What I am reading (or maybe watching) 10/18/2017

DefCon - ICS Village: Grid Insecurity and How to Really Fix This Shit -



I tried to see this talk while at DefCon, but the room they had listed on the schedule didn't seem to exist and myself and the guy with me spent 30 mins. looking for it.  That's when I learned the value of the DefCon app.

Wired - The Problem with #MeToo and Viral Outrage -

On its surface, #MeToo has the makings of an earnest and effective social movement. It’s galvanizing women and trans people everywhere to speak out about harassment and abuse. It’s causing everyone to weigh in on systemic sexism in our culture. In truth, however, #MeToo is a too-perfect meme. It harnesses social media’s mechanisms to drive users (that’s you and me) into escalating states of outrage while exhausting us to the point where we cannot meaningfully act.

...

 As a result, our “outrage” bar continues to move firmly up and to the right as our feeds become saturated by egregious stories. We become numb to tragedies because we’re unable to process the emotions they engender at the speed with which they arise. As Crockett writes, “Just as a habitual snacker eats without feeling hungry, a habitual online shamer might express outrage without actually feeling outraged.” We may also discover that, just as venting anger begets anger, expressing outrage leads us to feel the emotion more deeply and consistently. Neither of these changes is good for humans.

I think we are already seeing some of this outrage escalation.  Over the weekend I followed some of the #MeToo threads and it seemed like as soon as one woman related an experience, someone would pop up in here thread and one-up her. Then that would generate a new round of everyone condemning the antagonist in the second story until another more egregious violation was named.  It's exhausting and at some point it causes people to just start ignoring the issue.  Especially if it starts to make the issue seem so big that it can never be addressed.

Network Computing - From Law School Dropout to Senior Network Engineer -

NWC: What things have you seen changing in the field?

AA: Like people have been saying for a while, it's not enough just to know networking. To be really good at being a network engineer, you have to understand a little bit, or sometimes a lot, about the way other systems work -- storage, servers, virtualization. You don't have to be an expert in any of it, but in order to make the best decisions, you really have to know some of it. So I would encourage people to not just learn networking, but go over and bother the systems engineer every so often, things like that.

They keep saying that the job of the network engineer is going to be automated out, but I don't see that happening. I see the people who understand the fundamentals having to shift their focus, but you still need someone who understands how routing works and how it relates to the other systems it interacts with.

I follow Amy on twitter (@amyengineer) and her blog is pretty good too.  Give her stuff a look.

CISSP update

Still scheduled to take the exam 28 Oct.  Been taking practice exams and scoring in the mid 80s to low 90s.  Hopefully the CCCure is a somewhat accurate representation of my knowledge level.

Time to burn it all down and try this again - What I am reading 10/16/2017

The Register - WoW! Want to beat Microsoft's Windows security defenses? Poke some 32-bit software -

Two chaps claim to have discovered how to trivially circumvent Microsoft's Enhanced Mitigation Experience Toolkit (EMET) using Redmond's own compatibility tools.

...

Kemp said a definitive fix for the WoW64 flaw could be some time off, as patching the condition would be difficult.

"It appears that due to these limitations, enhancing EMET to overcome them is likely a non-trivial effort," the pair noted in their report.

This is potentially a huge deal, especially in the OT / SCADA world where applications where it seems software only gets updated on the 1st of never.

Bleeping Computer - TPM Chipsets Generate Insecure RSA Keys. Multiple Vendors Affected -

Infineon TPM chipsets that come with many modern-day motherboards generate insecure RSA encryption keys that put devices at risk of attack.

...

TPMs are typically used in business laptops, routers, embedded and IoT devices. Known affected vendors include Acer, ASUS, Fujitsu, HP, Lenovo, LG, Samsung, Toshiba, and other smaller Chromebook vendors.

...

Until motherboard vendors issue a new firmware update to include Infineon's TPM fix, the general recommendation is to move critical users and data handling operations to devices that have updated firmware or to devices not affected by this vulnerability.

Once users have received the firmware update, they should regenerate all TPM keys. This is done by changing all passwords for TPM-enabled apps.

Because it is hard to know what apps and OS features use the TPM, users can reset the TPM module by typing TPM.MSC in their Windows Search/Run field and resetting the TPM from there. More instructions are available in this Technet article.

UPDATE:  This was apparently announced last week and I missed it - I just saw it scroll thru my twitter feed this morning and the above article is dated today so....

Well that's two major security vulnerabilities to start the week.  At least it isn't three. Oh, wait...

Forbes - Update Every Device -- This KRACK Hack Kills Your Wi-Fi Privacy -

What's behind the vulnerability? It affects a core encryption protocol, Wi-Fi Protected Access 2 (WPA2), relied on by most Wi-Fi users to keep their web use hidden and secret from others. More specifically, the KRACK attack sees a hacker trick a victim into reinstalling an already-in-use key. Every key should be unique and not re-usable, but a flaw in WPA2 means a hacker can tweak and replay the "handshakes" carried out between Wi-Fi routers and devices connecting to them; during those handshakes, encryption keys made up of algorithmically-generated, one-time-use random numbers are created. It turns out that in WPA2, it's possible for an attacker to manipulate the handshakes so that the keys can be reused and messages silently intercepted.

...

 As for how widespread the issue was, it appears almost any device that uses Wi-Fi is affected. "The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others are all affected by some variant of the attacks," explained Vanhoef.

You had one job WPA2!  Seriously, this is a signifigant issue but fortunately it's scope is somewhat limited by the need for the attacker to be local.  Make sure to update all your devices - INCLUDING home routers, phones, TVs, game consoles etc.  shit maybe even your toothbrush.  And remember good data hygiene is more than just encryption.  Consider what you are saving and where and whether you need it and when connecting online give a lot of thought to where you are and what data you are passing back and forth.

On RPGs and Blade Runner 2049

Friday morning the boss came into the office raving about Blade Runner 2049.  "You have to see it this weekend, on the biggest screen you can."  Normally I ignore stuff like that, especially when it comes from a new boss that I don't know, but since I was a huge fan of the ORIGINAL Blade Runner and a fan of the four subsequent re-cuts I decided to go see it yesterday.

It was worth it.

There are a number of things I like about the film but the two that stand out are:

a) It preserves the universes established in the original film.  It's darker (figuratively not literally) and more dystopian now (and there is a big climate change narrative) but the universe established in 1982 is the same universe in the 2017 movie.

b) The story is the inverse of the story from the original film (and in my memory of the book closer to what Dick originally wrote), which nicely bookends the two films.

There are a couple others things but those are the main points.

One of the ancillary points I will mention is that Robin Wright does a great job as the M. Emmett Walsh analogue.

I also liked how the universe was consistent with the Kurt Russell film Soldier

There were also a few things that I didn't care for:

a) Jared Leto - the dude is just always creepy and I hate seeing him on screen.  Beyond that his character was just a waste.  A messiah whose immediate response to a problem was torture.  There is no real explanation of his motives beyond wanting to breed replicants.  It just felt kind of out of place.

b) I missed the Vangelis soundtrack.




I'll probably see this movie again.

So why you are asking did I title this "On RPGs and Blade Runner 2049" when all I have talked about is Blade Runner?

Well, because in my mind Blade Runner and RPGs are inextricably linked to the 1980s and Chris over at Carnifex.org has been talking about RPGs a lot lately.  Mainly discussing the strengths and weaknesses of various systems.  His group (which I have been a part of , and probably will be again when schedules sync up again) is currently playing D&D 5E.

I hate 5E.  Actually I hate most systems beyond 1E and I'll tell you why:

Lack of story and imagination.

I spent years in our high school gaming group being chastised for my lack of ability as a role player, and I will fess up to that.  I like the side conversations, drinking, eating pizza and joking that used to go with our games far too much to "immerse" myself in the character. But, I always tried to come up with a character that had an interesting story that at some point would add to the overall narrative.  Some reason to have a special skill that might not have been in the rules but which would be handy.

In 1E you had to do that, because the rules were so basic.  You want critical hits?  Dream up a way to do it yourself.  (Also I liked the race / class restrictions because if the GM made an exception for your character for whatever reason then it made your character even more special)

That isn't the case now.

In games today they attempt to define everything and reduce it to a die roll.  That sucks and it reduces the game from a large narrative to some die rolls like monopoly.

Die rolls destroy drama.

So what do the too have to do with each other?  I don't know, maybe I am high on 80's nostalgia but I kind of feel like the Blade Runner universe is a lot like 1E.  There are stories there waiting to be defined and I like that idea.  So much sci-fi now is just formulaic, (and maybe Blade Runner is too but it doesn't feel that way to me), just characters reduced to die rolls by the system in use. 

Of course I say this every year as winter sets it seems like the world is getting smaller and the sense of wonder is disappearing.  Don't get me wrong I still have fun on a day to day basis but we need re-invigoration.  Which makes this a good time to repost this:

(in some weird way this is probably why I like Googie Architecture so much too)

Just Registered For CISSP and OSCP Update

Still plugging away at OSCP, but I may have to put that on hold for awhile.  Scheduled my CISSP; mainly because it has become more of a professional liability not to have one.  I am the only FTE in my department without one and it is eroding some of my credibility.  The rest is being eroded by the fact that I am a dumbass.  I decided to address the facet that can be fixed by taking an exam.

OSCP Update

I missed a couple Sundays because I was out of town and had something else going on.  I don't remember what it was but it was important at the time.  I am continuing along.  Started on the labs getting ready to actually start attacking some of the networked machines.  The materials are good but I am finding myself doing a lot of side reading.  A lot of people have mentioned that before, but it is true, you do have to do additional research.

Fuck Me... R.I.P. Jerry Pournelle

Jerry Pournelle had a huge influence in my life. 

I read "The Mercenary" my sophomore year of high school and "Lucifer's Hammer" and "The Mote in God's Eye" soon after.  He along with Robert Heinlein were fundamental in forming my world view, my view on what it means to be a man (in the generic human sense) and my views on politics.  They helped me articulate ideas that had been building in my head for quite a while at that point and I think made me a better person through their writings. 

Jerry Pournelle passed today.  Normally it would be the thing to do to offer a prayer, but I am going to instead offer The Line Marine March as it appears in his Falkenberg's Legion Series. 

We've left blood in the dirt of twenty-five worlds,
We've built roads on a dozen more,
And all that we have at the end of our hitch
Buys a night with a second-class whore.
The Senate decrees, the Grand Admiral calls,
The orders come down from on high.
It's 'On Full Kits' and 'Sound Board Ships,'
We're sending you where you can die."
 
"The lands that we take, the Senate gives back,
Rather more often than not,
But the more that are killed, the less share the loot,
And we won't be back to this spot.
We'll break the hearts of your women and girls,
We may break your arse, as well,
Then the Line Marines with their banners unfurled
Will follow those banners to hell.
We know the devil, his pomps, and his works,
Ah, yes! We know them well!
When you've served out your hitch in the Line Marines,
You can bugger the Senate of Hell!"

"Then we'll drink with our comrades and throw down our packs,
We'll rest ten years on the flat of our backs,
Then it's 'On Full Kits' and out of your racks,
You must build a new road through Hell!
The Fleet is our country, we sleep with a rifle,
No man ever begot a son on his rifle,
They pay us in gin and curse when we sin,
There's not one that can stand us unless we're downwind,
We're shot when we lose and turned out when we win,
But we bury our comrades wherever they fall,
And there's none that can face us, though we've nothing at all."

I previously mentioned The Line Marine March  and the trouble it got me in in school, but I made my point at the time.  I also at various times had the pleasure of corresponding with Dr. Pournelle.  He was always gracious with me despite being far smarter and far more accomplished.  Again, R.I.P.