Anatomy of a NYT Piece on the Sony Hack and Attribution

There is a lot of back-and-forth over who hacked Sony Pictures Entertainment. For a not-so-brief summary, here is an extensive timeline to catch you up. I am going to drill down on a single point as it is both fascinating and disgusting. Using a single article that is heavily influencing people around the world, and helping to polarize the InfoSec community on who hacked Sony, I want to show you exactly what you are quoting and reading. Why? Because people don’t seem to be reading past the headline or first couple of paragraphs. What seems like a strong, definitive piece falls apart and begins to contradict itself entirely halfway through the article. The New York Times piece in question is titled “U.S. Said to Find North Korea Ordered Cyberattack on Sony”.

Consider what the headline says. First, it says that North Korea ordered the attack on Sony. Second, it says the U.S. has found out, meaning there is some body of evidence that led to that conclusion. Seems simple enough. But where does this come from?

American officials have concluded that North Korea was “centrally involved” …
Senior administration officials, who would not speak on the record …
Officials said it was not clear how the White House would respond.
Other administration officials said a direct confrontation with the North would provide North Korea with the kind of dispute it covets.

So how many officials are we talking about here? American officials? Senior administration officials? “Other” administration officials? Not a single one on record, which is very curious given named sources are the backbone of solid reporting. Are these officials part of the military? Law enforcement agency? Or just policy wonks that may or may not be getting briefed by someone with a clue?

The administration’s sudden urgency came after a new threat was delivered this week to desktop computers at Sony’s offices, warning that if “The Interview” was released on Dec. 25, “the world will be full of fear.”

Wait, so the Sony network is still entirely compromised weeks after it was publicly disclosed? That is an interesting angle, why haven’t we seen articles covering that? The company brought in to do forensics, are they losing this battle? Or did they mean the message was emailed to Sony employees, and the wording is confusing since the initial attack included actually replacing the desktop background on thousands of Sony desktops? Or was this a reference to the attackers posting that message on a public website (Pastebin)?

“Remember the 11th of September 2001,” it said. “We recommend you to keep yourself distant from the places at that time.”

This comes from the latest Pastebin post, since removed. I think that is the simple, logical explanation.

While intelligence officials have concluded that the cyberattack was both state-sponsored and far more destructive than any seen before on American soil, there are still differences of opinion over whether North Korea was aided by Sony insiders with knowledge of the company’s computer systems, senior administration officials said.

Wait a minute, the title is definitive, the U.S. says North Korea did it. Now even more unnamed officials say Sony insiders may have helped them? If you follow the whole “this is an act of war” nonsense, then any American Sony employee just committed treason, right? If it was a Japanese Sony employee, then Japan is in league with North Korea? I mean, we have to be careful on our rhetoric of war and blame, as these little comments can mean big things.

North Korea’s computer network has been notoriously difficult to infiltrate. But the National Security Agency began a major effort four years ago to penetrate the country’s computer operations, including its elite cyberteam, and to establish “implants” in the country’s networks that, like a radar system, would monitor the development of malware transmitted from the country.

So Newt Gingrich, Dave Aitel, and others are saying a North Korean attack on Japanese company Sony is an “act of war” against the U.S., but we openly admit that the U.S. government has been trying to penetrate North Korean computers for at least four years, and that isn’t an act of war? That doesn’t make sense. Either such intrusions are an act of war, or they aren’t. We can’t have this both ways.

It is hardly a foolproof system. Much of North Korea’s hacking is done from China. And while the attack on Sony used some commonly available cybertools, one intelligence official said, “this was of a sophistication that a year ago we would have said was beyond the North’s capabilities.”

So the definitive headline is now clouded by statements like these. We don’t know where the attacks originated, the tools were commonly available and had been seen in attacks years ago, but then the official says it is sophisticated? Not sure this ‘intelligence official’ has the same standards for the word ‘sophisticated’ as many in InfoSec.

But there is a long forensic trail involving the Sony hacking, several security researchers said. The attackers used readily available commercial tools to wipe data off Sony’s machines. They also borrowed tools and techniques that had been used in at least two previous attacks, one in Saudi Arabia two years ago — widely attributed to Iran — and another last year in South Korea aimed at banks and media companies.

Do we all know what a forensic trail is? This is a shaky list of circumstantial evidence at best. Given the use and history of the tools, making an assumption on who used it seems absurd.

But one of those servers, in Bolivia, had been used in limited cyberattacks on South Korean targets two years ago. That suggested that the same group or individuals might have been behind the Sony attack.

Again, do we not see how circumstantial this is? On one hand you claim the attackers are sophisticated, on the other you say they use a compromised computer for two years that would implicate them because of past attacks.

The Sony malware shares remarkable similarities with that used in attacks on South Korean banks and broadcasters last year. Those intrusions, which also destroyed data belonging to their victims, are believed to have been the work of a cybercriminal gang known as Dark Seoul. Some experts say they cannot rule out the possibility that the Sony attack was the work of a Dark Seoul copycat, the security researchers said.

Definitive headline, yet more doubt on who attacked Sony.

The Sony attack also borrowed a wiping tool from an attack two years ago at Saudi Aramco, the national oil company, where hackers wiped off data on 30,000 of the company’s computers, replacing it with an image of a burning American flag.

A public tool from two years ago, and this is influencing attribution? Investigators should be logical and skeptical. Actual evidence should be the guiding factor in their investigation and determining attribution.

Security experts were never able to track down those hackers, though United States officials have long said they believed the attacks emanated from Iran, using tools that are now on the black market.

So we couldn’t positively attribute the attack two years ago that used those tools, and now we want to use that tenuous link claiming it is some kind of ‘proof’ North Korea was involved? This makes no sense.

“It’s clear that they already had access to Sony’s network before the attack,” said Jaime Blasco, a researcher at AlienVault, a cybersecurity consulting firm.

I have given many a buzz-quote to the media, and I understand how they can be taken out of context. This is a great example. Blasco sounds like a total idiot, but I have a strong feeling he isn’t. What does this quote mean exactly? Getting access to Sony’s network requires an attack. Subsequent actions are part of that attack, or the fallout. Or does he mean “had access” in the context of a legitimate trusted employee? InfoSec people: be careful when giving buzz-quotes to journalists.

The cost of the assault was small: The attackers used readily available tools to steal data and then wipe it off Sony’s machines.

Once again, “readily available tools”, yet we are attributing this to a nation-state attack? Read between the lines and we have no real attribution at this point, at least not demonstrated by anyone. I doubt Mandiant is sharing their results with anyone publicly, leaving the rest of this to guess-work.

Representative Mike Rogers, the Michigan Republican who leads the House Intelligence Committee, said the hackers had “created a backdoor to Sony’s systems” that they repeatedly re-entered to send threatening messages to Sony employees.

Ya think? That is hacker 101 shit right there Mr. Rogers. Sophisticated malware to allow such access has been around for more than 30 years, and is trivial to get from thousands of web sites.

The North Koreans have half-denied involvement, but have left open the possibility that the attacks were the “righteous deed of supporters and sympathizers.”

Well played North Korea.

All in all, we have an article with a definitive title, “citing” between one and dozens of unnamed officials, that may be guessing like most of the world, giving as much “evidence” that it wasn’t necessarily North Korea, and it is whipping up a frenzy causing politicians and InfoSec professionals to call this war. I’ve said it for a week, and I must say it again. How about we wait for actual evidence. A public report outlining all of the forensics available, that can be peer-reviewed to some capacity, before we go rattling our saber at a country that may not be involved. Sure, North Korea is wonky on their statements implying it was them, then “half-denying” it, whatever that means (curious no one ever links to these statements, or are these more “unnamed officials” from their government?).

Remember, North Korea is the same country that threatened the U.S. with a nuclear missile earlier this year. They like to rattle their saber at everyone, but it doesn’t mean they actually did anything. Taking their implications or half-denials as fact isn’t prudent. I am not saying North Korea wasn’t involved. I am simply saying that this speculative circle-jerk is not helping anyone, and only serves to cause headache and grief. Level-heads must prevail. If you feel the need to comment on the matter, make sure you are educated about what has happened the last 30 days, and then try to be a voice of reason in this ugly mess.

e-MDs, Inc. Solution Series 7.2.1.634 Screen Lock Failure Information Disclosure

e-MDs, Inc. Solution Series integrated electronic health record and practice management software version 7.2.1.634 contains a flaw in the screen lock functionality. When a user locks the screen, under some circumstances, the screen will display the login box but fail to obscure any of the information displayed otherwise. As I discovered on March 21, 2014 at my doctor’s office, the screen not only displayed some of my information including name, account number, date of birth, phone number, and doctor notes, it also showed the same information for a second patient.

BSidesLV, Charity, and a change of heart.

Read it all heathen! Teaser list of stuff in the charity box is included below.

As most reading this blog know, next week is the annual pilgrimage to Las Vegas to attend the ‘meta-con’. A mix of BSidesLV, BlackHat Briefings USA, DEFCON, and a number of other smaller sub-conferences, meet-ups, gatherings, and the ever present ‘hallway-con’. It is a week of chaos. Incredible opportunity always clashes with regrets, wishing you had checked out a talk, or met up with long-time friends, or run into new people you only know virtually. My first DEFCON was #2, twenty years ago, and it seems like both yesterday and a lifetime ago. I won’t go into a long analysis on how it has changed; just know it has changed drastically. Not saying for the better or worse either, because it is both.

Next week I am putting up an infamous attrition.org box-of-shit for charity at BSidesLV. I have done charity boxes at BSidesDEN in 2012 and 2014 that raised around $480 for the supported charities (usually EFF and/or HFC). Those were in addition to other charity auctions via eBay to support the Open Security Foundation, EFF, and the Concoctory.

You may notice a trend here. The last few years, I have made a big change to help support charities/NFP a lot more than I did before, including volunteering time as I can. Next week I will be working the registration desk at BSidesLV, and working as a volunteer for the Skytalks at DEFCON. Unrelated to security, I donate a fair amount of money and/or time to animal-related charities around the Denver area. I support a variety of humanitarian efforts to support research to cure ailments, fight hunger, and more.

Now, I want to do more, and I want more security professionals to do the same. As an industry, we make a ridiculous amount of money providing security services. As an industry, we fail miserably at doing so. Sure, we have our individual wins here and there chasing contracts. But as a whole? Digital security is at an all-time low. There is more computer crime, more breaches, published vulnerabilities are not dropping despite incentive not to disclose (if you even quote CVE and a ‘drop’ to me, get out of my industry), and a more fundamental lack of trust in anything related to computers. If we’re making stupid money providing inferior services while toeing a favorable line, we need to look inward and re-examine our lives. It simply isn’t ethical to reap the rewards on the back of false promises. As an industry, we need to strive to do better (and we have proven we can’t), or start to give back to more worthwhile efforts.

I encourage you to consider this seriously. Look at how you can give back to the community in more ways than you are currently doing. Figure out more causes that could benefit from your time or financial support. Break away from the corporate high-dollar conferences run by non-security companies and support the home-grown community-driven conferences. Keep that in mind and bid generously on my two auctions.


Next week at BSidesLV, on Tuesday and Wednesday, you can participate in the silent charity auction and bid on this box-of-shit. Unlike previous boxes, I have worked to ensure this one is different, more interesting, and more valuable (which is subjective, I know). First, it has a limited edition attrition.org DEFCON 22 badge in the box. Only five were made this year! One is up for auction by itself right now, and it sets the stage for the box. Next, there is a hand-knit Lazlo hat made by J. Renee Worsing that comes with care instructions. Not only is the badge made by Make It Urz, but there is also an engraved Lazlo lapel pin in the box.

If you win this box, you are fully encouraged to embrace that badge. Walk around all of the conferences telling wild tales of your work with attrition.org. Spin stories about the other staff members, what you have endured, what para-military ops you have done on our behalf. This badge gives you creative license to social engineer anyone and everyone you meet. Flash that badge and you have a 0.3% chance of walking into any other party. Flash that badge at the 303 party and I will personally escort you in, even if the party isn’t open to the masses yet. Find me in a random bar, I will buy you a drink or three. ALL WEEK.

That is the tip of the iceberg! In addition to those fine items, the following is contained in the box. And yes, my wording is carefully chosen to keep you guessing, while being entirely accurate at the same time.

  • Collectible currency from 8 different countries.
  • A military challenge coin.
  • Certified piece of history circa 1989.
  • Original ‘FREE KEVIN’ bumper sticker.
  • Attrition.org bracelets.
  • A gift card. For a store, some amount more than a dollar.
  • DEFCON 21 speaker badge.
  • Lockpicks.
  • A “pocket full of fun”. Make of that what you will.
  • Cold, hard cash.
  • Stickers, items from a jail, and “sparkle power”.

All of that is in addition to the usual box-of-shit stuff that is more questionable in value. This box was designed for fun, for you to enjoy as you open it up and dig through the contents. Nikita contributed a lot of the material found in this box, so you should buy her a booze next week. Not so much for the box, more for the amount of time, effort, and anguish she puts into making DEFCON happen. It isn’t entirely the ‘Jeff show’.

Remember that your money is going to worthwhile charities that help other people. None of this money goes to me. It will go to a fund that is divided up to support EFF, HFC, and Securing Change.

Samsung Galaxy Phones Factory Reset Persistent Local Information Disclosure

A couple years back, I handed my Samsung Galaxy S1 down to a friend. When she got it she browsed the file system out of curiosity and noticed that it had retained private information; both from applications, as well as content I generated (e.g. pictures). While she promised to do a write-up of all the information left behind, she never did (flake!). This is obviously a problem for those who reset their phone thinking it is truly wiped clean, and then hand it off to a friend, sell it, or trade it in for credit.

The other day, a relative and I both upgraded our phones. Him from a Galaxy S2 to a S5, and me from a Galaxy S3 to a S5. So I figured why not check both out to see if they did the same. Cliff notes: The Samsung Galaxy S2 (model SGH-T989) ‘factory reset’ leaves a lot of personal information behind, while the Samsung Galaxy S3 (model SGH-T999) does not. The S2 reset certainly does not delete your content.

Here is what I found left behind on the Galaxy S2. Directories for installed applications that were not deleted, or not deleted entirely:
\CamScanner
\foursquare
\gameloft
\Intsig
\Lazylist
\telenav
\data\flixster
\convertpad

Files:
\telenav70\sdlogs\4\22\2014042208.txt
\telenav70\sdlogs\5\23\2014052320.txt
\Photo Editor\2014-03-30 19.11.22.jpg
(personal picture)
\lookout\log.txt
\Intsig\CamScanner\.log\log-2013-12-25_21-59-09.log
\DCIM\Camera
(55 personal pictures)
\contactBackup\contacts.csv
\contactBackup\contacts.pdf
(both contain a full list of contacts: name and phone #. This is from an app that backed up contact info)
\Android\data\com.zynga.words\cache\FBImages
(three images, FB avatar pics of players)
\Android\data\com.facebook.katana\cache\.facebook_-372648771.jpg
(private image from FB)
\tmp_fsquare.jpg
\tmp_fsq
(a PNG thumbnail of avatar selected for the app)

The Galaxy S3 (model SGH-T999) that I used pretty heavily, was much better after factory reset. I found the following left behind:

\Phone\Application\SMemo
(didn’t use this app despite installing it. Files suggest private info may be available after reset)

All pictures, contact info, and information from applications are gone. So from the Galaxy S1 to the Galaxy S3, Samsung figured out the ‘Factory Wipe’ finally.
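The general check a practitioner would want before handing a device on is simple: after the reset, mount the phone's storage (or `adb pull /sdcard` a copy) and look for anything that should not have survived. The following is an added example, not code from the original post, that does the tedious part by classifying leftover paths into categories worth reviewing (contacts, photos, app caches, logs). The sample listing is constructed from the S2 findings above, with placeholder filenames where the post only describes the files (the 55 camera pictures, the three avatar images), and the category rules are my own heuristics rather than anything Samsung documents.

```python
"""Audit the storage of a 'factory reset' Android phone for leftover personal data.

Added example, not code from the original post. The sample listing below is
constructed from the files the post reports as surviving the Galaxy S2 reset;
filenames the post only describes are placeholders. The category rules are my
own heuristics, not any Samsung or Android specification.
"""
import os
import re
from collections import defaultdict

# Matched against a lower-cased, forward-slash path relative to the storage root.
# First matching rule wins; anything unmatched lands in "other".
RULES = (
    ("contacts",  re.compile(r"^contactbackup/|/contacts?\.(csv|vcf|pdf)$")),
    ("app_cache", re.compile(r"^android/data/[^/]+/cache/")),
    ("logs",      re.compile(r"/sdlogs/|(^|/)\.?log[^/]*\.(txt|log)$")),
    ("photos",    re.compile(r"^(dcim|photo editor)/.*\.(jpe?g|png|gif|mp4)$")),
)
# Categories a previous owner would not want handed to the next owner.
SENSITIVE = {"contacts", "photos", "app_cache"}


def normalize(path):
    """Turn '\\DCIM\\Camera\\x.jpg' or '/sdcard/DCIM/x.jpg' into 'DCIM/Camera/x.jpg'."""
    p = path.replace("\\", "/").strip("/")
    # Common storage mount prefixes (assumed; trimmed so rules see a relative path).
    for prefix in ("sdcard/", "storage/emulated/0/", "mnt/sdcard/"):
        if p.lower().startswith(prefix):
            p = p[len(prefix):]
    return p


def classify(path):
    """Return the category name for one surviving path."""
    p = normalize(path)
    key = p.lower()
    for name, rx in RULES:
        if rx.search(key):
            return name
    # A bare top-level name with no extension is an application directory the
    # reset left behind (the post lists several); everything else is "other".
    if "/" not in p and "." not in p:
        return "app_directory"
    return "other"


def classify_leftovers(paths):
    """Group surviving paths by category; values keep the normalized path."""
    groups = defaultdict(list)
    for path in paths:
        groups[classify(path)].append(normalize(path))
    return dict(groups)


def has_sensitive_leftovers(paths):
    """True if anything in a SENSITIVE category survived the reset."""
    return any(classify(p) in SENSITIVE for p in paths)


def scan_storage(root):
    """Walk a mounted (or adb-pulled) storage tree and classify every file in it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            found.append(os.path.relpath(os.path.join(dirpath, f), root))
    return classify_leftovers(found)


# Constructed from the post's Galaxy S2 listing; "placeholder" names are invented.
SAMPLE_S2 = [
    r"\CamScanner",
    r"\foursquare",
    r"\telenav70\sdlogs\4\22\2014042208.txt",
    r"\Photo Editor\2014-03-30 19.11.22.jpg",
    r"\lookout\log.txt",
    r"\Intsig\CamScanner\.log\log-2013-12-25_21-59-09.log",
    r"\DCIM\Camera\IMG_placeholder_0001.jpg",
    r"\contactBackup\contacts.csv",
    r"\contactBackup\contacts.pdf",
    r"\Android\data\com.zynga.words\cache\FBImages\placeholder_avatar.jpg",
    r"\Android\data\com.facebook.katana\cache\.facebook_-372648771.jpg",
    r"\tmp_fsquare.jpg",
]

if __name__ == "__main__":
    for category, paths in sorted(classify_leftovers(SAMPLE_S2).items()):
        print(category)
        for p in paths:
            print("   ", p)
    print("sensitive leftovers:", has_sensitive_leftovers(SAMPLE_S2))
```

Point `scan_storage()` at the mounted sdcard or at the directory produced by `adb pull /sdcard` to run it against a real device. The classification only sees paths, so a file with a misleading name lands in "other" rather than being missed entirely, and that bucket still deserves a manual look before the phone changes hands.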

Why I Love and Hate Presenting at Security Cons

Hate

I am not really a public speaker. I am nervous when I speak, even on topics I am very familiar with. Part of that is because I hold myself to a high standard for accuracy and ‘no bullshit’ given my history of calling others out on it. Just like I was right to do it to them, anyone in the audience is right to do it to me. My most recent talk has a ‘rule’ at the start that questions can wait until the end, but if I make a mistake speak up immediately. If you are right, I will correct it, apologize, and give you credit for holding me to such standards. If you are wrong, I will mock you. Seems fair! I hate dealing with AV, I don’t like dealing with cons and logistics and setup. This is partially due to past incidents where I am a registered speaker on schedule, and have to spend 15 minutes convincing the staff I am actually a speaker and have been attending that con for a decade just to get a badge (e.g. BlackHat). Every con does a different setup, where you aren’t sure if the speaker laptop will be ‘extending the monitor’ or ‘duplicating the monitor’. This matters for those of us using ‘presenter view’ in PowerPoint. I must have my speaker notes available in most talks as I tend to include dates, numbers, and details that I can’t otherwise remember.

Love

I also love presenting, because when I opt to do so, it is fairly interesting research or perspective. My talks are not technical, they won’t help you exploit a kernel or bypass memory protection. Instead, they are more in line with a historical and unique perspective in some cases (e.g. Anonymous, Cyberwar), or specialized to something I have focused on for two decades (vulnerability databases and related matters like statistics). I fully understand that some of my topics are not for everyone. Hell, they aren’t for most of the industry as far as a talk. While they likely use a vulnerability database, they certainly aren’t interested in the minutiae that goes with it. That doesn’t really matter to me. I’d rather have 20 people truly interested in the talk listening, rather than a ‘standing room only’ situation despite half the room not knowing the material past the first slide. For those handfuls of people out there, I know my presentations are improving on the common body of knowledge.

Hate, with a Twist

My most recent presentation, 112 years of vulnerabilities, has led me to develop a new kind of hate of presenting. The first time I gave the talk was in 2013 at BSidesDE. After the talk, I gave it twice more; once at a community college as a favor to a friend, and at a small boutique conference at a business school of a college. In doing the talk there, the conference organizer and a professor offered to try to get a copy of the ‘Repaired Security Bugs in Multics’ from 1973. What seemed like an impossible-to-find book ended up being a 7-page paper. But she managed to get a copy via inter-library request as a professor. With that simple gesture, the vulnerabilities in Multics I had cataloged jumped from 10 to 16. Thanks A.M.!

Six months later I get to spend some of my little free time going through more historic papers and find another dealing with Multics. Not only do I find more context around material in that presentation, I find that it is actually a lot more detailed and fascinating. The incident I describe actually happened twice, once in 1979 as I outline, and years before in 1974 with different results. The time spent digging into that came shortly after giving the talk to a security company on the east coast by request. Shortly after giving the talk, which extended to two hours with additional detail, Q&A, and a mix of discussion with them, I was approached about the electro-mechanical rotor cipher machines discussed. We got to talking for half an hour where he gave me pointers and information to later research. Before I left that day, he gave me two books on military cryptanalysis from 1956 that were previously classified. Yep, just laying on his shelf, he had two tomes of incredible knowledge that might help me in cataloging the history of vulnerabilities. I’ve only had an hour or two to go through them so far. While I determined the first book had no usable information, the second is a treasure trove. A single appendix of that book appears to have information that will double the vulnerability entries I have on such machines and the compromise of their crypto systems. Thanks J.M.!

Every time I find such information, it makes me regret giving the talk. While the talks were given to show perspective and it was clear the history was incomplete, I hate that my audiences didn’t get all of the information. Doesn’t matter that I didn’t have the information originally, I feel that I should have taken more time to research all of this better. I’m both afraid and excited that every time I give this talk, someone else will come forward with a wealth of new knowledge. It is an absolute delight for the vulnerability historian in me, but an absolute dread for someone who can’t stand delivering less than a complete talk.

Moving Forward

Since the first time I delivered the talk, I have had several people tell me I should write a book on the vulnerability history I outline. There is certainly an abundance of material there, and boiling it down to a 45 minute talk has caused me to deliver the talk at a faster pace each time. Part of me wants to write such a book, and release it as a free e-book to the community. It would be fun doing so. On the other hand, it would also take months of dedicated research to finish a true preliminary overview of such history and time is a valuable commodity to say the least.

So to my previous attendees, I apologize. I certainly hope you enjoyed the talk, but I really hope you understand that this is work in progress. Work that I have been doing for a long time, and will continue to do. At some point, if I come up with a more complete work, I hope to be able to share all of it with you in some fashion.

You have a new security initiative? Great, here’s some advice…

I am getting frustrated with the never-ending stream of ‘new’ security initiatives being announced. Doesn’t matter if they are community driven, compliance-based, or ‘industry standards’. For twenty years, we’ve heard it over and over, yet things just aren’t changing.

Most of these initiatives flop. Some may make it months or even years, limping along with virtually no support. Even projects with hundreds of people involved or supporting represent such a tiny fraction of the InfoSec industry, let alone the general IT industry, to say nothing of the rest of the world. In a few cases, the ‘new’ idea might even make a slight improvement for 0.000001% of the world. At best…

Largely though, they are worthless. People sometimes even spend more time banging on the initiative war-drum than the end result. Worse, for every one announced that does any real and lasting good, another hundred end up wasting time and going nowhere.

So you want to announce a new initiative to save the world? Great! How about instead, skip the initiative name, the policy, the graphics, and the rest of the things that take time from actually doing something. Don’t talk about the project day in and day out. Just do good.

If you really feel that a structured movement with lofty ambitions and a brand are required, then do good first. Show the world you are serious and capable. Announce your new initiative on the back of a big ‘win’ or change. That will demonstrate you have the drive and dedication. Come out of the gate on the back of something concrete, not fluffy bullet points that are indistinguishable from any for-profit security company or charlatan.

Yes, everyone knows you want to ‘help’ and ‘protect’ and ‘improve’ and ‘secure’. The exact same thing everyone else in the industry says, both good and bad. And like many of them, your new initiative may not deliver either.

Crossing the line on ‘appropriate’ response to a breach…

You have likely seen the news that eBay was compromised and disclosed on Wednesday the 21st, resulting in as many as 145 million customers being affected. eBay was quick to state that the criminals did not gain access to financial information, trying to allay customer concerns. Despite that, there are many aspects of the aftermath that concern people. Andy Greenberg at Wired and Madeline Bennett at The Inquirer are just two of many to write articles on “how not to handle a security breach”.

It didn’t take long for several US Attorneys General and one official in the UK to start or express interest in a formal investigation. I think it is warranted given the slow response from eBay and given that there are no details about the incident available from the company. It took them several days to finally add a banner to their site warning users to change their password.

What is disturbing is that four days later, I have not received an email from eBay warning me of this breach, while still receiving notices of random auctions ending that I am not watching. Getting notice of a breach for several days via the news, and not the company is bad form. In a comment made to BBC on Friday, the 23rd, eBay said:

EBay told the BBC that it was not aware of any technical problems with the password reset function on the site.
“The site is busy, but our secure password reset tool is working,” a spokesman said.

This caught my eye today as I read it just hours after seeing a Tweet from Kenn White in which he shows how ‘secure’ the password reset feature is:

Between the lack of response, slow action to get a visible password reset warning, not mandating that users change passwords, and not understanding what good password security is, I think it is time for the FTC to step in. Companies must be held accountable for the security of their customers.

Update #1: I received my breach notification letter and request to change password an hour ago, almost eight hours after posting this blog, four days after it hit the news.

Update #2: @miaubiz points out that the actual breach happened between late February and early March, leading to questions on why it took them so long to disclose.

Surprise! Guinea pigs… (the end of an era)

Almost 7 years ago (August 18, 2007), I returned from a business trip to find a guinea pig in my living room. My significant other at the time, Kay, had wanted to rescue a guinea pig or three. We had talked about it and I was willing, but wanted to talk about it more. She figured why wait. So upon returning home… surprise! Guinea pig. This turned into a steady stream of adoptions that led me to have a herd. This is an important distinction in the guinea pig world. One or two pigs can bond with their human if given a lot of attention. They will happily sit in their human’s lap and look forward to it every night. When you have more than two though, especially a lot more, they will revert to their more natural herd mentality. This is considered to be healthier by many people, but is not favorable to many owners. Why? Because pigs are prey animals, and you are perceived as a threat to them. You don’t get to bond with them and they do not enjoy being picked up. But, if healthier for the pigs, that is important so we had a herd. A few years later, Kay and I split and I decided to take the pigs. While they were her idea, it was clear that I was a better and more consistent provider for them. Even when given the opportunity to come over and help with cage cleaning, or even keep me company while I did it, she rarely showed. Eventually, she became a completely absentee parent, leaving me to care for the pigs. The following is a list of the guinea pigs adopted, in the order that they moved on. While I cared for all of them equally and to the best of my ability, two of the nine were ‘mine’ in some fashion.

The first was ‘Snickers’, aka A156576, a female Abyssinian adopted from the Boulder Valley Humane Society. One of my hesitations on adopting is because I had not taken the time to read up on them, but Kay had. Our first pig ended up not being the typical adoption. Only four years old, she had serious hair loss and complications due to a life of poor nutrition. Snickers reminded us that guinea pigs are frequently not cared for properly. I wrote a brief summary of her adoption and what was going through my head at the time. While she was not with us long, she opened the gates for more adoptions.

‘Pringle’ (originally named Cerra, aka A253868), a female American shorthair adopted from the Larimer Humane Society on March 9, 2008. Estimated to be around 4 years old, she was picked up and found to be extremely skinny (660 grams). She was surrendered to the shelter with no history other than “good with kids”. Based on her weight and appetite the first night, we’d guess she was not given hay or veggies very often. Once home, she took to most veggies instantly and slept by the hay bowl half of the night. By the next day she was energetic, standing on her rear feet wheeking happily for veggies and sleeping all over the cage. Better, she was already up to 730 grams. Her first vet appointment confirmed that she had mammary tumors which were removed successfully during surgery with a very fast recovery. After the surgery, she proved she was the perfect pig in temperament and demonstrated how pigs can recover from the worst of environments. Pringle passed on April 15, 2009 due to masses on several internal organs. She was also experiencing very minor weight loss and potentially had neurological issues (serious spasms when she slept sometimes). She went peacefully in her sleep, head on a pillow.

JuineaPig, originally Ginny aka A419947, was a female Abyssinian adopted from the Denver Dumb Friends League on December 29, 2007. When we went in, she was described as “problematic” and it took over 30 minutes for the staff to catch her because “she bites”. Given up for adoption for “recently starting to bite”, despite being almost two years old, once securely held she seemed to do fine. Due to her behavior, the DDFL had decided to pull her adoption information down and were going to declare her unsuitable for adoption. Once we gave the rundown of our current herd and ability to properly take care of her, they agreed that we could provide a good home for her. In the months after adoption, the only time she would bite is if she felt directly threatened, and even then, only warning nips. It was immediately clear that her previous owners had not given her any veggies as it took several months to get her to eat a wide variety. Since adoption, she was nothing but a sweet pig and clearly not a biter. JuineaPig passed on May 20, 2009 due to many internal complications including a cancerous tumor, kidney issues, a bladder stone, a GI obstruction, and more. Her last two days were not very happy, but she fought as best she could.


Figlet, originally Willow aka A762196, was a female Abyssinian (likely with a Peruvian mix) adopted from the Humane Society of the Pike’s Peak Region on June 20, 2008. Originally down there to adopt another ‘female’, we found two large males with health problems. Despite correcting the shelter on the gender of the pigs, they didn’t appear to care or update the web page days later. Figlet was in a large cage by herself (good), but with half of it covered in water-soaked litter and no water in her bottle. Almost unable to hold her, we managed to get her in the carrier and bring her to the pig mansion. She integrated into the herd within hours (after quarantine) and did great. Clearly younger than advertised, Figlet was the most energetic and spastic pig we had. Even six months after adoption, she was almost impossible to hold for more than a few seconds as she tried to escape and find her own footing. Fearless doesn’t begin to describe her. Figlet passed on Oct 15, 2009 due to complications during surgery to remove a mass causing hyperthyroidism, a rare condition in guinea pigs. A full write-up of diagnosing and treating her was created to share information about this rare condition in pigs. Figlet was ‘my’ pig and I spent a lot of time trying to figure out what was wrong, and went to great lengths to try to help her live a happy life. Losing her convinced me that I was not going to rescue any more pigs myself; rather, I would continue to support shelters and rescues.

Nugget, originally Nibbles, was a female American shorthair adopted from the Denver Dumb Friends League on November 2, 2007. They believed her to be about four years old but we suspected she was a bit younger. She was our first shorthair guinea pig with a great personality and strong love for hay and veggies. The DDFL said she was “surrendered because the previous owners couldn’t afford to maintain her” which is sad, as a pig is relatively cheap to house and feed. Nugget was hands-down the most mellow guinea pig and frequently ended up being a vet buddy when one of the other pigs needed to see the doc. Nugget passed on Oct 31, 2010 from natural causes. She was a senior piggy and lived a glorious three years with me. While I can accept that logically she had already moved on and was not aware of her surroundings or had any real mental faculty, the last 45 minutes of her life were spent in my lap at 3AM having spasms. That is very hard to deal with.


Zesty, unnamed aka A089150, was a female Abyssinian adopted from the Denver Municipal Animal Shelter (DAS) by Kay on September 7, 2007, one of three guinea pigs brought in that were apparently found near an auto repair shop, left to fend for themselves. The only female of the bunch, she was described by the staff as an ‘escape artist’ and estimated to be approximately one year old. We feared she was pregnant due to being housed with the two males she was found with, which was another reminder that despite the good intentions of shelters, guinea pigs simply aren’t well known. We soon learned that she was indeed an escape artist but fortunately not pregnant. She became the queen of the herd, and was certainly the most feisty guinea pig we had. Zesty passed on June 3, 2012 from natural causes. Based on her life history, she lived a long time all things considered.

Biscuit was a female Abyssinian adopted the same day as Zesty to provide companionship to the feisty beast. Oh, and she was ridiculously cute and mangled. Our third guinea pig at the time and first baby, adopted at only 5 weeks old, Biscuit knew no fear since she grew up in a happy home full of daily vegetable platters, endless hay, and a huge play pen to run around in. She was definitely the most tranquil pig, and knew absolutely no hardship in her life like the rest had. Biscuit passed on September 28, 2012. Sweetest of the herd, she lived a wonderful life.


Waffle was a female Abyssinian personal adoption taken in on November 16, 2007. She was ‘my’ second pig, adopted selfishly. Part of me regrets that we got her from a pet store, but I wanted one guinea pig that we knew the absolute history on and who should have no health problems as compared to the hit-or-miss you get with shelter rescues. Despite that desire, she lived her life with some respiratory issues. It never affected her, but hearing her ‘hoot’ as if congested was a constant reminder of her being in the herd. Ultimately, she lived over 6 years and her frequent breathing issues had nothing to do with her passing. Waffle was the most distinct color we had seen, a great blend of white, grey, and black, giving a ‘peppered’ appearance. Her black feet were also quite distinct and made her stand out in the herd (and a pain to trim the black nails as we couldn’t see the quick). Approximately five weeks old when adopted, she seemed to live for fresh hay more than anything else. When she wasn’t bouncing around her home she would lay in one of the hay lofts for easy access to her precious hay. Waffle reached end of life on May 9, 2014 (today) due to an intestinal tumor.

At this point, it left me with a single pig (Tater) that had grown up in a herd and knew nothing else. When Biscuit passed, Tater did not handle it well. That point moved from three pigs to two, which is decidedly not a herd. After three weeks, Tater finally settled down and accepted the situation and fell back into a happy routine with Waffle. With Waffle’s passing today, I fear the worst; that Tater will realize Waffle is gone (she hasn’t as of writing this blog) and freak out. Today, she has gotten a series of extra veggies, a cob of corn, and fresh hay. I have checked on her periodically to ensure she is doing alright. In the morning, I will be taking her to Cavy Care, the only all-guinea pig rescue in Colorado. I have visited the sanctuary several times over the years and love what they do. They treat their guinea pigs exceptionally well and screen adoptions to ensure it will work. Unlike pet stores who will sell pigs to anyone, even if it is not ideal for the animal, Cavy Care will make sure the would-be owners understand what they are getting into. Tater will be given a new friend, also a senior female piggy, to live with. While it isn’t the herd, she will have companionship like she has had for the last two years. As a now senior pig, it is hard to tell when she will move on. In the last few months, she has lost over 100 grams which is considerable for a pig, and a sign that health issues are happening. I hate to take a pig to a rescue that is already over-burdened, but they understand my choice, and Tater will come with a donation and all of my supplies to help the shelter. So more about Tater…

Tater is a female Peruvian Abyssinian Silky (longhair) personal adoption taken in on April 11, 2008. The runt of a five-pig litter, she was taken from a family that had pigs living in poor conditions and mostly neglected as they “didn’t have time for them any more”. If left in those conditions, she certainly would have been housed with mom, dad, and any brothers in her litter leading to a very early pregnancy. Said to be four weeks old, we believe she was much closer to two weeks old when we got her. It only took her a few days to become extremely lively, eat any veggie she was given, and develop a great personality. She integrated faster than any other pig had, likely due to being around many other pigs early on. She received hair cuts every couple of months as her coat was too long and bulky, dragging the cage and getting mucked up. While she whines during the trimming, she becomes considerably more energetic and seems much happier afterwards.


For the last four to five years, I have been the only provider for my pigs. While Kay started the adoption spree, they lived a majority of their lives under my care. In that time I learned a lot about them. Everything from behavior quirks, to proper care, to treating odd conditions. I drove hours to ensure they received the best care possible. Every week for five years, I bought $20 – $40 of vegetables for them, special ordered Timothy Gold hay, and gave them a steady stream of chewable houses and items to keep them stimulated. I cleaned their cages every week when the herd was big, using bleach and vinegar to scrub down the ‘trays’, washed their bedding, rotated their hay, and more. I adjusted my lifestyle and social availability to guarantee they got their vegetables about the same time every night. When traveling, they had in-home sitting most of the time, or twice-daily visits if not. When the air conditioning went out, I made sure someone was here to fix it within hours, as pigs can overheat easily. The temperature in my place very rarely crossed 76 degrees for their benefit. Every month or three, they got weighed to better determine whether they were healthy, as significant weight change is one of two ways to diagnose problems (the other being behavioral changes). I learned of common pig problems like cysts and little growths that can be removed, as well as common problems with senior female piggies like tumors, ovarian cysts, and unknown masses. When someone in a herd wheeks, I can identify it generally as it reflects on their emotional state. I have had to separate Zesty from the herd for going on a three-hour dominance mounting spree, ‘terrorizing’ the other pigs in her way. I have almost gotten kicked out of pet stores when I overheard a sales person spewing bullshit about guinea pigs. I have sighed casually and spouted back more disturbing facts than “you know some people eat guinea pigs?” to assholes trying to shock me (they were a lot more shocked than I was). Yes, I have read more books about guinea pigs than you have, about their history and indigenous lifestyle.

This is an end of an era in my life. Not having a huge guinea pig mansion in my living room, a few feet from where I spend a considerable amount of my life. Not hearing the happy wheeking, the frenzied wheeking as a pig tries to mount another, and the general chatter of guinea pigs day in and day out. Quarantining a newly adopted pig for 30 days before integrating into the herd. Bathing a guinea pig in some cases, no easy feat. No more setting up a play pen in the living room so they could run full speed, at least while they were young. No more watching Zesty jump over the guinea pig fence, and then laughing as Nugget observed Zesty and followed suit. I remember having to buy a new set of fences that were much taller to thwart the escape artists. Biscuit running in circles in the living room, entirely too fast for my camera to capture. The many nights I would take Figlet out of the cage and put her on the kitchen counter as I prepared veggies, giving her first shot to enjoy them without contest. The elaborate veggie platters I would make for the herd. Buying wheat grass for them to enjoy, because that was like crack to them. Cutting Tater’s hair, leaving a little sprout on her forehead because it amused me.

Despite the emotional turmoil in taking care of these critters, they were definitely worth it. If you have a bad day, you can look in the habitat and see the adorable guinea pigs living their lives. They have their own drama and dynamics, but ultimately it gives you perspective on your own drama. Picking up a guinea pig and getting nothing but an abject reaction reminds you they keep it real.


You keep using that word… (a note on “bullying”)

As a tech editor who apparently hit the glass ceiling, perhaps my only value to the industry is reminding people what words mean. Usually that is done for the author before something is published but it is clear the industry could gain some value this time. With the terms “bully” and “bullying” being thrown around more liberally recently, it is important to remember what it really means. Like most words in the English language, that answer varies greatly. Not only with historical changes, but with social changes as words are used, reused, and co-opted. Let’s start with what Google tells us!

According to stopbullying.gov, the definition is:

Bullying is unwanted, aggressive behavior among school aged children that involves a real or perceived power imbalance. The behavior is repeated, or has the potential to be repeated, over time. Bullying includes actions such as making threats, spreading rumors, attacking someone physically or verbally, and excluding someone from a group on purpose.

Some readers are certainly homing in on this definition while glossing over an important qualifier. We are not “school-aged children” despite often acting like it on Twitter. This definition is custom-written to be suitable to kids in school that face bullies. Next up, Wikipedia defines it as:

Bullying is the use of force, threat, or coercion to abuse, intimidate, or aggressively impose domination over others. The behavior is often repeated and habitual. One essential prerequisite is the perception, by the bully or by others, of an imbalance of social or physical power.

Those same readers may now be homing in on this definition based on the last line, but it is important to note that is a two-way street. If we can arbitrarily call it “bullying” solely based on one side’s perception, then we’re all equally guilty of bullying. If I call you a jerk, and you call me an ass in return, we are both potentially guilty of it. In reality, I think we can all agree that is a bit absurd. I think if you drop that last line and focus on the first two lines the definition is pretty good, especially given the next choice. According to the dictionary:

  • bully (noun)
  • 1 (archaic) : sweetheart or a fine chap
  • 2a : a blustering browbeating person; especially one habitually cruel to others who are weaker
  • 2b : pimp
  • 3 : a hired ruffian
  • bully (verb)
  • : to frighten, hurt, or threaten (a smaller or weaker person)
  • : to act like a bully toward (someone); to cause (someone) to do something by making threats or insults or by using force
  • transitive verb
  • 1 : to treat abusively
  • 2 : to affect by means of force or coercion

We can certainly agree that the archaic definition isn’t what anyone means when using the term. Similarly, a pimp or hired ruffian is probably just as archaic and not intended. Focusing on the rest, you have a variety of definitions that range from “treat abusively” to the more dominant ones that include the purpose of the activity. The words threat, force, and coercion appear more than once in the definitions above and are the crux of what bullying is about. Everyone who is now equating the term “bullying” with anything less than a malicious, sustained campaign of hatefulness with the intent of coercing or threatening is guilty of the worst sort of cowardice and dishonesty. They are doing a disservice to society and themselves.

Someone stating their opinion is just that. Calling someone a name or insulting them over appearance or action makes them an ass, nothing more. They aren’t trying to coerce you, they aren’t trying to force you to do something, and they aren’t threatening you. In this country they are simply exercising their First Amendment rights. As such, you have the right not to listen to them. If someone on Twitter is saying something you don’t like, stop following them. If they are including you in the messages, block them. Add their Twitter ID to a filter so it helps ensure you don’t read anything to, from, or about them. Remember, it is a push medium that you opt into. By using the service, by following people, by subscribing to lists, or by searching for specific words, you are specifically choosing to read it.

Cliff notes for the rest of you. Simple name calling or stating opinion on Twitter is not bullying, even if it is mean and you don’t like it. Those using the term in such a fashion are the real bullies here; they are capitalizing on a social stigma and social movement to brand what has been our way of life for hundreds of years as some new form of persecution. You are trying to use social pressure to coerce us into changing our behavior. Worse, by equating simple insults and jabs with bullying, you make it harder for those who have truly been bullied to be believed. Sorry, I won’t cave in to bullies, something your crowd keeps telling us to do, ironically enough.

To finish this post, I want to answer a question put forth by someone crying “bully”:

Can my daughter take criticism? Yes but not publicly. You got to have a pretty tough skin to be able to take criticism publicly. Most of us don’t have that tough skin. I think that’s good because that usually goes hand in hand with compassion. If I had to choose only one thing missing in this InfoSec community, it would be compassion. The nonconstructive criticism is so public and so vicious that you end up missing that one nice person who is trying to offer the constructive criticism that could really make a difference. And that’s sad. That person who is trying to help gets lumped in with the naysayers, and no one benefits. Is this really the InfoSec community you want?

Yes! That is exactly what I want the industry to be. More importantly, that is exactly the type of industry our society needs. There are two aspects to this, and one of them is so entirely simple, but seems to be missed time after time.

First, the InfoSec industry has two fundamental sides; those who break things (attack), and those who fix things (defend). The entire attack (a.k.a. red-teaming, tiger teaming, vulnerability assessment, or offense) side of it is itself built on the act of tearing others down. When you perform a penetration test, you are showing how the programmers and/or IT staff have failed in some way. In some cases, you are taking years of their work and shitting all over it in a PDF or a PowerPoint with pretty colors. That million lines of code to perform incredibly complex actions to make a seamless experience for their paying customers? You tell them it is Swiss cheese, that it shouldn’t be on a production network, and that they must go back and make it better while flippantly giving them the oh-so-helpful remediation instructions of “sanitize user input”. You get paid, handsomely even, to do just that day in and day out. Did you develop software that makes that process easier? Then you are facilitating colleagues so they can more easily tear down the work of other people. This is a simple fact and how our industry operates. You are offering what you think to be constructive criticism. The developers and admins receiving the report do not think it is constructive. You are a “naysayer” and yet both sides benefit ultimately. The notion that “no one benefits” is absurd.

Second, the more emotional answer. Our industry, and society at large, need more people who are not afraid to speak their mind, tell the truth, and demand better from everyone. That is how things get fixed, and that is how we improve as a society. Your friend being a douche-nozzle? Do you think they intend to act that way? No, so you tell them in whatever terms are needed so they stop acting like one. Your customer running insecure software that would allow little Bobby Tables to expose all of their client data? You tell them so they can fix it. Your report can soften the blow a bit, but ultimately you are telling them they have failed in a spectacular fashion. This isn’t some circle-jerk hug fest. This is an industry largely based on critique, which is a vehicle to improve.

When your day job is based on leveling criticism at other people, it is your responsibility to be able to take criticism. If you release software to the world, you are a vendor so to speak. Someone reporting a vulnerability in your software is not them “picking on you”. That is them making a sincere effort to help you improve your software, just as you are trying to help your customers (or students) improve. If you don’t understand how these are fundamentally the same, then you don’t belong in this industry. That is not a threat, force, or coercion. That is a fact.

(Courtesy of memegenerator.net)