Blog

  • Personal Cybersecurity 101

    Defense Secretary Chuck Hagel used his first visit to Asia to ask China to stop hacking into and spying on our networks. You don’t need the perspicacity of Nostradamus to see that: Spending on Cybersecurity over the next few years and decades by the defense department will skyrocket and rival every other division of the US DoD. It is also a harbinger of the risks and attacks to come.

    Today cyberattacks are what we use instead of missiles to slow down a country that is trying to make nuclear weapons. And that was 3 years ago.

    While governments may be rapidly building armies of cyber warriors, like the US Cyber Command in Maryland, individuals are relatively defenseless and most of us aren’t even aware of the risks of being attacked in cyberspace.

    To illustrate the risk, here’s how I’d target a specific individual:

    • Create a payload designed to infect their OS X or Windows workstation. The infection would log all keystrokes and send them periodically to my anonymous email address. It would also give me remote access on demand to their workstation to peruse and download files. 
    • Leave the infection lying around their home and place of work on USB thumb drives hoping they’ll install it.
    • Mail a thumb drive to them with the Google logo on it on an envelope that appears to come from Google with a nice letter explaining how they won something.
    • If that doesn’t work I’d crack their home WEP or WPA wifi encryption, gain access to their network and run a vulnerability scanner like OpenVAS on their workstation to find holes. Then I’d fire up Metasploit and exploit and access whatever I want to.
    • Gain access to all the target’s online and offline data.
    • I’m looking for as much personal data as I can find, specifically a social security number.
    • If I’m still unable to get access to that, I’d try social engineering. I’d send them a piece of mail with a bank letterhead and logo warning that an account is about to be suspended with an 800 number that is actually my number. Authenticating themselves when calling my number would require they provide their full social security number and other valuable data.

    The point here is that if someone who knows what they’re doing decides to target you, you’re in trouble. You can use stronger encryption on your home network, use strong passwords, install anti-virus and firewall software and so on. But at some point you’re going to slip up and they’re going to gain access to sensitive data that lets them do a lot of damage in your life.

    Once you’ve taken the obvious precautions, here’s what I suggest to help protect yourself.

    • Sign up with a reputable identity monitoring or credit monitoring service. I particularly like the feature of receiving SMS alerts when a threat is detected.
    • Get a reputable credit card like Visa Signature that reverses fraud transactions no-questions-asked and immediately issues a new card. Use this for online purchases and keep a close eye on your account activity.
    • Only use your debit card to draw cash from trusted ATM machines. Never use it for online transactions.
    • Keep your cash in several savings accounts, monitor them carefully and make sure that all authentication to access those accounts is strong. Two-factor authentication, where you enter a password and then also have to enter a code sent to your phone, is an excellent additional layer of security.
    • Pull your credit history yourself from time to time to monitor it.
    • Don’t get social-engineered. If someone calls you up, says they’re from an institution you bank with or trust and starts trying to get information from you, ask them for their full name, position and a callback number. Then don’t call it back. Instead, call the main switchboard of the institution and ask for that individual. If they don’t exist, try the callback number; if someone answers, hang up and call the cops with the info.
    • Never use the same password across services or websites. If you do, when one website gets hacked, your username/email and password will get out and at some point a hacker will try that combo on all other major online services. You could choose a base password, and then add something to that password that uses some attribute of the website (like the domain name) and run it through a formula you’ve memorized. For example, you could have a base password of ‘1c00ld01phin’ and take the first four letters of the domain name, rotate the letters by one and add the position of the first letter in the alphabet as digits to the end. So ebay.com would become ‘1c00ld01phinfcbz5’. That’s a simplistic formula and you can beef it up by adding letters or digits at the beginning or at a specific position within your base password.
    • If you run a website or a server on the net, make sure all software on the system is up-to-date. Install OpenVAS or Nessus, learn how to use it and run a vulnerability scan on your own system every quarter. You can also find out what your home IP address is using whatsmyip.org and use the same tools to run a scan on your home IP address. You can also run the scan from your home network to any workstation or mobile device like an iPad or iPhone on your network to find out if your own machines have security holes.
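    The per-site password formula described in the list above, as an added example that is not code from the original post: it implements the steps exactly as stated (first four letters of the domain, each rotated forward by one, then the alphabet position of the first letter appended as digits), using the post’s base password ‘1c00ld01phin’. How a leading "www." prefix, a domain shorter than four letters, and non-letter characters are handled is my assumption, since the post does not cover those cases.

```python
import string

# Base password quoted in the post.
BASE_PASSWORD = "1c00ld01phin"

# Constructed sample domains for trying the formula out.
SAMPLE_DOMAINS = ["ebay.com", "www.amazon.com", "x.org"]


def _rotate_letter(c: str) -> str:
    """Rotate one lowercase letter forward by one position, wrapping z -> a.
    Non-letters are returned unchanged (assumption: the post only mentions letters)."""
    if c not in string.ascii_lowercase:
        return c
    return chr((ord(c) - ord("a") + 1) % 26 + ord("a"))


def site_label(domain: str) -> str:
    """Pick the part of the domain the formula operates on.
    Assumption: strip a leading 'www.' and use the first label (ebay for ebay.com)."""
    domain = domain.strip().lower()
    if domain.startswith("www."):
        domain = domain[4:]
    return domain.split(".")[0]


def site_suffix(domain: str) -> str:
    """Apply the post's formula to a domain and return the per-site suffix."""
    label = site_label(domain)
    letters = label[:4]                      # first four letters (fewer if the name is short)
    rotated = "".join(_rotate_letter(c) for c in letters)
    first = letters[0] if letters else ""
    # Alphabet position of the first letter (a=1 ... z=26); 0 if it is not a letter (assumption).
    position = ord(first) - ord("a") + 1 if first in string.ascii_lowercase else 0
    return f"{rotated}{position}"


def derive_password(base: str, domain: str) -> str:
    """Base password followed by the site-specific suffix, as the post describes."""
    return base + site_suffix(domain)


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:18} -> {derive_password(BASE_PASSWORD, d)}")
```

    One caveat a practitioner would add: every password produced this way shares the base and a suffix that can be worked back from the domain, so a single password leaked in plaintext together with its site reveals the pattern; random per-site passwords kept in a password manager do not have that property.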

    It’s surprisingly easy to hack into someone’s life. I’ve had websites hacked and my family has been hit with identity theft (driver’s license stolen from mailbox) and it’s a real pain to dig yourself out. But with a little preparation you can minimize the risk and if it does strike, catch it early and recover quickly.

  • The Chinese Wall that Isn't

    I used to work at a Swiss bank. At investment banks they have a virtual Chinese wall that exists between folks who do deals and the trade floor for obvious reasons.

    At my bank, and this is back in 2000/2001, the people who did the deals and those who traded shared elevators, lunch rooms, pubs and so on. So you can imagine the level of cross-pollination.

    The US government, just another organization, has been given the green light to dig through your data if you’re storing that data in the cloud with Google using, for example, Google Drive, Google Docs or GMail. We’re trusting that they’ll keep their perusals limited to national security concerns and not tax enforcement, criminal investigation, foreign intelligence gathering or background checks and won’t leak data to credit rating agencies or anyone else. The old virtual Chinese wall.

    The latest development with Google sets a precedent for other companies and their obligation to hand over data to government employees. That includes Dropbox, Intuit and their web based Quickbooks app, Facebook and so on. The trove of data the government now has access to makes the NSA’s traditional intelligence gathering look positively pedestrian. Oh for the good old days of Echelon.

    As Google’s executive chairman once said, “If you don’t have anything to hide, you have nothing to fear.”

    This was where I was going to end this post. But let’s take this idea a little further. Let’s assume underpaid government employees are rifling through our data and habeas corpus is still as optional as extraordinary rendition. If you’re like me and are, at least in your own eyes, basically a good guy or girl, what’s the best thing you can do to prevent being falsely accused of something?

    In a future world where people who have the power to accuse and convict are reading your docs, you can encrypt, encapsulate, misdirect, protest and so on. Or another approach is to provide an overwhelming amount of data on who you are, what you’re up to, what your views are, who you associate with, what you buy and so on. Remove all ambiguity on whether you’re a good or bad person. Essentially open source your life to avoid accusation.

    I’m not sure what the right approach is, but as counterintuitive as it seems, I tend to favor the latter.

  • Finding Cheap Fast Internet in South Africa

    I’ve been in Cape Town for a little over two months now and will be here for a few more weeks. I’ve hunted around for fast Internet and tried a few options. Here’s what I’ve found and maybe it’ll help you.

    I’m specifically interested in international bandwidth to the USA and my benchmarks are based on buying 1.5 to 2 gigabyte movies from the iTunes store and downloading them or transferring big chunks of data from our Seattle data center via SCP [or what you might think of as SFTP].

    • Mweb home ADSL is generally slow for international bandwidth. You’re lucky if you get 200 kbps on the 1 megabit line. This is my absolute-in-case-of-emergency option I’m using at the place I’m staying because it is so slow. 
    • The 10 megabit business ADSL option that Mweb provides is nice and fast and you’ll get 3 to 6 megabits per second international bandwidth but it’s quite expensive. A friend has this at a building where I rent office space in Cape Town city bowl. As a side note: When the Seacom cable went down recently they didn’t slow down at all even though Mweb home subscribers were horribly slow because Mweb prioritizes their business customers much higher than home.
    • Vodacom’s little USB 3G pay as you go modem is very nice and fast at around 3 to 5 megabits international bandwidth, but it’s quite expensive. They charge per gig transferred and it’s something like $20 per gigabyte. I’ve run through my Vodacom little red USB modem and won’t be refilling it because it’s too pricey, although very reliable.
    • Vodacom’s portable hotspot option if you have a pay as you go sim card and a cellphone that supports portable hotspot also performs well and is also expensive for data transfer. This is currently my backup option to my Cell C modem. Whenever I use it, it’s wicked fast but I can see the dollar signs racking up.
    • The real winner in my opinion is Cell C’s 100 Gig USB pay as you go modem. It’s horribly unreliable but I get 6 megabits per second international bandwidth at times. More below:

    Cell C has a package called Giga100 which is R2499 or $270 for 100 gigabytes of transfer which is not limited to off-peak hours. You have to go into a Cell C store and they might not have stock, so call ahead. This option gives you a little white USB modem but you need to know how to use it to get fast speeds. Here’s how:

    • Get a USB extension cable as long as you can get. I use a 5 meter extension. 
    • Put the modem at the end of the extension preferably outside and make sure it isn’t raining.
    • Try to put the modem on a ledge so it’s hanging off with space underneath it for better signal. What also works is hanging it from the top of an umbrella.
    • Another trick that works is putting it into a small metal pot with the lid off. Believe it or not this can boost signal. I think some Russian posted a video proving this a while back on YouTube.
    • Even if your software is telling you you’re getting 5 bars of HSPA signal inside or outside, you’ll still notice a better transfer rate when it’s outside.
    • When connecting, here’s the process: Connect, start transfer, if it’s slow, disconnect and reconnect and start transfer. Repeat until you’re getting a fast transfer speed. Cell C seems to have 3 subnets they allocate IP addresses from. They start with 10.*.*.*, 41.*.*.* and 197.*.*.*, and you’ll randomly get assigned an IP address from one of those. Sometimes I’ll connect and an entire subnet will be down. I’ll have no connectivity. So I’ll reconnect and get a different IP address and get wicked fast international transfer. So just keep trying.

    It’s 1:20pm on Wednesday and here’s my current transfer rate downloading a movie from iTunes:

    [Screenshot: iTunes download transfer rate, taken 2013-04-03 at 12:52 PM]

    My theory is that Cell C has bought a large international pipe, but their engineers are wildly incompetent and their cellphone network is spotty. The result is that unless you know how to get a kick ass signal and land on a working subnet, you are not going to get a working connection. So the fat pipe that Cell C has is underutilized and those who manage to actually get a working connection enjoy an empty international super-highway.

    To summarize: If money is no object, just buy a Vodacom USB modem and pay an extra $20 to $30 in bandwidth charges for every movie you rent from Apple. If you want a deal and don’t mind hacking the system a little and putting in some effort, get a Cell C modem and pay $2.70 per gigabyte with (when it works) a kick ass connection.

    Disclaimer: If you do get a Cell C modem and it’s awful, don’t blame me.


  • A thought experiment on liberty and the survival of our species

    I came up with a thought experiment a few months ago and have been testing it on the smartest people I know.

    This thought experiment relies on you agreeing with three premises:

    1. Our knowledge of the natural universe will continue to increase.

    2. Our ability to share information among each other will continue to increase.

    3. Imagine everyone on the planet has a button in front of them that will destroy planet Earth and everyone on it. You can assume that we haven’t colonized space yet. You agree that a few thousand people will rush to press that button.

    I agree with these three premises. If you don’t, please post why in the comments.

    If you agree with these three points, it would seem we’re heading towards a world where it’s likely that our knowledge of the natural world will increase to a point where we know how to develop something that can kill all humans on planet Earth. It will also become feasible for individuals to implement that knowledge.

    If you agree that information sharing will become very efficient and information will be accessible to all, the knowledge of how to create the destructor-thing that kills all people on Earth will be shared among all very quickly and efficiently.

    We then have a situation where everyone on Earth has a button in front of them that can kill everything. And you’ve agreed a few thousand will rush to press the button – or implement the destructor-thing in this case.

    So it seems our self destruction is inevitable.

    As the conclusion to this thought experiment, I pose a question: How do we solve this problem? Specifically the problem of our inevitable self destruction through our increased knowledge of the natural universe, our ability to share information and the minority’s desire to implement self destruction.

    Thinking about this yields some interesting opinions from friends and acquaintances. These are various conclusions from different people, so don’t misunderstand and combine them:

    • Secrets are necessary.
    • A Police State is inevitable.
    • Governments will use the fear of destruction among the populace to seize vast amounts of power.
    • Individuals will sense the inadequacy of the government to protect us from this threat and will police themselves.
    • This knowledge already exists and is kept secret, which is why we haven’t seen breakthroughs of the magnitude of E=mc².

    If you run across this article I’d love to hear your thoughts.


  • How Leaders Influence your Reality

    During the last several years I’ve had the opportunity to see great leaders in action and the misfortune to see great deceivers at work. Both have one characteristic in common. Many would call it charisma, but I’d like to expand on what I think that “charisma” thing is.

    Pause for a moment. Think about the fact that you’re giving me the opportunity to paint a reality for you. It’s my perception of reality, but by taking it on board and fully understanding the way I see things, you’re giving me the opportunity to mould and shape your reality. If you read this whole blog entry you’re going to have devoted a full 2 to 5 minutes of your conscious thought to my perception of reality. And whether you like it or not you’re going to take some of it on-board.

    Great leaders and great deceivers are given a constant flow of opportunities to project their perception of reality and their vision for a future reality on large numbers of people. They alter the way a large group of people see the world and the way these people think the world should be.

    Ever wondered why Germany followed Hitler? Those screaming German speeches weren’t gibberish. They were rousing calls to arms with a believable and powerfully delivered rationale behind the call.

    These speeches, or put in different terms, these opportunities Hitler was presented with to impose his perception of reality and his vision for a future on large groups of people, allowed him to influence an entire nation to go to war and eventually carry out some of the most awful atrocities in history.

    So the lesson would appear to be “be careful who you lend your ear to”. But it’s a little more complex and more difficult than simply being careful. When others acknowledge someone as a leader, celebrity, genius, as talented and so on, it has a big influence on us as individuals, and our default behavior, as Cialdini writes in “Influence”, is to go along with the crowd.

    “You say he’s a violin virtuoso, well he must be”, “You say this is an ’82 bottle of Latour, well it must be spectacular”.

    On a side-note, a friend once did an experiment where he sabotaged an already open bottle of excellent wine by decanting it and pouring in a very cheap wine. He watched the wine enthusiasts drink the sabotaged bottle and rave about how clearly excellent the wine is.

    Social proof is a powerful phenomenon, and if a group of people or a respected organization acknowledges someone, they’ve given them a platform for “reality influence” or to create a “reality distortion field” if you’re a Steve Jobs fan.

    If you’re a leader, I hope you’ve gained a greater understanding of how privileged you are to have the attention of groups of people. If you’re a listener, I hope you’ll learn from history and be careful who you grant access to your vulnerable and valuable attention.


  • An unpleasant Herman Miller experience in South Africa

    Update: HM’s Director of Comms was kind enough to post a response here (see below in comments), Elmarie responded in the comments, today the issue was resolved when the owner of the HM distributor in South Africa called Elmarie and apologized for the way things were handled and it sounds like they’ll be working together on getting a few more Aerons for the office. Nice to see a brand that has their ear to the ground and responds to consumer feedback within 24 hours.

    My good friend Elmarie ordered her first Herman Miller Aeron chair for her office. She responded to an ad placed in Gumtree by “All Office” who are the exclusive Herman Miller agents in South Africa.

    She was pretty excited when her Herman Miller Aeron Chair arrived, as were we all, but it turns out the price she was charged was not the advertised R6995 (approx $765.50) but instead she was charged R7974.30 (approx $872.68), over $100 more.

    She called “All Office” slightly irate and was told the price she was quoted was excluding VAT (South African sales tax). For my American friends/family and anyone in a non-VAT country, one of the first principles of the South African VAT act is that you include the tax in the price.

    What really soured this experience was the following: When chatting to a manager at “All Office” Elmarie was told that if she doesn’t want to be a “good citizen” and pay the full price, then he would take the balance out of the salary of the sales person who placed the Gumtree ad.

    So after hearing ads for the Herman Miller Aeron chair by Sit4Less on National Public Radio for the last year in the States – and thinking we’d get a few for our office in the USA, I’ve pretty much done an about-face on the brand and won’t be buying any Aerons any time soon.

    PS: I’d like to hear from Herman Miller in Germany about this. Elmarie has emailed them and is waiting to hear back.

  • Shoutout to Bluehost

    Bluehost reached out to me a few weeks ago to say “Hi, and by the way we love Wordfence”. I was doubly stoked because they have been my favorite WordPress host for some time now. To date I still haven’t found a single performance issue or vulnerability on their platform. Their stuff just works!

    So we’ve become friends and today they gave us a very nice mention on their blog.

    We’ve been crazy busy at Wordfence with a ton of new signups and I haven’t had time to set up a blog for www.wordfence.com, so in the meantime I thought I’d post my love for Bluehost here. Wordfence blog coming soon!!

    If you’re looking for a way to secure WordPress, get Wordfence here!

  • How to avoid being unhappy and how to find happiness.

    This started as a comment in reply to the sad posting on Hacker News that Linux Kernel contributor Andre Hedrick had taken his own life. I’ve seen a huge number of posts on HN during the last 2 to 3 years about depression and I worry that the Valley is an environment especially conducive to creating a very unhealthy mental state through creating unrealistic expectations and social disconnection. So here are my thoughts:

    I think that many more people are at risk of falling into depression than ever before, particularly in the Valley. One of the reasons is that we are constantly exposed to the achievements of our idols and the most capable people we know via social networks and social media and we benchmark ourselves against that.

    Until a decade ago your benchmark for “I’m awesome and I’m doing great” was your neighbors, your work colleagues and your friends. Now it’s the one in 100 friends or their friends who are mega-wealthy and fly to Belize for breakfast in their chartered jet and are back for lunch. If you’re not keeping up, you feel like you are somehow failing.

    In the valley this is massively compounded because you are constantly surrounded by the mega-successful and are occasionally included in their jaunts. As a young 20-something you start to think you’re a loser because you aren’t vesting Google stock options or enjoying the wealth from your first $10 million exit.

    If you want to be happy, do what you truly love, however humble it may be. It’s important that you’re also honest about what it is that you love. Don’t try to convince yourself that you enjoy being a “geek” and being surrounded by technology. If you enjoy the feel of cutting and shaping wood then go be a carpenter and be comfortable in your own skin. If you like getting up at 3am, making bread and meeting your neighbors every morning then go be a baker and be happy.

    There are in my humble opinion very few people that are actually cut out to be true geeks and to derive pleasure from long periods of solitude with nothing but the glow of a monitor and what it contains to keep you company.

    Know yourself, know what makes you happy and take pleasure in the simple things in life, like the good, ordinary people who surround you every day.

    Update, response to comments and some additional data:

    Thanks for the comments and thanks Hacker News for taking an interest in this post. I’ve received many comments regarding clinical depression including from those with a family history of clinical depression. While it is tempting to simply answer by saying that this post is targeted at those who are simply “unhappy”, rather than suffering from a diagnosed condition of clinical depression, I find myself hesitating because I feel that often a diagnosis of a disorder leads to acceptance and complacency.

    One inspiring story that comes to mind is that of John Nash, whose life Sylvia Nasar describes in great detail in “A Beautiful Mind”. [Ignore the movie, it is unrelated to the book] In her detailed biography Nasar describes how after years of drug treatment, electroshock therapy and treatment with insulin-induced comas, Nash actually found a way to successfully treat himself by going on a “diet of the mind” as he describes it.

    So if you are depressed, and even if you do suffer from clinical depression that a doctor has diagnosed and prescribed medication for, I encourage you not to give up and simply accept the prescribed treatment, but continue to look for ways to modify your behaviour, your environment, your diet and your situation to improve your prognosis.

    I’d like to remind you of one final thing. Humans evolved largely during the Paleolithic era into the species that we are today. This period covered 2.6 million years of our history. We have only been “modern humans” for the last 30,000 years, which is only 1.1% of the Paleolithic. We have only been using the Internet en masse for roughly 20 years. So when you think of creative ways to change your environment, consider which environment your species spent most of its time adapting to.

    I wish you the very best of luck.

  • How to (really) choose WordPress Hosting

    I am the creator and maintainer of Wordfence, an anti-virus and security plugin for WordPress. We are still a young plugin, but already are about to pass 50,000 downloads.

    Often when our customers have a problem with Wordfence, they create a temporary admin account for me and I sign in to their (usually) hosted WordPress site to diagnose it. So I’ve experienced a large number of WordPress hosts over the last few months.

    Wordfence is a fairly complex plugin. It has an admin interface that provides real-time traffic views and these contact our API servers in real-time to do things like resolve the geolocation of IP addresses. Admins can also kick off a scan and watch it run and of course scheduled scans run in the background on a regular basis.

    The background scans have provided a fair amount of insight into which hosts have issues and which don’t: For example when a WordPress cron job or a Wordfence scan starts a scheduled event, it needs the server to be able to connect back to itself. A surprisingly large number of servers are unable to do this because they don’t know their own hostname or have some other problem.

    I’ve also seen a number of servers that have trouble making connections to external servers like our API server. Some have intermittent issues and some don’t make the connection at all.

    Perhaps the most frequent problem I’ve seen is too little memory for WordPress. This manifests in several ways:

    • The most common is that the php.ini memory_limit variable is set too low. 30 Megs is a common setting, which is too low for a WordPress site running many plugins or one or two complex plugins or themes.
    • The next most common is that the Apache RLimitMem setting is set too low, so Apache will prevent PHP from allocating more memory even if memory_limit is set to a high value. I’ve frequently seen RLimitMem settings that are low with a high php.ini memory_limit value – an obvious misconfiguration.
    • The most difficult problem to diagnose is where the host has configured PHP and Apache with high memory values, but there is a killer daemon running on the host that simply kills any process that grows beyond a certain size. This is rare, but it exists.

    To give you some perspective on how serious too little memory is, here is how it usually manifests itself: A customer installs plugins until they are right at the threshold of the maximum memory their host has provided. They then install one more plugin and it causes WordPress to “white screen”, meaning that your WordPress site simply doesn’t load. This usually means the plugin needs to be uninstalled via FTP because the WordPress admin interface is no longer available.

    I’ve run across several hosts who limit the maximum running time of an Apache process to as little as 15 seconds. This is not enough for longer-running WordPress cron jobs. We have coded a workaround in Wordfence for hosts like these, but this will still affect WordPress’s own scheduled jobs if they run longer than 15 seconds.

    Another problem I ran across 2 months ago is a very (very) large WordPress host whose deployment system was corrupting WordPress core files. This means every new WordPress install started off as corrupt. We spotted this because Wordfence alerted that core files on a fresh install were different from the originals. We thought this was a bug, but it turns out their deployment system was corrupting a core file in a way that created subtle bugs in the editing interface of WordPress. They have undertaken to fix the issue and I haven’t confirmed if they have.

    And finally there’s performance. When I sign in to various hosts to diagnose issues I’ll sometimes experience a snappy interface and occasionally it’s just dog slow. The WordPress admin interface, which tends to consume more memory and CPU than a non-authenticated site visitor, just screams that the host is overselling their virtual servers because it takes a while to load.

    When we first created Wordfence we bought space on the top WordPress hosting providers and made sure our software ran on all of them. It’s now several months later and I’ve had the experience of working with many customer installations across many more hosts.

    When choosing a host, find out the following:

    • What is the real memory limit? [In php.ini, apache2.conf and any other limits]
    • What is the longest time a process can run before they kill it?
    • Install Wordfence on the new machine and verify core files are intact.
    • Make sure the interface is snappy and stays that way.
    • Make sure the host has been in business for a while and will be for the foreseeable future.
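    A small checker for the first two items on this checklist and for the memory misconfiguration described earlier in the post (a generous php.ini memory_limit silently undercut by a lower Apache RLimitMem), plus the connect-back test that scheduled jobs depend on. This is an added example written for this page, not Wordfence code or anything the author published. The php.ini and Apache fragments are constructed, and the 64M threshold used for "too low" is my assumption (the post only says 30M is too low); RLimitMem values are bytes, as in Apache's own directive syntax.

```python
import re
import socket
from typing import List, Optional

# Constructed config fragments (not from any real host) that reproduce the
# misconfiguration the post describes: PHP thinks it may use 128M, Apache says ~19M.
SAMPLE_PHP_INI = """
; php.ini excerpt (constructed)
memory_limit = 128M
max_execution_time = 30
"""

SAMPLE_APACHE_CONF = """
# apache2.conf excerpt (constructed); RLimitMem takes byte counts or 'max'
RLimitMem 20000000 max
"""

# Assumed threshold for this example: the post calls 30M too low for a plugin-heavy site.
RECOMMENDED_MIN_BYTES = 64 * 1024 * 1024

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_php_size(value: str) -> Optional[int]:
    """Parse PHP shorthand sizes ('30M', '1G', '262144') into bytes; -1 means unlimited (None)."""
    value = value.strip().upper()
    if value == "-1":
        return None
    m = re.fullmatch(r"(\d+)\s*([KMG]?)", value)
    if not m:
        raise ValueError(f"unrecognised PHP size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def php_memory_limit(ini_text: str) -> Optional[int]:
    """memory_limit from php.ini text, in bytes. Falls back to PHP's built-in default of 128M."""
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ini comments
        m = re.match(r"memory_limit\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            return parse_php_size(m.group(1))
    return parse_php_size("128M")


def apache_rlimit_mem(conf_text: str) -> Optional[int]:
    """Soft RLimitMem value in bytes from Apache config text; None if absent or 'max'."""
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()         # drop comments, tokenize
        if len(parts) >= 2 and parts[0].lower() == "rlimitmem":
            return None if parts[1].lower() == "max" else int(parts[1])
    return None


def effective_memory_limit(ini_text: str, conf_text: str) -> Optional[int]:
    """What a request can really allocate is the lower of the two limits."""
    limits = [l for l in (php_memory_limit(ini_text), apache_rlimit_mem(conf_text)) if l is not None]
    return min(limits) if limits else None


def diagnose(ini_text: str, conf_text: str, minimum: int = RECOMMENDED_MIN_BYTES) -> List[str]:
    """Human-readable findings: low memory_limit, RLimitMem undercutting it, low effective limit."""
    findings = []
    php_limit = php_memory_limit(ini_text)
    apache_limit = apache_rlimit_mem(conf_text)
    effective = effective_memory_limit(ini_text, conf_text)
    if php_limit is not None and php_limit < minimum:
        findings.append(f"php.ini memory_limit is {php_limit // 2**20}M, below {minimum // 2**20}M")
    if apache_limit is not None and php_limit is not None and apache_limit < php_limit:
        findings.append(f"RLimitMem ({apache_limit} bytes) is lower than memory_limit "
                        f"({php_limit} bytes): Apache blocks allocations PHP believes it may make")
    if effective is not None and effective < minimum:
        findings.append(f"effective limit is {effective} bytes; expect white screens as plugins are added")
    return findings


def loopback_reachable(host: str, port: int = 80, timeout: float = 3.0) -> bool:
    """Scheduled jobs need the server to connect back to itself; this mirrors that check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_PHP_INI, SAMPLE_APACHE_CONF):
        print("-", finding)
    print("connect-back to 127.0.0.1:80 works:", loopback_reachable("127.0.0.1"))
```

    Run it on the real php.ini and Apache configuration of a candidate host (or paste the relevant lines in); the interesting output is the effective limit, which is what the page's "real memory limit" question is asking for. The killer-daemon case the post mentions cannot be read out of a config file and still needs the plugin-by-plugin test described above.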

    The one host that in my experience stands out head and shoulders above others is Bluehost. They are one of the larger hosts and I’ve never had a problem with performance, memory, scheduled jobs or anything else on one of their WordPress installs. Starting today I’m recommending our clients head over there to get rock solid WordPress hosting.

  • What the film "Taken" is really about

    [If you haven’t seen “Taken”, please stop reading now because this contains spoilers. I’m sure you have though as the movie is 4 years old now]

    I watched “Taken” with Liam Neeson for the second time this evening. It’s an awesome, awesome film. It struck me that the movie is actually about something more than Liam Neeson giving baddies a well deserved ass kicking.

    Agent Bryan Mills (Liam Neeson) has lost his family because he spent all his time working for the CIA. His wife has remarried a very wealthy man. Mills shows up at his daughter’s birthday party with a Karaoke machine as a gift for her 17th birthday. His daughter’s reaction is “cool”. Her new father-in-law gives her a horse and she keeps repeating “I love you, I love you, I love you”.

    Then the scenes in Paris are about the European trade in sex slaves and sex slavery. His daughter is bought and sold by various traders until she ends up in the hands of a wealthy Sheik.

    Neeson rescues her and on her return to the USA they are standing outside of an airport and his daughter tells him “I love you” once and then disappears behind the glass of a limo belonging to her rich father-in-law and Neeson catches a cab home. Once again his daughter has been bought.

    There’s a final scene at the end to soften the message a bit where Neeson arranges singing lessons with a famous pop star and they all live happily ever after. But I have a sneaking suspicion that Luc Besson’s intent was to bring to light a deep issue in human relationships: That money buys love in many ways, some subtle and some less so.