innismir.net

Been quiet over here recently, but I’ve been busy in other areas, so let’s do a quick update of what the hell has been going on:

First off, QuahogCon was a blast. My presentation went rather well, despite some technical difficulties with the lack of Internet access and the fact that I was not able to raise the local IRLP repeater from inside the building. I’ve started tweaking it a bit and submitted an abstract to The Next HOPE‘s CFP.

You can download the QuahogCon version of the slide deck here:

• Why you should be an Amateur PPT (8.0MB)
• Why you should be an Amateur PDF (7.0MB)

Also, available over at QuahogCon’s site is the audio of the presentation.

Next, over the past month, I re-launched Mayhemic Labs a group of very talented folks. We have started doing a few projects, the coolest one (in my not so humble opinion) is ICanStalkU, a site that rips through public photo sites looking for latitude and longitude EXIF tags. You can read more about the project at the site’s how and why pages.

So, despite the lack of activity on here, I have been keeping busy. Of course, I am always mumbling to myself on Twitter.

As some of you know, Brady has recently celebrated his 1st birthday. It’s been a long year and as it’s worn on, my commute (two hours each way end to end) has often left me frustrated due to the lack of time with my son. More and more often, I have wondered, despite loving my current job and the people that I work with, if it was worth the time it was taking away from my family. Yesterday, as I had to telecommute due to the epic flooding that shut down Route 140 I was able to play with my son before getting him ready for bed. It was during this I had a moment of clarity: It wasn’t worth it.

After putting him to bed and discussing it with my wife, I started weighing my options to figure out a way to allow me to work near my family, make my own hours, and hopefully live comfortably. After thinking about it more and more, I came to the realization that InfoSec lifestyle wasn’t cutting it anymore and that I was essentially fighting a losing battle. I’ve always been a bit of a chaotic neutral person and thusly I came to the conclusion that the best way to get what I want is to switch sides and move over to the darker realms of the Internet. As in my old job I monitored them daily, it was easy to reach out to my former adversaries and start inquiring about positions within their organization. They were very receptive and were happy to get someone with my portfolio, so I was able to negotiate a tidy signing bonus as long as relocation costs.

Yes, you read that right, relocation. We are all moving to Estonia. This may seem like a big move, but I have always wanted to set out and blaze a new trail beyond my comfort zone, so this was right up my alley. With Brady just picking up Portuguese and English, adding Estonian on top of that will do wonders for his development. Finding a new house would be a worry, but thankfully Peeter, my new boss, has an associate, Mikhail, that was able to get me a a killer deal on some waterfront property in Hiiumaa. He was even able to get the seller to go way below their asking price! Plus, they have a very decentralized structure are fans of working from home, so I should be able to get away with only showing up to meetings a couple times a month off-island. This is an ideal situation and everyone in the Jackson household is excited.

I know this might come to a shock to some of my InfoSec friends and it may seem like I’m abandoning them for “the other team” — and I’m sorry if you feel this way. This was the best option available to me to continue working in the field I love that will allow me to be close to my family. I sincerely hope that despite now me being an adversary, we can still remain cordial and reasonable to each other and can remain friends. Of course, trusted friends should feel free to contact me if you are interested in joining me on this great adventure, as we are currently looking for people who have experience in the field and like to work in the trenches.

I’ll be chronicling the move and the adventure of emigrating int he upcoming weeks, this should be interesting on so many levels. I need to start researching how one gets an Amateur Radio license in Estonia.

Andrew Hay has been doing a series of interviews with the various unsung heroes of the security industry calling it the “Security D-List”. I’m pleased to say that if anyone asks, I can now say where I rate.

Bored at lunch and sketched this out…

“Son, we live in a world that has firewalls, and those firewalls have to be administered by people with a clue. Who’s gonna do it? You? I have a greater responsibility than you could possibly fathom. You weep for your Internet access, and you curse the security admins. You have that luxury. You have the luxury of not knowing what I know. That the firewall rule set, while convoluted and not perfect, probably saved data. And my existence, while grotesque and incomprehensible to you, saves data. You don’t want the truth because deep down in places you don’t talk about at parties, you want me on that firewall, you need me on that firewall. We use words like “high availability”, “cloud”, “ISO 27001 compliance.” We use these words as the backbone of a life spent defending something. You use them as marketing fodder. I have neither the time nor the inclination to explain myself to a man who surfs and e-mails under the blanket of the very security that I provide, and then questions the manner in which I provide it. I would rather you just said thank you, and went on your way, Otherwise, I suggest you install an IDS console, and stand a post. Either way, I don’t give a damn what you think you are entitled to.”

“Did you block Facebook access from the company?”

“I did the job I…”

“Did you block Facebook access from the company?“

“You’re Goddamned right I did!“

Not up to the same level of Hoff’s creativity, but I found it amusing…

So, a quick post about two things:

1st, I did a presentation to the Boston Chapter of the Association of Government Accountants for their monthly meeting as part of my day job. I’d like to think I did fairly well and there certainly was a fair amount of discussion afterward. In case any of them find their way here in an attempt to find my slide decks, I am happy to oblige:

• Information Security and You PPT (1.4MB)
• Information Security and You PDF (1.8MB)

2nd, I have been selected to speak at QuaghogCon in Providence, RI the weekend of April 24th and 25th. I’ll be departing from my usual “Information Security” speaking groove and instead will be evangelizing Amateur Radio. Sadly, this means I’ll be missing out on B-Sides Boston, but that’s the way the cookie crumbles. Registration is open now and I’ve heard rumors that attendance will be capped at 150, so even if you don’t want to hear me speak, buy a ticket; there are going to be some awesome presentations.

I was very lucky this summer because the Security Office got some funding for training and footed the bill for another SANS course. I opted to go for SANS SEC504: Hacker Techniques, Exploits & Incident Handling. I did a “At Home” course this time, which met three times a week online and was taught Ed Skoudis and John Strand. While I did like the self paced learning that I had for SEC503, but it was very cool to be taught by the folks that you always heard on and about PSW. Plus, I was able to make snide remarks in the chat window.

As much as I still wonder about certifications in general, I am starting to really like SANS courses. The course wasted little time on the basics and quickly had us rolling up our sleeves mucking about in what I classify as “cool sh*t”. While I did have stretches where I was just nodding and going “yeah… yeah… know that… uh-huh…” I would occasionally see or hear something, go “Oooh!”, and make write down some notes. The course consisted of 5 books of material, ranging from incident planning and handling to how to exploit systems, and then culminated in a capture the flag contest. I am ashamed to say the CTF was designed well enough that I could barely establish a toehold on the first server, I guess my days of staying up for an entire weekend and dominating the CTF at Northeastern is far behind me.

Although the course itself wrapped up sometime in the summer, I finally took my certification test today and passed with flying colors. I am happy to report that I have even more alphabet soup after my name and I am now “Ben Jackson, GCIA, GCIH”

In the words of the late, great, Irving Snyder, WA1ETG SK, I have a “tale of woe.” As always, as an employee of the fantastic Commonwealth of Massachusetts, the opinions of this website are my own and not the view of my employer or anyone else.

Late in August, I was in a rush on a Wednesday and couldn’t change my five dollar bill for ones to pay for parking. With the MBTA, they have something called an “honor box” in which you pay your $4 parking fee into a small slot numbered with your space. “No worries…” I said to myself, “…since I am in a rush, I will eat the late fee and just pay them when I get a violation notice.” A brilliant plan, correct? It was, I’ve done it before. Also, since I knew I was likely going to face the same problem on Friday I was just going to pay $10 with the Friday violation notice. This plan crashed to earth when I got the Friday violation notice:

Can you spot the key difference between these two notices? According to the 8/21 notice, I have 8 outstanding violations. This is impressive, as with every violation notice previous to this, including the 8/19 notice, hasn’t included a peep about any kind of outstanding violations. So, I place an e-mail to LAZ Parking, as they suggested on their voice mail greeting, to ask them how the heck this happened. They politely provided me a spreadsheet showing that I hadn’t paid my violations numerous times since they took over.

Slight problem: I did pay them.

I’m no angel. According to the spreadsheet I had 16 violations since December 1st. However, I have been extremely thorough in paying my violations since the parking fee increase, specifically because I knew that $5/pop could add up quick. While I cannot specifically say “Oh, hey, I paid that violation on June 23rd.” (Because really, who remembers that?) There were two violations that I was sure I had paid. Also, apparently, I did possibly owe them $2.75 from a violation in December. I won’t even attempt to remember that.

So, I ask them how I can contest it? Well, simple, I just tell them which spot I parked in during those dates and they can check.

Slight problem: There is not assigned parking at the MBTA.

With the MBTA commuter rail, each spot is numbered and that’s the number you pay for. However, it’s first come first serve. Most days I usually get a spot in the between 50 and 100. But really, I now have to keep track of which spot I park in on a daily basis just in case LAZ says I didn’t pay? What? I explained this to the CSR and after following up a week later asking them if there was any movement on this she reiterated she needed the numbers.

This brings us to today.

I give up.

That’s it MBTA, you win. You’ve created a system where you can tell people they owe money and they have little to no recourse. You have a cash system, someone can have no proof they paid on random dates and in order to contest it, you make them jump through nearly impossible hoops. I give up. I am bending over and taking it.

So, now, in order to cover my ass:

• I will be paying my outstanding fee with a check, probably hand delivered, and I will get a receipt.
• Further violations will be paid with via a check, as suggested by LAZ, and I will be keeping the canceled checks on record.
• After I get the canceled check, I will be following up with LAZ to make sure they credited it to my account.

Plus, just to add insult into injury halfway through the back and forth with LAZ, I get this on my windshield:

A $15 ticket because I was parking in the lot with an “outstanding balance”

Thanks, MBTA.

Mark, K6HX writes another good article regarding the NSC and ARRL letters and does some math on what we might expect to see if we tried to find evidence on Ham Radio operation while mobile:

There are only about 660,000 or so hams licensed in the U.S. The vast majority of these do not operate mobile. The vast majority of those do probably spend most of their time listening. In such a case, we’d expect that the number of accidents caused to be much lower than those caused by cell phones, even if mobile operation was every bit as dangerous as using a cell phone. The overall instance of accidents may be only 0.1% or less of the levels we see from cell phones. One study estimated that 6000 accidents might have been caused by cell phones in California in 2001. Even if ham radio were as dangerous, we might expect to see only six accidents in the entire year from ham radio operation.

Now, the are some other variables at work that would be interesting to toss around:

• A lot of amateur radio operators are older, would cause the rates to trend upwards?
• Are amateur radio operators more distracted when we have to fiddle around, find a mic, adjust the radio, etc?
• Is a study done in 2001 going to accurately reflect numbers in 2009?

However, the kicker of this whole article is not the post by Mark, but a comment done by Schley Cox:

I operate mobile with amateur radio using Morse code. I copy in my head, my eyes never leave the road in front of me and my right hand (sending hand) is not more than 2 inches from the bottom of the steering wheel. I tune my radio by ear only. I work a narrow range of frequencies without ever looking at the radio. Compare all these situations with using a cell phone, or even a mobile radio using a microphone.

My right and left brain don’t have much to do with each other and it doesn’t seem distracting to me to both send and receive Morse code while driving on stretches of highway. If I need both hands on the wheel while sending I simply send AS and the other operator knows to wait for a while. I don’t have to explain to her (or him) why I am stopping sending.

I don’t operate at all on busy highways. Period. There’s not even time to send AS somewhere (like I-65) while careening between lanes at 80 mph trying to keep from getting rear ended by the rush behind.

Holy crap, where do I begin? Mark makes the statement in a later comment that “This is precisely the kind of argument that I think we should all view with skepticism.” and I wholeheartedly agree. I’m scared the Mr. Cox can think he can do CW in his head and fully concentrate on driving. I will give credit to him for at least realize that doing it on a busy highway is bad, but I hope he isn’t sharing the road with me while I commute. Mark is right to point out that distractions come in all different shapes and sizes while driving: people in the car, twiddling the A/C, and using a mobile phone. It’s foolhardy to think that we are somehow above all that.

Late in July, the ARRL wrote a letter to the National Safety Council regarding the operation of amateur radio while mobile. Joel Harrison, W5ZN, president of the ARRL wrote lobbied (lets not kid ourselves, that what the ARRL does) the NSC to help them ensure that Amateur Radio is not caught up in no-cell-phones-while-driving laws by waving the bloody shirt of public service.

Amateur radio operators provide essential emergency communications when regular communications channels are disrupted by disaster. Through formal agreements with federal agencies… Amateur Radio volunteers protect lives using their own equipment without compensation. The ability of Hams to communicate and help protect the lives of those in danger would be seriously hindered if… governments do not ensure that Amateur Radio operators can continue the use of their mobile radios while on the road.

Now, don’t get me wrong. I use my FT-7800 in my car on an almost daily basis. I am by no means innocent and I did write my representatives when Massachusetts tried to pass a cell phone ban in 2008. It’s my hobby, I enjoy it, and in the car is the only time I get the “play radio” for the most part. I enjoy talking to my friends via it. I try to be responsible, however, I think that if anyone tells you that they are 100% concentrated on driving while they are playing radio, they’re a bold-faced liar.

President Janet Froetscher of the NSC’s response is very political and does a great job at walking right down the middle by giving a response without giving a response. While everyone is touting the NSC’s statement saying that “NSC does not support legislative bans or prohibition on [amateur radio] use” and counting it as a victory, however, the letter from the NSC says some very different things:

We are not aware of evidence that using amateur radios while driving has significant crash risks. We also have no evidence that using two-way radios while driving poses significant crash risks. Until such a time as compelling, peer-reviewed scientific research is presented that denotes significant risks associated with the use of amatuer radios, two-way radios or other communication devices, the NSC does not support legislative bans or prohibition on their use.

Sounds like we’re in the clear, right? Well, kind of. Indeed, there is no evidence that using two-way radios while driving poses significant crash risks, but what evidence are we citing that shows there isn’t a link? From the ARRL policy statement on mobile operation:

is aware of no evidence that [mobile] operation contributes to driver inattention. Quite the contrary: Radio amateurs are public service-minded individuals who
utilize their radio-equipped motor vehicles to assist others, and they are focused on driving in the execution of that function.

Hmmm… That doesn’t sound like compelling, peer-reviewed scientific research to me. What did the ARRL present in their letter to the NSC?

As ARRL Chief Executive Officer David Sumner has observed based on more than 40 years of experience, “Simplex, two-way radio operation is simply different than duplex, cell phone use. Two-way radio operation in moving vehicles has been going on for decades without highway safety being an issue. The fact that cell phones have come along does not change that.”

This is, by definition, anecdotal evidence. Plus, would you really trust this if the National Association for Juggling president state that, after 40 years of experience, he observed that juggling is completely different from cell phone use and has been going on for decades without highway safety being an issue? I wouldn’t and neither should you. When I read this back in August, I did find this a bit amusing as the first thing that popped into my head is the final scene in the movie Thank You for Smoking. The protagonist, who used to lobby for the Tobacco industry, is talking to clients in a meeting regarding cell phone usage:

Gentlemen, practice these words in front of the mirror: Although we are constantly exploring the subject, currently there is no direct evidence that links cellphone usage to brain cancer.

Amateur Radio is in the same position. There is currently no direct evidence that links mobile operation with accidents. The kicker is that there is no evidence that mobile operation is safe either. From what I can tell, there have been no studies regarding the issue. I think that if the ARRL was really interested in safety concerns, they would commission a third party study on this. However, like any special interest group (again, this is exactly what they are and I have no problem with it) their primary interest is promoting their interests.

Froetscher also made a statement to the ARRL that I have not seen mentioned in any coverage of the letter either:

I appreciate your focus on the use of amateur radios for emergency communications during disasters. I encourage ARRL to adopt best practices for the safe operation of vehicles that confines use of amateur radios while driving only to disaster emergencies. You may want to consider documenting this through a formal policy for all of your members.

This is the political equivalent of the NSC saying “…and the horse you rode in on.” By the ARRL using Amateur Radio’s disaster communications as a shield to hide behind in order to avoid being banned under distracted driving laws, the NSC called them out on it. If we, as amateurs,  “provide essential emergency communications when regular communications channels are disrupted by disaster”, why is the ARRL telling its members to avoid using their radios while mobile unless there is an emergency? While the obvious answer is “because we want to play radio” I don’t think the ARRL is going to say that. So, instead, since the ARRL is touting the response, I look forward to them working with the NSC to re-draft their policy to limit mobile Amateur Radio use to only emergency and disaster situations.

I don’t know why this appealed to me, considering that I can’t stand these things on Facebook/e-Mail/etc, but since Andrew Hay did it, and since he started it, I felt like I should play along.

1. I was the host of a weekly “hacker” podcast for about a year. It was a lot of work, but I do miss it. It was fun to rant and rave for a few hours a week.
2. I did not go to any dances or proms in High School
3. I am a published author. Another one of those things that was a lot of work but it was a lot of fun at the same time.
4. My wife and I met on the Internet before it was “trendy”. For a long time we would skirt the question “How did you meet?” because of the looks we would get. During our wedding, the priest mentioned it in his sermon and we were sure that this was the first time a few people in the audience found out.
5. I flunked out of Computer Science in college (Calculus) and transferred to Computer Engineering Technology (“Computer Engineering lite” as I called it) which I graduated from.

I will not, however, “tag” anyone else. I can’t stand being “tagged” and therefore will not “tag” anyone myself.