as of August 2020, over 1,700 covid related domains are registered every day.
- To quote the FCC’s website, “Anyone calling or texting and asking you to pay for a vaccine is a scammer.” To reiterate the importance of this statement, it appears first on the page https://www.fcc.gov/covid-scams.
Text messages can be particularly nasty. While you should exercise caution opening any file or link from an untrusted source as a general good habit, a computer screen and a phone screen offer entirely different levels of familiarity. After clicking a link from a text on impulse, the suspicious site name can get lost in the two inch long address bar. Mobile formatting is often iffy and it’s tempting to ignore a strange looking page, or file, brushing the oddities off as poor programming.
To lend believability to their phishing attempts, malicious users utilize relevancy and humanistic appeals to achieve emotional responses in their victims. While events like elections, natural disasters or local sporting events have always been ideal for attackers to exploit, the unifyingly captivating nature of the pandemic is uniquely enticing to attackers.
Practice skepticism and avoid sensationalism during the pandemic. Beware any solicitations for donations. We encourage helping the less fortunate, but make sure to vet the organization properly on your own instead of trusting a stray text or email. Look for spelling mistakes, missing images/graphics and eye-catching phrasing designed to lower your guard.
Hearing that restrictions are lifting, cases are falling, or vaccines are available in your area is what each of us dreams of hearing on a daily basis. If it sounds too good to be true, it just might be. Remember to be suspicious and verify integrity with the security team before proceeding with an untrusted link or file.
.pdfs and .docs are prime targets for attackers to lace with their malicious code. Don’t give them an opening. Security is not an assignment to be completed once and move on, nor is it just a department that exists at Plates”R”Us: it is a mandate and a mindset that we all must contribute to and uphold.
Thousands receive the vaccine every day both here in the US and worldwide, but the pandemic is far from over. The restrictions put in place for our health and safety may last long into 2021, perhaps even into 2022. When we return to the offices is a question Plates”R”Us isn’t prepared to answer yet. Work as we know it has changed definitively and it’s our goal to maintain its security. You can do your part. Be suspicious and escalate anything out of the ordinary to the security team.
Thank you,
Cyberman128
Optimism
Months ago, then presidential candidate Joe Biden warned of a ‘dark winter’ ahead for Americans. The east coast of the United States where I live has been hit with winter storms and polar vortexes not dissimilar from those I experienced while living in the Midwest. The virus is still raging, the distribution of the vaccine has been frustratingly slow, and job growth has been stagnant. However, twinges of optimism have sprouted in my subconscious.
As of February 1st, I’m officially done with my cybersecurity bootcamp. This is an enormous accomplishment that I’m not taking lightly despite the fact that I can’t celebrate it in person with my loved ones out of fear of the virus. It’s the first step in proving my legitimacy, professionality and skills to potential employers. It’s a marker of just how far I’ve come since taking the plunge into cybersecurity back in August, which seems an eternity away from the present.
I started applying to jobs over a month ago. While I still haven’t found ultimate success, I’m starting to feel hopeful. Fate has a funny way of showing itself. I was sitting on the couch in my parents’ living room, waiting for them to wake up and start their day when I got a call from a mystery number. Normally, I wouldn’t hesitate to ignore the likely robocall, but that morning, something changed my mind. It wasn’t anything concrete that made me pick up the phone; just a feeling.
After a fifteen minute chat with a recruiter for a firm I applied to weeks prior, my blood was pulsing, my brain crackling with activity. Nothing like an unscheduled professional conversation to shake you up in the morning! Still, I handled it well, and was even offered a chance to interview. The only issue was...the job was a couple of states away. A bummer to be sure, but one I’m happy to report.
I want more bummers. Bummers eventually turn into successes. With each failure, I grow a little bit more. Nothing about February has felt different than January. The winter blues is at its worst right this very moment. But every day it stays miserable outside, we get closer to spring. Bad days will change to good ones and this virus will be conquered, one way or the other.
My next big project is to get Security+. I’m confident I can be certified within a couple of weeks. I also want to focus on writing about cybersecurity at a technical level. Stay tuned folks. Good things are coming!
Practically Perfect
I have some exciting news: I’ve just sent out my first cybersecurity analyst job application. It’s the first of many, and I’ve got a long road ahead, but it’s a good start. Since my last post, I’ve been focusing my efforts towards areas which I’ll be able to discuss during an interview.
As a tech hobbyist who’s transitioning into the professional sphere, the hardest thing about learning how to code and administer systems is the lack of gravity and sense of realism. Everything, from bird’s eye view topics to specific commands feels obtuse and awkward. In my mind, it’s like comparing recipe analysis and testing against making a dish in a kitchen to order for a paying, and expectant customer.
In an effort to produce practical and tangible projects tailored to me I’ve created a word counter/analyzer program in Python to assist me in writing and editing my novel. There are 3 separate versions of this personal project on my Github. The first iteration reads a file line by line and adds each unique word into a list. Each subsequent instance of a word increments that word’s count by 1. Pretty simple.
Version 2 is a Frankenstein that I hate, but created out of necessity. I’m writing my novel on Google Drive which contains approximately 600 words per page of solid text. It takes approximately 600 characters to create approximately 100 words or 3600 characters per page. Enter the desired number of pages to analyze via good old input() and the program will multiply the number of pages by 3600 characters. Lame but semi functional.
Version 3 takes the concept a step further. I’ve written code that combines different versions of words together into single entries with counters. For the purposes of my creative writing process, ‘neglect’ and ‘neglected’ are the same word. For this iteration of the program, I’ve focused on ‘ed’ ‘ly’ and ‘ing’ suffixes. Some of the more interesting issues I ran into are the removal of filler words, ignoring exceptions, and the proper formatting of modified conjugations.
I couldn’t care less about filler words. Nobody cares if you use the word ‘and’ two sentences in a row. I created a simple filler word list containing words like ‘the’, ‘and’, ‘of’. If any word in my individual words list matches an element of the filler words list, it’s disregarded and not entered into the results dictionary.
‘Word’ and ‘wording’ can both be counted by the root ‘word.’ It was simple to modify my individual words list to keep track of all instances and conjugations of ‘word’ by deleting the trailing ‘ing’ but what about ‘case’ versus ‘casing’? By removing the ‘ing’ I’m left with ‘cas.’ This necessitated adding an “e” to the end of the words once stripped of their suffix. ‘Casing’ becomes ‘cas’ becomes ‘case.’
What about a word like ‘family’? The program is going to pick up on the ‘ly’, drop it and then leave me with ‘fami’. Not good. So far my only solution involves adding an exceptions list that houses any words that naturally end with the pre-selected suffixes. Inelegant, but it’ll do for now. I haven’t even thought about words like ‘fittingly’. Perhaps there are some language modules for me to use... Those issues are cans of worms I’d prefer to open at another time.
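A sketch of the version 3 behaviour described above (filler list, suffix stripping with the restored "e", exceptions list), as an added example rather than the author's code from GitHub. Picking the repaired root by checking which candidate appears elsewhere in the text, the doubled-consonant and i-to-y repairs, and every name and word list here are assumptions of this sketch.

```python
import re
from collections import Counter

# The three suffixes the post focuses on.
SUFFIXES = ("ing", "ed", "ly")
# Shortest stem worth stripping to; keeps 'red', 'king', 'only' intact (assumed value).
MIN_STEM = 3
# Constructed word lists; a real novel would need longer ones.
FILLER_WORDS = {"the", "and", "of", "a", "was", "he"}
EXCEPTIONS = {"family", "spring", "string", "morning", "nothing", "early"}

# Constructed sample text.
SAMPLE = (
    "The case was odd. Casing the house, he neglected the family. "
    "Such neglect! The wording of every word fit, and fittingly the family left."
)


def tokenize(text):
    """Lower-case the text and return its alphabetic words."""
    return re.findall(r"[a-z]+", text.lower())


def strip_suffix(word):
    """Return the word minus one known suffix, or None if nothing applies."""
    for suffix in SUFFIXES:
        stem = word[: -len(suffix)]
        if word.endswith(suffix) and len(stem) >= MIN_STEM:
            return stem
    return None


def restore(stem, vocabulary):
    """Repair a stripped stem, preferring a form that occurs in the text.

    'word' -> 'word', 'cas' -> 'case', 'fitt' -> 'fit', 'happi' -> 'happy'.
    If no candidate is in the vocabulary the bare stem is returned, so
    'casing' stays 'cas' in a text that never uses 'case' on its own.
    """
    candidates = [stem, stem + "e"]
    if len(stem) > 2 and stem[-1] == stem[-2]:
        candidates.append(stem[:-1])        # undo a doubled consonant
    if stem.endswith("i"):
        candidates.append(stem[:-1] + "y")  # 'happi' -> 'happy'
    for candidate in candidates:
        if candidate in vocabulary:
            return candidate
    return stem


def root_of(word, vocabulary):
    """Peel suffixes until none is left, so 'fittingly' -> 'fitting' -> 'fit'."""
    current = word
    while current not in EXCEPTIONS:
        stem = strip_suffix(current)
        if stem is None:
            break
        # restore() adds at most one letter to a stem that is at least two
        # letters shorter, so the word shrinks every pass and the loop ends.
        current = restore(stem, vocabulary)
    return current


def count_roots(text):
    """Count words by root, skipping filler words."""
    words = tokenize(text)
    vocabulary = set(words)
    counts = Counter()
    for word in words:
        if word in FILLER_WORDS:
            continue
        counts[root_of(word, vocabulary)] += 1
    return counts


if __name__ == "__main__":
    for root, count in count_roots(SAMPLE).most_common():
        print(f"{root}: {count}")
```
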
My three progressive versions of word analyzer bear a striking resemblance to my work on my final class project, an automatic Linux log parsing program. We decided to call it mAUTHra after Godzilla’s nemesis.
Version 3 of word analyzer, which features the suffix adjuster functionality, is an absolute mess like log viewer 3, the immediate precursor to the first real draft of mAUTHra’s main file. My head instructor spent a little quality time with my group and taught me the ins and outs of the previously hieroglyphic-esque line: if __name__ == "__main__":
Coding 2 projects at the same time has shown me the beginnings of my working process through the similarities I’ve noticed. The most obvious thing I’ve picked up on is my tendency to increment functionality in a series of 3 drafts before moving onto the next phase.
After ironing out the dings and dents of word analyzer, I will add modular functionality by creating a main program that imports the modules pertaining to specific functionality. Much of this coding I’ve been writing has been done on my brand new Raspberry Pi 400 which I got for Christmas.
This is my introduction to the Raspberry Pi technology, and I’m to understand working with the 400 is a cakewalk compared to the previous iterations. It’s got a built-in keyboard/case with usb ports, a display port and a modern desktop environment. For a n00b like me, even the simple functionalities of the RPi were fun to figure out. There’s no power button!
I had a bug where I couldn’t log in via the visual interface, so I had to go into my router’s settings to find the IP and SSH into the Pi. Once I had root access, subsequent logins with the visual interface were successful. Strange.
Initially I was outputting the Pi to my main monitor with my pc running on my secondary monitor. However, the way I have my monitors oriented and how my desk is laid out meant I was using the left keyboard for the right monitor and right keyboard for left monitor! Obnoxious to say the least. SSH was fine, but a quick google and I was able to remote access into the Pi using xrdp protocol.
Aside from the coding, I’ve built a basic website on the Pi although I’d like to work on my complex projects in the future. I plan on using the Pi as a playground to continue to develop both my personal writing analyzer program and a finalized version of mAUTHra, my class project. I foresee myself developing a lot more functionality with mAUTHra going forward. In particular, I hope to format information display better, including some form of data visualization, as well as the option to select a couple test cases rather than all, or just one at a time.
I’ve even gone back to the roots, working more on Bandit CTF from OverTheWire and preparing to take the Security+ in February by reviewing the basics of cybersecurity. I’m also going to commit to applying to at least one job a day, although I hope to do much more than that. Stay tuned folks and if you’re hiring, hi how are ya?! I’m practically perfect.
Newsy
The past couple weeks have been busy, both for me and cybersecurity. Above all else, I’m happy to share that I had my first tech interview for a threat analyst position, which was an excellent learning experience. Hacking is once again in the news. Something big has happened when my parents email me about it two days after the story breaks.
FireEye, a major security company, has been stripped of its ‘crown jewels.’ Cutting edge red team tools are now in the hands of an unknown nation state adversary. Less than a week later, the SolarWinds supply chain attack surfaces. Are there additional incidents still to come?
This mystery attacker just pulled a heist and in my opinion, they will cash out these spoils in a future series of targeted attacks. There are no 0-day exploits present so this won’t be another WannaCry, but the infamous incident is already a common source of comparison to the FireEye event. Taking the situation at face value, a major cybersecurity firm, one that’s had a hand in the identification of specific foreign threat actors in the past and is at the heart of our national cybersecurity culture, just got owned.
This isn’t the only cybersecurity news story non-techy people have been exposed to recently. Another perfect example is the exciting news regarding the Zodiac Killer’s broken cipher. Hopefully, this breakthrough can lead to the information that reveals the killer’s identity. I was exposed to the story of Zodiac via the eponymous 2007 film.
This timeless, chilling masterpiece chronicles the antics of the nefarious Zodiac Killer who terrorized Northern California in the late 60s and early 70s. When I first saw this film, I felt I was viewing a period piece or a dramatized version of what really happened. Either way, the subject matter felt frozen in time. A famously unsolved case that captivated the nation; end of story.
Just kidding because here we are in 2020 with loads of time on our hands. In the early days of December, a team of 3 brilliant minds put together the elusive solution to the Zodiac Killer’s cipher text. Their names are David Oranchak from USA, Sam Blake from Australia, and Jarl Van Eycke from Belgium. Before their breakthrough discovery, the group theorized that the killer may have modified or rearranged the code after converting the original message.
Van Eycke generated over 650,000 permutations of the shuffled cipher which were passed into a program called AZDecrypt. That’s when they caught their first lucky break. The phrase ‘or the gas chamber’ was noticeable in one of the countless possible translations AZDecrypt spit out.
The cipher was originally sent to the police in the weeks after a man claiming to be the Zodiac Killer called into a morning talk program and spoke with lawyer Melvin Belli. He mentioned his desire not to end up in the gas chamber. Other completed phrases appeared in the wash of randomly generated text, but ‘gas chamber’ is what caught David Oranchak’s eye. Using this crib or partially completed segment of the cipher, the team was able to crack the code. It was even verified by the FBI!
What else happened? It’s not earth-shatteringly important, but my beloved Adobe Flash is finally entering end-of-life status. Millennials like me will probably associate the once popular and powerful framework with the endless iterations of ‘free flash games’ websites. I spent too much of my time running through Madness Interactive, Line Rider and who could forget Slime Soccer. I shed a virtual tear as I clicked the uninstall button.
Anybody who’s ever played a video game with any kind of hacking section will appreciate the last piece of news I wish to discuss. British white hat iOS hacker Ian Beer published a paper detailing an iPhone attack that is disturbingly simple to understand. Hold a button to hack the terminal, it’s almost that easy.
During his 6-month quarantine, Beer discovered a way to use Apple Wireless Direct Link (AWDL), the technology that makes services like AirDrop possible, to gain access to an iPhone within close proximity to the attacker device. Making this attack more dastardly still, the attacker can force the victim’s iPhone to turn on its AWDL even if it was off.
What’s significant is not the attack itself. It was patched by Apple earlier this year. It’s the simplicity. This video shows how easy it is to grab a photo from the victim’s device. Ian even has the decency to use stuffed animals in his video, demonstrating the intellectual level at which this attack exists. Its technicals are way above my head, but the video speaks volumes.
These stories are interesting enough to make headlines, but it’s their flavor that piques the interest. The FireEye team is doing a tremendous job staying calm and staying positive in the wake of this disaster, emphasizing that this is an opportunity to collaborate and learn. The mere facts that nobody is panicking, and that the language used in FireEye’s official PR is inclusive and positive, ripple across the industry.
I’ve heard the excitement that cybersecurity professionals exhibit when recollecting their experiences during a large scale attack. This is what we prepare for and after it’s all over we’ll be stronger and smarter for next time. As a total noob, I’m amazed at the speed at which FireEye is able to release counter-measures to the stolen tools and the sophistication of the information they disseminate post-incident.
Zodiac’s cipher has been cracked, and Adobe Flash is no more. Plus a world class white hat hacker can demonstrate to the world just how scary a cyber attack can be to anybody with a little time and curiosity. Ian Beer writes:
The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine.
Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.
I’m in agreement, and I absolutely love his straightforward phrasing. I write too much when there are no requirements but I’ve been having fun, what can I say! If you’ve made it this far, I thank you for supporting me. Please leave a comment with any suggestions or thoughts and stay safe and healthy out there.
Emboldened
Even the most amateur writers know that the first draft of any document rarely looks like the final version. As a writer, I’d kill to have the ability to write something once and be done with it. I’m on the 5th or 6th run through of my novel at the moment. So much editing I’ve lost track. Somebody should’ve told that to George Lucas.
We all remember how fantastic the original Star Wars trilogy is and if you’re like me, you remember the disappointment of Episode 1. Meesa Jar Jar Binks! Woopsie, there goes the franchise’s credibility. How much was Jar Jar Binks’ character, and the overall story for that matter, discussed and revised by writers? Apparently not at all. Legend has it The Phantom Menace’s story is shockingly close to Lucas’ first draft and was barely revised before it was made into a film.
They said Lucas could do no wrong after the original trilogy. The Phantom Menace was one of the most anticipated movies ever, in its day. Its mere existence threatened and discredited the entire franchise. I believe the absence of one woman played a big part in this folly. Her name is Marcia Lucas, the forgotten genius behind Star Wars.
She and George met in an editing room and were an item for almost 15 years afterwards. Coincidentally, this is the period of time in which episodes 4, 5 and 6 were released. Marcia Lucas not only won an Oscar for her editing of A New Hope, but she also edited early Scorsese work, notably Taxi Driver. She concluded her marriage with George Lucas after helping him edit and release Return of the Jedi.
What’s even more significant about this brilliant editor is the weight her input carried with her powerful husband. Sure Star Wars wouldn’t exist without George Lucas, but it wouldn’t have been any good without Marcia. Her input and no-nonsense retooling of George’s weaker ideas polished Star Wars into the gem it is. From engineering the significant death of Obi Wan Kenobi aboard the Death Star to completely overhauling the originally bland trench run sequence, her influence runs deep to the Star Wars core.
Like George Lucas, I too bounce ideas off my wife. She has the strength and confidence to tell me when an idea is good, bad or merely satisfactory. When writing my novel, I use bold to highlight sections of my work that need attention. Exactly like comment denotation in programming. I’m most familiar with Python, so I (and the computer running the program) know to disregard anything after a #.
All programming languages are different, but the need for comments exists in nearly every environment. We’ve managed to come to a consensus on that, and a simple Google search will tell us how to comment in a language we are unfamiliar with.
Cave peoples left artifacts behind; links to our shared past in the form of primitive cave paintings and trinkets. I like to think of these as comments. When I began exploring programming (from an extremely high level) I was amazed by the prevalence of commenting in programming. I mistakenly believed that in IT, there is a correct way and an incorrect way to do everything. This is a personal business. People, not computers, make things happen.
The tech community is very open and welcoming of newcomers, a fact that reinforces the collaborative themes I’ve discussed. The concept of importing modules in Python also comes to mind. We don’t have to create the world before beginning a project, we can borrow what somebody more experienced already made and modify it to suit our needs.
If Marcia Lucas heard George, twinkle in his eyes, explaining the concept of Jar Jar Binks over coffee and toast in the morning, she’d probably have rolled her eyes. It was Lucas’ brashness that led to a less than perfect project. If he’d used his resources better and maybe left a comment or 2, things would be different.
Atomic Habits Part 1
I have a problem, and it’s complicated. At the midpoint of my cybersecurity bootcamp, we were given an achievement “test”. My wonderful professor told us not to worry, and focus on showing that we know the material instead of pushing to get the best grade possible. It takes a lot of courage to admit how difficult the test was for me. Nearly every second I had outside of work was spent working on the dozen or so problems. The Python section was particularly taxing. During a subsequent office hour with a TA, I was told that the 15 lines of code I wrote for a problem were eclipsed by one of my fellow students’ 3 lines.
At the recommendation of a network operations manager I’ve been in contact with, I’ve been reading a book called Atomic Habits by James Clear. I’m reading this book in an effort to change my habits for the better, specifically relating to my new career in technology. In the chapter titled: The Law Of Least Effort, a particular example caught my attention.
To increase the rate at which citizens filled out a particular tax form, the British government changed its strategy in a tiny but impactful way. Instead of sending out a URL to a webpage that contained a download link to the form, a link directly to the form itself was sent out. Response rates immediately rose almost 4 percent. This example ties in perfectly with my issue of complication.
In kitchens, the desire to take the easy way and cut corners is constant. Cooks stress about time management. Utilizing the wrong strategy will not only slow things down, it may reverse any gains made from doing the right thing previously. You have to clean up your mess before starting again. So where is the balance, and why do more experienced cooks and chefs often appear slower than their younger colleagues?
As a chef, I drilled this point into bewildered cooks, praying they’d take my advice to heart: the method that takes the longest, is the most annoying, and generates the most dirty dishes is usually the best method. If you skip a step, or try and save 5 seconds, it could cost you 5 minutes.
Don’t bring the mess to the garbage can, bring the garbage can to the mess. Do things right the first time. Swap your containers so the edges don’t get crusty. Rest the spoon you stir the soup with on a tray instead of the counter. As a butcher, I’d go through three or four containers when most cooks would try and get away with just 1.
Tech is a whole ‘nother ball game. Screw up? Hit the undo button. Don’t know how to do something? Google it. 10 lines of code? How about 1? Each line, each process, costs computing resources and computing takes time and electricity. Why be fancy? Just do it. Keep it simple stupid. Even the great Bill Gates has my back on this. He famously stated he preferred giving tough assignments to lazy programmers who will find the easiest way to get the job done.
Edabit has been a godsend. I try and hit the Python challenges at least a few times a week, and recently I’ve noticed a change. I’m starting to see through the ifs, elses and parentheses. No matter what subject, I find a way to relate it to cooking. More dishes in the kitchen equals fewer lines at the console. I’m changing. Day by day I’m changing. It’s simple really.
End of the Line: A Fated Journey
Although I wouldn’t categorize myself as a spiritual person, I believe in fate. I met my wife under a very specific and difficult to predict set of circumstances. The window of time where our relationship could begin and eventually blossom was so thin, I consider it a miracle that it even happened. It was like the universe aligned specifically for our union.
After 9 years working in kitchens, on November 9th, 2020 I completed my last professional cooking shift. The grandiose exit I hoped to make was obviously cut short due to the pandemic. I imagined a sea of industry colleagues clustered about me in a collective wash of happiness. Instead I clocked out of my hum-drum job and made for the exit with a quick wave and a nod at my 20-something coworkers, most of whom I barely knew.
I’m not sad. Fate has a gleeful way of rearing its head. Again, I’m not spiritual. I rely on fact based evidence in my daily life, however, when I checked my emails that afternoon, a sense of calm settled over me. My career services representative had sent out a mass email to the students in my cohort, making first contact with us. The email was basic and introductory in nature, but to me it was more significant. Its presence solidified my transition.
My last day of cooking and my official beginning of job hunting coincide. With my extra time freed up from not cooking, I plan on continuing with this blog, learning cybersecurity, editing my novel and above all else: focusing on getting my cybersecurity career off the ground. Hopefully I have a little more time to cook for myself and my wife too!
YumTech
About nine months before the pandemic hit and I made the decision to change career paths, my wife and I almost moved across the country to California to take up private chef positions. Private chef is a job that is known to provoke scorn from many a seasoned chef, but the financial rewards are undeniable. I’m not an expert on private chefdom; not by a long shot. However, it’s a fairly obvious statement to say that LA is the king of private chefs. The celebrity factor, plus the overwhelming focus on healthy and natural foods, allows for a thriving private chef industry to exist. Chefs and cooks of all backgrounds take advantage of this excellent opportunity to replace the drudgery of restaurant life with the relative stability of being a private chef.
It was on this strange journey out west that I realized the true power of food to those who are unskilled at cooking. Private chefs do not come cheap. A trip to a nice restaurant might cost over $100 per person; however, that’s peanuts compared to the persistent costs of even a reasonably priced private chef. There’s also the quality to consider. A good restaurant provides table service, atmosphere, and a guided experience from a server whose only goal is to make the dining experience magical. There’s a menu of different options to choose from, many of which may be unique to that restaurant, or incredibly difficult to produce in a home kitchen.
So why even waste money on a private chef? Some stranger bustling around your kitchen, serving literal home-cooked food for premium prices, doesn’t sound like a deal to me. However, I’m not the target market. If you’re a celebrity actor, stressed executive, or high-powered worker who makes difficult decisions on a minute-by-minute basis, cooking wholesome, nutritious, and delicious meals may not be a possibility. Cooking nice food for somebody indirectly relieves stress, and allows them to produce better work. Enter the IT connection.
When I came up with this blog post, I was operating under the conventional wisdom that human beings have evolutionarily “expensive” brains. Translation: our caloric intake is disproportionately routed to our brains as compared to similar animals/primates. Article1 Article2 While these two articles I found on Google cast doubt on this theory, I think the idea that brainpower requires significant calorie consumption is still important.
Programmers love food. I’m picturing a stereotypical, junk-food obsessed nerd slaving into the wee hours of the morning in front of a computer screen surrounded by energy drink cans and chip bags. Consider the high caloric value of junk food. IT work (or in my case IT training) is incredibly mentally draining. It’s not that the material isn’t fun to learn (quite the opposite), but it is quite dry, to quote a friend of mine. I can’t imagine anybody in the IT field, no matter how much they love their job, pining to get back to the terminal after a nice long weekend off.
In this pandemic, chefs and restaurants have been hit hard due to the fact that they do not fit under the umbrella of necessity. I agree 100%. You can eat canned tuna and Oreos every day. You’ll survive, sure, but if this pandemic went on forever, could you even call a world without high-quality food made with love worth living in? An old chef of mine, after throwing away several containers of food that had been pushed to the back of the cooler and spoiled, remarked that restaurants are not good for the environment. I countered with ‘but they are good for the human environment.’
As I slowly start my IT career, I’ve come to appreciate food to a greater degree. When I’m in the middle of reviewing, or taking a class and my wife makes me food, you better believe I’m excited. I’m also relieved I don’t have to cook for myself and can fully concentrate on my work. I miss cooking greatly. However, when this pandemic is over, somebody else will be doing it for me, and I’m grateful for that future.
The Ultimate Penetration Tester
If being a video game designer is the creme de la creme of teenage boyhood job aspiration, then penetration tester is the dream job for cybersecurity transplants such as myself. During an introductory meeting I attended as part of my LSU cybersecurity boot camp, the program director joked that ninety percent of the people she’d met who expressed an interest in cybersecurity mentioned their desired job to be penetration tester. It’s the sexy job; one that daring and creative individuals have.
Penetration testing requires a cunning and adaptive mind, and that’s just if you’re sitting in front of a computer screen. Imagine being a physical pen tester. Like IRL. This profession involves a combination of physical and digital intrusion testing including, but not limited to: confidence scams, lock picking, and transferring unauthorized executable files to a victim’s system via a simple USB drive. Getting caught by your target company’s staff or security team is a constant threat.
I can’t count the number of stories, podcasts, and YouTube videos I’ve taken in that contain tales of slick, white-hat burglars and con men doing security audits for a variety of businesses. While being a digital penetration tester, whose role consists of auditing a company’s computer system for vulnerabilities, is a highly specialized, technical position requiring years of training, I have a feeling that the best physical penetration testers are born, not made.
The more I learned about penetration testing, the more I thought of one of my favorite television characters. The one and only Ricky, straight outta Sunnyvale Trailer Park. Some of Ricky’s best moments on Trailer Park Boys have occurred whilst he’s at the mercy of law enforcement and caught in a compromising situation.
There’s the time when Ricky is pulled over by a police officer, stolen goods clearly visible in his car. With a simple “Hey don’t you know Jim or Jim knows you?” he’s connected with the police officer via a fraudulent name drop. He used a common name, and committed to its usage, adding believability. Not only does Ricky not have to produce documentation for the stolen articles, but he even scores a free cigarette from the cop.
My favorite Ricky moment by far is when he steals furniture from an office. He and his buddies walk into an office building during business hours, and begin to remove the furniture. After their actions are questioned when they attempt to remove the center table of a meeting currently in progress, Ricky acts annoyed at the accusations.
He claims new items are coming in ten minutes after they leave with the furniture and they need to make room for it. After another simple name drop, combined with Ricky’s undeniable confidence and a little acting, he’s propelled to victory. The office workers even help him carry the tables and chairs outside.
I know it’s just a show. Ricky doesn’t really exist. However, if the fictional Ricky stayed in school and stayed off drugs, he could have been an ace penetration tester. Even after 9 years in the culinary industry, I still get nervous thinking about going into a strange kitchen for the first time. It’s a tightly controlled environment with its own lexicon, landscape, and rules. Acclimatizing yourself to the ranks and systems of a kitchen environment is a slow process.
I’m a fairly confident person. However just because I won’t lose any sleep if I have an interview the next day, doesn’t mean I’m not anxious about it. Throughout middle school, high school and even early college, I struggled in social situations. My friend group was small, and I had anxiety about my social standing amongst my peers. Whenever I think about security audits, I’ll do my best to bring out my inner Ricky.