The weakest link

For all your firewalls, intrusion detection systems, passwords and password policies, it just takes one uninformed and well-intentioned employee to bring you down.

It’s called social engineering and it is the most effective “hacking” tool available. I had my first experience being on the receiving end of a concerted social engineering hack and emerged victorious.

Yesterday around 3:30 pm I was at my desk when the receptionist put through a call from one of our senior VPs. I was rather distracted with a few things going on, so I was caught a little off guard. The VP in question is someone I know fairly well and have a bit of a rapport with. He asked how my holiday weekend was and we exchanged brief pleasantries. Since I was rather busy I politely moved the conversation to the business at hand and asked him what I could do for him.

He told me he needed a copy of the company Global Address List in Excel format.

[pause]

For the record, this would be the contact information for every single employee in our company. About 800+ contacts. No small thing.

[/pause]

One thing that tends to set me apart from your average IT flunky is that I am not afraid to ask blunt questions, and I had one for Mr. Senior VP.

What on earth for? This was an odd request and it set off alarm bells immediately. I’m not about to hand off this proprietary information without following some type of protocol even if you ARE a senior VP.

He proceeded to explain to me that he was on the road and his daughter had accidentally taken his laptop to school and he needed employee contact info ASAP. It kind of made sense. We are going through a buy-out/merger. It’s not out of the realm of possibility that a senior VP would need this information as part of maybe planning our ultimate re-organization. Still…

He was on a cell phone so it disguised the voice somewhat. It did sound like the VP.

I suggested he access the corporate e-mail system via our web interface. There he would have access to all the contacts in the GAL. He said this was not acceptable and that he needed it in a form that could be printed out.

I continued asking questions like “what is this for?” “Is there another way?” “Can you come into the office and get this?” and one final question “Is this something you would prefer I stop asking questions about?” to which he replied “yes.”

At this point he tried to pull rank. He told me that in his position he should not have to explain himself to me. This is when I was sure there was a problem. Either the person I know is acting EXTREMELY suspicious and out of character or he was not who he claimed to be.

I generated the Excel spreadsheet by exporting the GAL to a file on my desktop. I had to make a decision quickly. I asked him how he wanted this delivered to him and he said “e-mail it to my personal e-mail address” and proceeded to give me an address of files@somethingoranother.com…

My thought was that if he could access his personal e-mail then he could access his corporate e-mail and I told him I would send it there. He asked me to CC the funky e-mail address and I said I would not do that. At this point I told him outright that I wasn’t even sure I was dealing with a company employee and I implored him (just in case I was wrong) to please understand that I am only protecting the company. I basically told him I would e-mail the file to his corporate address and he could then forward it as he pleased.

He was not happy but relented and agreed to my solution. At this point I was a little flustered and after I sent the e-mail I went to my boss to explain what had happened in case I managed to piss off a senior VP. Not something you want to do when they are likely evaluating current and future company positions. I have denied the requests of senior management before, citing company policy. When you do that you are putting your job at risk. I knew I was right but I feared there might be repercussions.

5 minutes later I got an e-mail from the senior VP in question asking what the heck this was that I had sent to him. I explained it and told him he could delete the message.

Turns out whoever was on the phone was impersonating the VP and was totally pulling a scam.

Had I not been alert I could have easily handed off confidential employee information to god knows who.

Let’s be careful out there!

Considerations practical and personal

It sets off a nerve every time I hear someone rant about the loss of personal liberties when it comes to something like a law requiring drivers to wear safety belts. There is a long running debate in this country as to whether driving is a right or a privilege. Arguments for either side are both passionate and compelling.

Regardless of which camp you fall into, to say that the government has no right to tell you to wear a seat belt is short sighted and naive as is the belief that not wearing your seat belt harms no one but the person who chooses not to buckle up.

From the Arizona DPS:

The cost of unbuckled drivers and passengers goes beyond those killed and the loss to their families. We all pay for those who don’t buckle up: in higher taxes, higher health care and higher insurance costs.

On average, inpatient hospital care costs for an unbelted crash victim are 50 percent higher than those for a belted crash victim. Society bears 85 percent of those costs, not the individuals involved. Every American pays about $580 a year toward the cost of crashes. If everyone buckled up, this figure would drop significantly.

Reaching the goal of 90 percent seat belt use and a 25 percent reduction in child fatalities could save $8.8 billion annually.

Those are some pretty amazing numbers.

While it may be a valid concern that government is whittling away at our personal liberties, I think that fighting over whether or not you should wear seat belts is a wasted effort. There are certainly bigger fish to fry and since seat belts save lives and have the potential to save us some money I feel the law is justified.

Besides, I know from personal experience that you simply cannot count on your fellow driver to “do the right thing”, not when death is on the line.

Case in point:

It’s circa 1987 and a younger, more naive Jay Lee is driving his brand new Honda CRX to Temple, TX to visit family for the holidays.

At this stage of my life I’m young, I’m stupid (more so than now, I believe) and rather cocky in that young, invincible, live-forever, woo-hoo kinda way. Still, I don’t like getting hassled by the man and I know full well that the Texas Highway Patrol is out in force on the holiday weekend looking for speeders, drunk drivers and, GASP!, those who may be driving sans seat belt, so I buckle up. Not because I believe in the safety it provides, not because I give a tinker’s damn about health costs or insurance rates. I buckle up because I don’t want to get a ticket.

The Honda CRX is a sporty two-seater and I am enjoying the drive as I wind my way north and west away from Houston. I’m not speeding or, if I am, it’s a few miles over the limit but nothing extreme. I have a healthy fear/respect of law enforcement and don’t really want to be pulled over in a small Texas town.

At that time I was dating a woman named Shari and she was riding in the passenger seat with me for a holiday family visit. I recall at some point she didn’t have her seat belt on. Maybe we had pulled out of a gas station and she forgot, or she had to get something from behind the seat, I don’t remember exactly. I do remember reminding her to buckle up, which she did.

Shortly afterward, I drove into a curve where there was some road work. I noticed the loose gravel sign and thought to decelerate when it became very obvious that we had already driven into the loose gravel. I could feel the rear end fish-tailing and I struggled to control the car, but to no avail. The car went into a spin, proceeded to go backward across the highway and off the road, and flipped onto its roof.

I remember us both hanging there, upside down, firmly strapped in place and looking at each other as we marvelled at our predicament and realized we were both unhurt. Something I am sure would not be true had we not been wearing seat belts.

So I owe my current well being not to my ability to make a choice to protect myself from physical harm, but rather to my desire to obey the law and not pay a fine. And am I ever grateful for that law? You bet your sweet bippy I am!

On top of that we had no health insurance. Had we been injured, the taxpayers of this great nation would have footed the bill for our medical treatment.

So yeah, it’s personal for me. Buckle up!

MC Frontalot in the house

To make last night even MORE interesting we were being videotaped by a crew from Vaguely Qualified Productions for the documentary film Nerdcore Rising.

Kimmy Gatewood and Negin Farsad

Nerdcore Rising is about MC Frontalot and the evolution of Nerdcore Hip Hop.

From the web site:

Nerdcore Rising is a documentary that will uncover the new wave of hip-hop called Nerdcore by following the godfather of the genre, MC Frontalot and his geeksta entourage on their first national tour. They will perform everywhere from gaming conventions to D&D tournaments. And, of course, we’ll get to meet nerdcore fans in all of their Magic-playing, pocket protector-wearing, Mensa-bragging, Jolt Cola drinking, internet-gaming glory.

You can see a trailer for the documentary here.

We were even joined in the studio by MC Frontalot himself, where we witnessed some pretty awesome nerdcore free-styling.

Barrett Canon, MC Frontalot and Dwight Silverman representin', yo!

Barrett Canon and MC Frontalot

Another successful fundraiser

Last night’s show was the last of three fundraising episodes for this fund drive. We were tasked with raising $1920 per show. To make the goal easier to speak to I just announced it as $2000 as a nice, round number.

During week 1 we raised nearly $2700, which was pretty awesome. Our listeners stepped up in a big way. We were joined by Renee Feltz of the KPFT News Department as the fundraising coordinator during the program. Her energy added greatly to the efforts.

During week 2 we fell short of the goal by about $500, so that was a little disappointing. Still, with the overage from the first week we had some cushion, and in terms of the overall goal we were right where we needed to be. Renee was out of town and Robb was absent as well. Dr. Simotas was our fundraiser coordinator and she did a good job. It was her first time to work with the Technology Bytes crew so it didn’t gel as well as I would have liked.

Last night we were re-joined by Renee Feltz and Robb Zipp in their usual roles and Dr. Simotas joined us in the studio. It was a winning line-up as we blew through the goal with 30 minutes left in the show. I think having a fully qualified ObGyn in the studio and on the air during a computer technology talk show pushed us over the edge. The final tally for last night’s show was just over $2600.

Alexandra Simotas in the control room with phliKtid

Overall, we exceeded our goal and it was a successful fund drive for us.

Cult of the Mac – Finding love

So Apple computers has this interesting 24 hour time lapse movie on their site. The camera is in front of the 5th Ave store in New York. You can watch it here.

Pretty fascinating in a commercialized, Koyaanisqatsi sort of way.

There is a bit of an Easter Egg in there if you watch it, though. If you watch the second 5:00 am segment you will see a young man hijack the cam to offer a marriage proposal. You can skip through and around the movie in 1 hour increments if you don’t want to watch the whole thing.

I love you

Will you marry me?

I didn’t get a frame grab of the card with her name on it…

Slitherin!

When I was a kid I loved snakes. I had several as pets growing up. My mother was pretty tolerant of them as I recall. She said anything was better than the pet tarantula one of my older brothers came home with once.

I can recall hunting for snakes in the lots around my house and on camping trips. I caught Garter Snakes, Hognoses, Water Snakes, whatever I found. I even caught a Speckled King Snake at Astroworld under the Texas Cyclone.

My favorite pet snake was a Texas Rat Snake I named Smaug after the Dragon in The Hobbit. He was cool. When threatened, Rat Snakes will vibrate their tail really fast, and when they are in some dry leaves it can sound just like a Rattlesnake. Smaug was a feisty fellow and would do the tail thing at the drop of a hat.

Today while returning from the store after running a quick errand I was flagged down by a woman on the side of the road who was pointing and yelling “SNAKE! SNAKE!” Sure enough, there was a huge snake making his way near the curb next to some apartments right off of Westheimer. Instinct took over and I parked the car and moved toward the reptile. He was obviously a Texas Rat Snake and about 4 feet long. I must have been quite a sight as I did my best impersonation of the Crocodile Hunter and grabbed the tail, causing the snake to double back on itself as he attempted to plunge his fangs into my arm. I was quick and avoided the bite. After a few more tail stops and near misses I had him coiled up on my foot, rattling his tail against the side of my shoe and poised to bite the living crap out of me.

I distracted him with one hand and quickly grabbed him with my other just behind the head so he couldn’t bite me. He coiled up around my arm and I got back in my car and drove home.

The whole experience brought back a flood of memories. There was a time when finding something like that Rat Snake would have made my entire year.

I let him go in the back yard. I figure he’s got a better chance there than he had near that apartment complex. I might have kept him but I think Cynthia would have had a heart attack.

I snapped a few pics. Click on the thumbnails to see Smaug II before I released him.

Texas Rat Snake (three photos)

Glad to be of assistance

As you might imagine, I have answered a LOT of computer questions over the years as a result of my chosen path as demagogy-free radio talk show host and newspaper techno-pundit.

The questions come via e-mail, IM, the phone, in person and via third parties, friends and relatives. Everything from consumer advice to complex network troubleshooting. Sometimes I know the answer, sometimes I am quick with a well-executed Google search, and on certain occasions I just grunt my displeasure at being used in this manner and go back to what I was doing before I was so rudely interrupted.

Since all the Q&As I write for the Chronicle are archived in the Helpline Blog, they are turning up in the search engines when people are looking for an answer to a problem. This means that I am now answering questions without actually interacting with the person experiencing the problem.

There’s no way to track this. I simply have no idea how much assistance (or damage) I am perpetrating. I do, however, have an inkling based on the steady stream of replies to one particular posting I made back on Sept. 9, 2005.

My screen is sideways

It was a Q&A I put together based on a real live helpdesk issue that I solved with one of my users in the course of my workday. In terms of publishing it was kind of a “throw down” posting, in that I did not see this as something that affected very many people; it would possibly be more filler than anything, or perhaps just demonstrate a quirky computer factoid.

I was wrong.

This week I have received three comments thanking me for that one single answer, and I have received around 28 since it was posted. And since I rarely hear from people I have successfully helped, the true number of people this has helped may never be fully known.

I can only imagine how many people have been suffering with a monitor turned on its side, looking for a solution.

I’m glad I could help.
