Archive for February, 2014

This will be another long post.

A couple of weeks ago, you may have read that the Syrian Electronic Army hacked into Forbes and posted a bunch of usernames and passwords. What you may not know is that Forbes has been fairly transparent in describing how it happened and how they plan to mitigate going forward. This is contained in a series of articles they posted on their website.

To make a long story short – they were phished.

From: How the Syrian Electronic Army Hacked Us: A Detailed Timeline of Events, all highlights are mine:

Early Thursday morning, a Forbes senior executive was woken up by a call from her assistant, saying that she’d be working from home due to a forecast predicting the snowiest day of the year. When she ended the call, the executive saw on her Blackberry that she had just received a bluntly worded email that seemed to have been sent by a reporter at Vice Media, asking her to comment on a Reuters story linked in the message.

Any other time, she says she would have waited to read the linked story later at the Forbes office. But with the sale of the 96-year-old media company pending, she was on the alert for news. Groggily stepping out of bed, she grabbed her iPad, opened the email in her Forbes webmail page through a shortcut on the device’s homepage and tapped the emailed link.

In her half-asleep state, she was prompted for her webmail credentials and entered them, thinking her access to the page had timed out. When the link led to a broken url on Reuters’ website, she got dressed and began her snowy commute from Brooklyn to Manhattan without a second thought. “It was so insidious,” she says. “I didn’t know I had been hacked for another two hours.”

In fact, the phishing email had set in motion a two-day cat-and-mouse game with Syrian Electronic Army (SEA) hackers who would deface the Forbes website and backend publishing platform, attempt to post market-moving news, steal a million registered users’ credentials, and briefly offer them for sale before leaking the data online.

This is an effective strategy and it was part of a two-pronged attack. Someone from Forbes got an email that is somewhat related to what they do, and they may have even received a link like this:

Hey, what do you think about this? Is it true?
http://www.article-to-some-important-new-site.com/article/cgi?=randomstuff

If you hover your mouse over the link (if reading this on a laptop or desktop) you will see that the displayed http link is not the same as the destination the link actually takes you to.
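As an added example (not from the original post), here is a simple defender-side check for the pattern just described: it parses an HTML message body and flags anchors whose visible text is a URL on a different host than the real href. The message body and every host name in it are constructed for illustration.

```python
# Added example (not from the original post): flag anchors whose visible text
# is a URL whose host differs from the href's host. Sample body is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A bare domain with optional path such as "www.example.com/news" (no scheme).
_BARE_DOMAIN = re.compile(r"[\w-]+(\.[\w-]+)+(/\S*)?$")


def host_of(text):
    """Lowercased host of a URL-like string ('www.' dropped), or None if not a URL."""
    candidate = text.strip()
    if "://" not in candidate:
        if not _BARE_DOMAIN.match(candidate):
            return None  # plain words such as "click here" are not URLs
        candidate = "http://" + candidate
    host = urlsplit(candidate).hostname or ""
    return (host[4:] if host.startswith("www.") else host) or None


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return (shown_text, real_href) pairs whose shown and real hosts differ."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append((text, href))
    return findings


# Constructed sample resembling the lure quoted in the post.
SAMPLE_EMAIL = """<p>Hey, what do you think about this? Is it true?</p>
<a href="http://webmail-login.example.net/">http://www.article-to-some-important-new-site.com/article/cgi?=randomstuff</a>
<p>Unrelated: <a href="http://www.example.org/">example.org</a> matches its href,
and <a href="http://www.example.org/">our site</a> shows no URL at all.</p>"""
```

Only the first anchor is reported: its visible text names one host while the href goes to another, which is exactly what hovering over the link would reveal.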

The linked page asks the user to enter their credentials. Being prompted to enter your credentials at work is so common that many people don’t think twice about it. This person was doing their job and so far everything more-or-less fits with their general work flow. It’s not exactly congruent, but close enough.

Once inside, the hackers used another effective tactic – they moved laterally. They sent spam from the compromised account to other users in an attempt to gain access to important data. While the spam filter didn’t catch the first message even though it came from the outside, it definitely wouldn’t catch messages sent from the inside, because most environments assume that the inside is secure. People inherently know that it isn’t, but it’s close enough.

Until it isn’t.

Forbes also posted a follow-up article by Kashmir Hill, based on an interview with the attackers, about why they attacked Forbes. According to a representative not involved in the attacks but close to those who were:

He says that Forbes editorial content on Syria made it a target, pointing to recent articles about a hacker who claimed to find porn on Syrian secret police’s computers and an article decrying the SEA’s hack of the Marines’ website. “This is pure propaganda,” he said. “This is a message, we will not tolerate lies.”

In other words, this was an episode of hacktivism and resembles the 2007 DDoS attacks on the government of Estonia by Russian youth angered by the Estonian government taking down a Russian World War II memorial.

I want to make three points about this incident:

  1. This was a well-executed social engineering attack.

    When I say “well-executed”, what I mean is that all the pieces of the puzzle were done with minimal suspicion.

    – The web page where the user entered their credentials looked like a valid login page
    – The phishing email didn’t contain suspicious language (i.e., grammatically correct)
    – The phishing email was relevant to the target
    – The landing page was hosted on a compromised server
    – The phishing email was sent from a compromised server that had not previously sent high volumes of abusive content

    In other words, there was a great deal of care taken by the attacker to disguise their tracks, and it would be difficult for the average consumer of email to detect this without a high level of vigilance (i.e., working in the security industry, receiving lots of education, etc.)

  2. People in the security industry are very smug about how they, unlike others, won’t fall for scams, but they shouldn’t be

    This is the point that prompted me to write this post. Forbes is not the first company to have something like this happen to them. People are targeted all the time. Yet there are people in the security industry – people I have personally talked to – who say that the people who clicked the link and entered their credentials are “idiots.” When I challenged them on this point, they dug in their heels and reiterated “Nope, they’re idiots.”

    The idea is that only an “idiot” would fall for something so obvious and do something so careless like entering their credentials on a web page that looks like their regular corporate login page.

    This strongly irritates me because the average consumer is not overly security aware, but they do have a basic awareness. People know about bad passwords and poor security habits, they just don’t always act on that knowledge. In the Forbes case, the user was aware but made a poor judgment. The problem is that the average consumer does not have computer security awareness drilled into them over and over again to internalize these behaviors.

    What irritates me is that we in the security industry complain about consumers’ poor security habits even though they lack education. But what does it say about us when we ourselves have poor health habits despite an abundance of it? For example:

    * We all know too much sugar is bad for us. It makes us gain weight and is bad for our teeth. This is reinforced almost every day. How many of us eat too much sugar? And junk food in general?

    * We all know that an inactive lifestyle is very bad for us. Yet how many take steps to ensure we get our 10,000 walking steps per day? Or try to alleviate sitting for 6-8 hours per day like the typical office worker?

    * We all know that staring at computer screens is bad for our posture, our muscles, and our eyes. Yet we do it anyway in spite of health advice that tells us not to.

    * We all know that we consume too much energy in the first world. Yet how many of us make sacrifices to reduce our energy consumption without prompting from anyone?

    In other words, the average consumer makes mistakes in a very narrow set of circumstances. Yet the same people who call consumers “idiots” for making a bad choice in spite of their lack of knowledge make bad choices every single day in their own lives in spite of an abundance of knowledge.

    And that bothers me because it is a double-standard and we should know better.

  3. Criticizing others for falling for scams makes a Fundamental Attribution Error – not accounting for the situation

    From Wikipedia:

    “The fundamental attribution error is people’s tendency to place an undue emphasis on internal characteristics to explain someone else’s behavior in a given situation, rather than considering external factors.

    For example, consider a situation where Alice, a driver, is about to pass through an intersection. Her light turns green and she begins to accelerate, but another car drives through the red light and crosses in front of her. The fundamental attribution error may lead her to think that the driver of the other car was an unskilled or reckless driver. This will be an error if the other driver had a good reason for running the light, such as rushing a patient to the hospital. If this is the case and Alice had been driving the other car, she would have understood that the situation called for speed at the cost of safety, but when seeing it from the outside she was inclined to believe that the behavior of the other driver reflected their fundamental nature (having poor driving skills or a reckless attitude).”

    Thus, from my point #1, this was a well-executed phishing attack. Saying other people are “idiots” fails to consider the circumstances in which this person clicked the link:

    – She was an editor who is asked to comment on articles like this regularly
    – She got an article and was asked to comment
    – She has to log in to pages regularly
    – She doesn’t normally see spam in her inbox
    – She is used to obvious spam like “Get your free Viagra” or something similar

    Security professionals have what I call an “empathy gap” where they are unable to see the situation from the average user’s perspective. It is obvious to us but it is not obvious to others.

    However, in my own life, there are many things that are not obvious to me:

    – I don’t know exactly how my furnace heater works (I paid a professional $800 to fix it this morning)
    – I don’t know exactly how the plumbing in my house works
    – I don’t understand the medical billing system or what many of the words mean when a doctor explains to me what is wrong with me
    – I don’t fully understand exactly how all the parts of my car work together

    When I look at myself, I am an expert in almost nothing in life. Because of this, I need to empathize with the average computer user, who has as little expertise in my field as I have in almost everything else. Were they really careless? Or am I misjudging them due to cognitive bias?

Anyhow, those are my thoughts on consumers getting hacked. I’m not picking on Forbes because it could happen to anyone. According to some sources, it has happened to every organization in the Fortune 500.

Tonight, the wife and I are headed out of town to visit her parents.

Last night, the heater furnace died.

This is a very inconvenient time for the heater to go down. It’s still winter and while we would turn down the heat while we are gone, we don’t want to have zero heat. That could cause some damage.

I don’t know what damage, exactly. But it’s a matter of risk tolerance. Because I don’t know, if something really bad happens in the week while we are gone and not around to keep tabs on everything, it will be a lot of money to fix. By contrast, fixing it now may be expensive but prevents future damage of unknown costs.

$800 later, the furnace is fixed.

Tomorrow, Feb 23, 2014, is the gold medal men’s hockey game between Canada and Sweden. The game is 4 am local time where I live and I plan to get up and watch it (whether or not I execute on that plan is still up in the air).

While I enjoy hockey, I am not the best analyst. But I think Canada will win for two reasons:

  1. Defense

    I watched the Canada/US game and Canada just has a big, pounding defensive style. They clog up their defensive zone and it’s tough for the opposition to get anything going. They get one shot on goal and then the puck is cleared (that’s how it was against the US, anyhow).

    Olympic hockey rinks are bigger than NHL rinks, and that favors fast, passing teams, which is what European teams like Sweden are known for. And this Olympic tournament has demonstrated that Sweden is a good team – they have skilled players and they’re good at streaking and passing.

    But Canada’s defense is suffocating. I think that gives them an advantage because the passing and fast skating is neutralized if you can’t get anything going.

  2. Personal Bias

    As I said, I am not the best analyst. Team Canada does have the best players in the world but the fact is I am Canadian and I want Canada to win. That probably shapes who I think will win more than I consciously realize.

Anyhow, that’s my rationale for the pick. But what I want to discuss is my goal of getting up at 4 am and watching the game.

Why am I doing this (trying to do this)?

I enjoy hockey but I’m not a huge fan (it’s my second favorite game to watch but my favorite to play). I don’t watch very many games anymore. When I was a kid I used to watch a lot but less so now.

Instead, the reason I will make the personal sacrifice of waking early is because I like the commitment that it demonstrates.

12 years ago, I was living in England. It was also the same year as the World Cup of Soccer and it was hosted in Japan and South Korea. I wasn’t a big soccer fan but all of my friends were. And, the big game in the opening round was England vs. Argentina!

In case you don’t know, at the time (not sure if still true), England had a huge rivalry against Argentina:

  • In 1982, Argentina invaded the Falkland Islands and England responded by going to war

  • In 1986, Argentinian soccer star Maradona scored a goal by swatting it into the net against England and it counted, and it was the decisive goal (the referees missed it)

  • In 1998, a 22-year-old David Beckham of the England team got kicked out of the game by drawing a red card; England eventually went on to lose in a shootout

So, when England drew Argentina, it was huge! A bunch of friends said they were going to get together at 7 am to watch the game as Japan was about 7 hours ahead of local time. I was like “7 am?” and my friends said “Yes! We’ll make breakfast!”

I was unemployed at the time; this was right after the dot-com bust. So, at 6:30 in the morning I left my house and walked down to my friend’s place where a bunch of us watched the game and witnessed England defeat Argentina 1-0 after David Beckham scored on a penalty kick late in the first half.

Even though the game was super early, it was a lot of fun. I don’t remember much about the game but I do remember enjoying hanging out with everyone and the experience of getting up to watch a sporting event.

That’s why I plan to get up tomorrow. It’s a big sporting event, men’s Olympic hockey only happens once every four years, and the next time they may not even have NHL players in it. This could be the last time I see Canada win gold (or even play for gold).

But more especially, I want to recapture that experience.

So why not get up? Every time I’ve made such a commitment, I’ve enjoyed it.

Hopefully this time is no different.

Whenever I go traveling, I try to avoid bringing back too many doodads. I prefer for my memories to live on in pictures, video and my actual memories.

However, the one exception is artwork. These hang on the wall so they don’t take up that much room. I buy “touristy” stuff and I know it’s not precious artwork but I like it and to me, that’s what matters.

This past week I finally put up two pieces of artwork that had been hanging around a long time. The first is an oil painting that I picked up in Cambodia in April 2012. The oil painting is on a canvas (cloth) that you need to wrap around onto a wooden frame. I didn’t buy the frame (can’t take it with me) so I couldn’t put it up when I got home unless I made the frame.

Last weekend, I finally made the frame. I went down to Home Depot, bought some supplies, came home, charged up the battery in my drill to screw together pieces of wood, and created it. The picture only cost me around $25, as I recall. The frame materials cost around $5. I put the picture on and hung it on the wall. Here’s what it looks like:

Out of all the pictures that I have, this one is probably my favorite. I like the image of Buddha and I especially like the collage of color that goes into the oil painting.

The second picture I picked up in Ushuaia, the southern-most city in the world (there are towns that are further south but none of them qualify as a city), at the bottom of Argentina on the island of Tierra del Fuego. I bought this picture in a tourist shop in Ushuaia. However, it really needed a frame. The wife and I didn’t get one for it until October 2013, nine months after we got the picture. I didn’t put it up until this past week. That makes the time from acquisition to display 14 months. Below is what it looks like:

The picture cost more ($40?) but the frame was ridiculously expensive, around $150. I figured that for that price, I better put it up.

After these two, I still have one more piece left and it will be my most ambitious project – the painting of a mural on the wall.

Well, here I am at 10:24 pm on a Sunday night. The wife had to work today and she worked a later shift – from 1:30 pm until 10 pm. The bridge is closed so she has to take another route home meaning she will be home around 10:45 pm.

Yet somehow, the cat Ruby, knows that she is getting home soon. On weekdays when the wife gets home by ~9:30pm, Ruby starts waiting by the door around 9:15. Tonight, she didn’t bother waiting until around 10 minutes ago (meaning she still has another 20 minute wait). That is, she correctly delayed the start of her waiting period.

I’m not sure how the cat figures this out. While the wife was gone last week out of town, she never waited at all. And now that the wife is coming home later, she waits later.

How is she figuring this out?

A few weeks ago the wife and I took part 1 of a stained-glass class and yesterday we completed part 2. We were there for about 4 hours each time (I’m a little slow) but in the end the product turned out pretty good:

I liked how it turned out. As I was creating it, I thought nearly the whole time “Man, this looks pretty bad.” But 5 minutes before I finished I said “Hey, this looks halfway decent!”

You may be curious what it takes to make something like this. Well, let me tell you:

  1. You pick out a pattern that is drawn on a piece of paper.
  2. You pick out large pieces of colored glass (red, blue, pink, gray, or pink).
  3. You cut out the patterns using scissors from the paper and glue them onto the glass.
  4. Using special tools, cut the glass out. Be careful not to do what I did and slice open your fingers with glass.
  5. Line up the pieces of glass on the pattern and shave down the corners and edges of the cut out pieces. Do this over and over and over again until they fit. This takes FOREVER!
  6. Continue shaving down the edges until they fit even better.
  7. Line the individual pieces with copper liner.
  8. Put goop on the glass pieces and solder the glass pieces together.
  9. Solder the other side of the glass pieces together.
  10. Solder on the edges.
  11. Wipe the goop off the glass.
  12. Put a chemical on the solder to give it a grayish, metallic look.

Finished!

The wife and I do not let the cat sleep in the bedroom.

Why?

Because she’s too annoying. She’ll keep jumping on the bed every 1-2 hours and then walk across our pillows, waking us up. She just can’t sit still. The wife then has a bit of a freak-out moment (“Aaaah! Stop waking me up!”). I don’t know why the cat does this, it’s as if she’s saying “Hello, everyone! What’s going on now?”

However, this past week for a few days the wife was out of town. I decided to let the cat sleep in the bedroom. I was concerned she might be annoying.

She wasn’t.

She stayed on her chair the entire night. The only time she jumped on the bed to wake me up was a few minutes before my alarm went off so it didn’t make any difference to my night time slumber. She let me sleep through.

The wife came home and we let the cat sleep in the bedroom and sure enough, the cat was annoying. Multiple times.

What the heck?

The only difference is that the wife is now home. Somehow, I don’t know what, the wife brings out the cat’s naughty behavior. I need to stay home and see what the wife is teaching the cat.
