I got a copy of Practical Anonymity by Peter Loshin a while back via O’Reilly, which had a sale on it. I finished it about two weeks ago. For what it sounded like it would be, I’m disappointed. I was expecting something more along the lines of “How to be Invisible”. For what it was, it was pretty good.
On what planet is General Alexander worth $1,000,000.00 a month?
The news wires reported General Keith Alexander moved into the private sector and is offering his services to finance companies for a million dollars a month. This is the person that took control as the director of the National Security Agency on August 1, 2005 and left in October 2013 (Wikipedia). Remember, that was after the Edward Snowden leaks came out.
Which really leads one to wonder: were those really leaks, or was that a case of “we know this is compromised, let’s make it public knowledge so we can hide the real data”? Here is an interesting thought: is Snowden really still working for the U.S. Government?
If you’ve read the Cryptonomicon or seen the Sherlock episode “A Scandal in Belgravia”, you probably know what I mean. For those that need a quick refresher – let assets of lower value go, to hide the assets of higher value. Blow up planes with dead people on them, instead of letting real passenger jets get blown up. Let a German U-Boat sink a freighter or get past the blockade to keep them from realizing that the codes are broken.
The C-Levels at banks should be asking some hard questions if Gen. Alexander is showing up offering them service. Like what really happened on the Snowden watch. How does that failure make his people qualified for the private sector’s needs? Yes, while Gen. Alexander may have some Government related attack sources, we already have that in the private sector with Infragard, and the different breach reports.
using 1000 mA to power Raspberry Pi and TL-WN722N
I’m working on a project using the Raspberry Pi. The requirement was that I use the TP-LINK TL-WN722N; actually, I just needed a wireless adapter with an external antenna. When I found the TL-WN722N on Amazon, the reviews said people were having no problems plugging the device straight into the Raspberry Pi.
While researching things today, I came across this penetration testing article by Cyber Arms. There, and in several places on the Raspberry Pi forums, it said that people needed to use 2.1 amp USB chargers. The others wouldn’t do what was needed with the Pi and the wireless adapter plugged in. So I went out and got 3, 2.1 amp plugs, when I bought extra Raspberry Pi units.
I’ve done some testing with the power cables I got last time, the standard 5V, 1000 mA (1 amp) ones, and it ran the plug for the wireless keyboard remote (small keyboard) and the wireless adapter, with no problem.
Here is the one I got, it’s made in China, and sold via MCM. Sorry about the flash on the photo, but that was the best one I got after 10 tries.
I’ve been busy again:
I know I haven’t written here lately, and I’m not getting in the number of blog posts I want per week. However, I’ve been busy with school and projects. I only have time right now because I can only run 1 Raspberry Pi (of 6) at a time (right now), and the first one is going through Kali’s apt-get upgrade. Man, talk about not the fastest. Going to clone that drive and copy to other flash drives.
Currently, I’m working on a project for my independent study at Eastern Michigan University. The project and documents have to be turned in by Monday night, so I’ll talk about that after I get the stuff done.
The Eastern Michigan Campus Crime Project turned out really well. My team and I presented on it at Circle City Con in Indianapolis. What I thought was going to be a simple 4 week project will probably take the rest of the year to complete. That’s with 4 of us working on it. There is some more interest on campus and suggestions on how to move this forward. I’ve got a really good team, and I’m really proud to have worked with them on the project.
I also dug out, and updated (slightly) my Human Trafficking talk. I’m a little wary of posting that one. Goes against my OPSEC views, but the presentation is important enough. I will say this, things have changed in a year+ since I stopped working on it. Got some good books to go with it too, I’ll get reviews of them up eventually.
There will be another book review up over the weekend (probably Sunday) as well.
Testing the right things
The company I’m contracted to did a Business Continuity / Disaster Recovery test recently. We were called the day before and told the building would be closed, and that we had to work from remote locations (read as home). The problem is, it was not an accurate test.
The C.I. Desk: FBI and CIA Counterintelligence As Seen From My Cubicle By Christopher Lynch
I’ve read a few other biographies and case histories from people that work at the CIA, but this one wasn’t as interesting as those. I understand that the book had to go through Pre-Publication review at both the FBI and the CIA, but what was left of Mr. Lynch’s The C.I. Desk (Amazon Affiliate Link) was mostly him complaining about each and every job he had (or at least that’s what stuck with me). I understand that things had to be taken out, and he would point out that parts were cut by the agencies, including one whole chapter. While there were some entertaining things in the book, and some insights, the part of the book I was most struck with was the Bureaucratic Behemoth that he felt he was fighting against.
Overall, I wasn’t impressed with this book. Mr. Lynch worked for Robert Hanssen, and worked with Aldrich Ames while they were active in spying against the US, but his units didn’t track down the spies in the organizations, even though their job was supposed to be Counter Intelligence.
* Update 2024-10-05: changed to Amazon Affiliate Link, from which I earn a commission on qualifying purchases.
It’s All Source Intelligence, not just osint
I keep forgetting that my university teaches All Source Intelligence Analysis, not just Open Source, but it is easy to forget when OSINT is so prevalent. The school’s classes and the IASA club do cover others.
Yes we do lots of OSINT, and Social Media / Cyber Intelligence looking at the social media sites, IP address related tools, and the logs of the servers. However, we also use other for Cyber Intelligence to see what’s going on, on the servers. We use the logs, the open connections, what’s odd.
We do use tools to track wireless signals, mostly for wifi, but there are a few people at the school, in the IA program looking at more than just wifi. They even ran a Fox Hunt (hid a radio and had people go find it). We use packet captures on networks and on servers to see what is going on, on the wire.
We do Human Intelligence probably the most without realizing it. Any time we have to interact with someone, usually as a customer on the phone, we have to elicit the information needed from them. There is lots of cruft to discard to get the data we need, but we can’t fix their issues until we do. We don’t have to be help desk to get that level. Sure, we’re not turning people to help us spy on things, but it’s still getting the info, finding what is realization via analysis, and then having an end “product”.
I know I’ve used Google Earth to find information, by looking at the images, and building out from there. Where I want to live, aerial views of crime locations, working with a team to plot those locations.
Ok, so I can’t think of anything where MASINT comes into play, at least not off the top of my head, but I’m sure there is something. I’m sure that mapping out nuclear bomb blast radius for Disaster Recovery at work does not count. Don’t ask, but like I said, I’m pretty sure it didn’t count. I didn’t do measurements and used someone else’s tools on the web which just overlaid on Google Maps. I don’t have a way to test and validate; well, I guess I could by doing OSINT at a library, and then mapping by hand once I understood the bomb blast radius.
I must remember, the degree program taught me things that I don’t think about daily too.
Speaking at Circle City Con
I submitted two talks to Circle City Con. Both were accepted.
One is a group presentation on EMU’s campus crime.
The other is my Intelligence Analysis 2 research project.
Another Tony Mendez book
So at some point (the copyright / Library of Congress page says 2007), Tony and Jonna Mendez wrote a book for the “Scholastic Ultimate Spy Club”. It’s a basic little book written for kids, on the basics of tradecraft. The book title is “Gather Info, Getting the Scoop by Using Your Wits”. When I first saw it on Amazon, I was expecting an adult book on tradecraft, not a kids book.
Since the book arrived last week, without the spy glasses (mirrors on the inside), I kept asking why I paid that much for an out of print kids book. I however went through it in one sitting tonight, since it was 32 pages, and actually was happy with the purchase. The majority of the stuff in it I knew how to do already. Not surprising since this is written for kids. I did have some flashbacks to my own mis-spent youth in the 80s and 90s.
The Visual sweep technique, while only one page, was really useful. I’m going to put that into more practice. Short version, stand in the door, look over the room left to right, and observe. Granted I do something like this already, maybe not always left to right, usually as a whole, but still nice to read.
Is it worth the price you’re going to pay for it if you order from a re-seller on Amazon? No, but I bought it because I want to have all of Mendez’s books, for a proper and complete collection. Although, if it had the glasses it would have been even better. There was even a page on OSINT.
“it’s working don’t touch it, it’s not broken”
A running theme I noticed as of late has been the “it’s not broken, because it’s working, so don’t touch it you’ll break it”. John Strand mentioned it, when talking about Windows XP hitting end of life, on Paul’s Security Weekly 367. Ben Ten and I talked a little about it today in regards to Heartbleed. Lastly, I just got off a 4 year project that existed mainly because it wasn’t broke, so don’t fix it.
Here is the problem. IT / IT-Security sees something as “broken”, when it is at end of life / end of service. When we can’t get parts for it anymore, when patches aren’t being made, etc, we say we have to replace it. We say it’s “broken”, or at risk, etc. However that’s not how management sees it. They see it as a system that is still doing what it was purchased to do. It’s not broken, it’s just old but works fine.
IT / IT-Security doesn’t get to say when it’s broken, it’s the “business” that gets to say when it is broken. However it is usually our fault, as IT, for not having a new system in place when it finally stops doing what it was purchased for. A good example is a publishing company I worked at. We had Reel to Reel microfilm duplicators; these were devices whose manufacturer went out of business. They ran NT4. The last I heard, they were still working like a champ, and the company still didn’t see a reason to invest in something new, because those were not broken, they were just old.
To a point it seems a little silly. Companies get to write off new equipment via depreciation. Investing in what they need to have to do business makes good business sense. But we live in the cut to spending and the bottom line in the name of profit world, so we end up seeing the don’t fix it if it’s not broke attitude come out.
Like I said, I just finished a 4 year migration project. I only worked on it the last 9 months, but every single person I had to interact with to migrate said the same thing. This solution works, migrating will cost us time and money, we’re not moving because doing so will stop the production lines of the product the company makes. The “business” backed those people, because without justification, they said things would stop. The stance the “business” took was, the old stuff is working today; it is old, but not broken. Don’t fix it.
Preventive maintenance is like getting your teeth cleaned. You don’t do it because you like it, or can afford it. You do it because the cost of prevention is cheaper and less painful than the alternative. You don’t fix things when they’re broken, you fix them before they break so they don’t break. We need to learn to tell the business that in better terms than we have now in both IT and Cybersecurity.