The Charity Snail Mail Burden

If you have ever donated to a charity, you likely received something in the mail from them down the road. A thank you note (and request for more money), a new fundraising initiative where they would like you to donate again, or general information (and request for more money). What happens when you donate to a dozen or more charities over the years? The amount of snail mail you get from those charities, and many others you have never donated to, gets out of hand. At the start of 2015, I decided to keep all of the snail mail I received from charities for the entire year. How much would it be? What kind of ‘gifts’ would add up over the year?

Before the fun bits and pictures, a quick background on this. Charities have three primary categories for spending money: administrative (e.g. salaries, office supplies), fundraising, and program expenses (i.e. what their cause actually is). Charities are rated on that breakdown, among other things, by the excellent CharityNavigator web site (a 501c3 not-for-profit themselves). As an example, look at the breakdown for Paralyzed Veterans of America, which spends almost two thirds of the money it brings in trying to raise more money. They only spend 33% of their money on the intended cause: helping paralyzed military veterans. That is an absolutely horrible ratio and not a charity anyone should support. They are essentially in the business of raising money. All of the snail mail you get from charities falls under that ‘fundraising’ category. If a given charity sends what seems to be an obnoxious amount, that is money that could be better spent on program expenses.


In one year, I ended up receiving 351 pieces of mail from charities, that weighed 26.6 pounds. It’s hard to say if this is truly a lot, and what led to this. I donated to 32 different charities in 2014, some in a manner that would not have led to any snail mail (e.g. “would you like to donate a dollar to..” during grocery store checkout). A few were local charities that do not maintain mail lists and would not have generated any mail. Other bigger charities though, certainly took the opportunity to solicit me for additional money. And at least one of those charities sold or shared my information with other charities that I never donated to, and in some cases would not. To offer a bit of perspective, the 26.6 pounds of charity mail can be contrasted with the 10.8 pounds of ‘commercial’ snail mail I received.


Back to charities! Who were the worst offenders? The top six charities by snail mail volume are as follows, with links to pictures of their offering, and what percentage of their money they spend on fundraising:

Charity (pieces of mail received)       Fundraising %
Humane Society (31 pieces)              19.1%
World Wildlife Fund (21 pieces)         18.9%
American Red Cross (21 pieces)           6.0%
USO (16 pieces)                         26.5%
JDRF (13 pieces)                        12.8%
Doctors Without Borders (11 pieces)     10.3%

Note that I have donated to the top five charities on that list, but never donated to Doctors Without Borders. Considering that I received snail mail from around 75 different charities, almost three times as many as I donated to in 2014, that is certainly interesting. Also note that many charities were right on the heels of 11 pieces, but I had to pick an arbitrary cutoff to highlight above. Charities should note something very important! This level of snail mail is a waste of money, and does not encourage some contributors to keep donating. I understand that direct mail campaigns are a huge source of revenue, but finding a happy medium between the number of requests and the expected income would be appreciated. Someone donating $25 to a charity and receiving 30 pieces of mail is watching $14.70 of that money go to postage alone (30 pieces at the 49-cent first-class rate, for charities that pay full price, which some do). That money should be spent on program causes, not on soliciting for more money that will likely be wasted the same way.

Now the fun bits. Which charities sent me money? Yes… a long-standing gimmick of some charities is to send a small amount of money, typically under a dollar, and ask that you send more back. They usually want 25 – 1000% more, of course. This gimmick is frowned upon by many people, and for good reason. First, it is just that, a gimmick. Second, for charities that put a nickel, dime, or quarter in the envelope, they are quite literally throwing money away. Many people are tired of receiving the snail mail spam and quickly throw it away, coin or not. Even March of Dimes no longer sends a token dime in the mail. In 2015, Paralyzed Veterans of America sent $0.15 (3 nickels), FINCA sent $0.10 (2 nickels), Unicef sent $0.10 (2 nickels), Sierra Club sent $0.30 (6 nickels), National Law Enforcement Officers Memorial Fund sent $1.50 (6 quarters), Keepers of the Wild sent $0.50 (1 half dollar), Leukemia & Lymphoma Society sent $0.05 (1 nickel), and one more charity sent $0.05 (1 nickel). All said and done, I cleared $2.75!


Next, what is it about mailing address labels and charities? I mean seriously… almost every single one thinks that sending me such labels is a ‘gift’. Do these people not understand that the average adult in 2015 does not send that many written letters? Even people who mail checks to pay bills don’t generate too much snail mail. Yet the National Wildlife Federation sent me enough address labels to mail a letter a day, every day of the year. Amnesty International sent 96 mailing labels in a single piece of snail mail… and sent three of those mailings. USO sent 81 address labels in a single envelope. I didn’t have the patience to count them all individually, but I did take the time to count 154 sheets of address labels, weighing 558 grams, or 1.23 pounds.

[photos: sheets of address labels]

Membership cards are another popular thing to send, because membership apparently has its privileges? By privileges, I mean it grants you absolutely nothing. Yet, dozens of charities want you to carry that card around… yet none of them send you a new, bigger wallet. National Wildlife Federation sent me four membership cards in a single year, and Sierra Club sent me six. I have not donated to either.


If that isn’t odd enough, the support stickers that are sent out are certainly interesting! In addition to the usual “Don’t give me a speeding ticket” stickers that you receive from supporting law enforcement organizations, I received an NRA 2015 member sticker, despite never donating to the NRA or contacting them. It makes me wonder if that is how the NRA claims such high membership numbers. Is it based on who is on their mail list?


Moving on to stamps! Yes, postage stamps. A few charities will include a stamp in their offering, with the intent that you use it to mail them more money. While this is a variation of the ‘coin’ gimmick, the real tragedy is that some nonprofits have figured out that the USPS offers special rates for charity-related mail, and others have not. The USO understands this, as their self-addressed stamped envelopes (SASE) carry five 1-cent stamps, while the Humane Society sends a SASE with a Forever stamp. Regardless, all of the stamps included, on an envelope or not, can be re-purposed since they have not been used to send mail yet! In 2015, I received two Forever stamps, one postcard stamp, nine 10-cent stamps, one 4-cent stamp, seven 3-cent stamps, three 2-cent stamps, and 85 1-cent stamps. That is $3.39 in stamps! If they had come in a sealed roll, I could return them to the post office for cash, per old hacker legend. Alas, I can just tape them onto an envelope as needed, and they are still valid postage.


To wrap this up, what else did I get? Nine calendars and 26 writing pads, apparently for the silly number of letters these charities think I write, that demand thousands of mailing address labels.

[photos: calendars and writing pads]

I also got card sets (again, maybe explains the address label flood?), magnets, random swag, calendars and paperwork, as well as X-mas specific gifts:

[photos: card sets, magnets, paperwork, swag, and Christmas gifts]

And finally, two bits of pure amusement. First, ‘Doctors Without Borders’ seems to be fond of sending us Americans world maps. Yes, yes.. I know, Americans suck at Geography. But sending us world maps that we’re to hang up on our wall, of our first-world decorated establishments where style and the artist’s name matters more than actual living enjoyment? Please. But I get you, send the maps, rub it in that we’re a nation of stupid.


Second, all of this snail mail spam… can you opt out of it? Nope. At least, none of it includes any wording or forms or telephone numbers to remove yourself from the snail mail lists. For the charities that call as often as they send snail mail? If you complain enough, and trust me, ‘enough’ is relative… they will eventually opt you out. But then? They send you a not-so-form letter. In the case of March of Dimes, they write:

“… we are writing to you because of your request not to be contacted by telephone… please donate $25 to us”

I donated $5 to them on 2014-06-04, meaning it was “target of opportunity” (e.g. grocery store, or some case where someone asked me to donate). This was not a yearly contribution I make to half a dozen or more charities that I feel are making a difference. In the span of half a year, March of Dimes called me enough that I got fed up with them and specifically asked to be removed from their spam call list. They did as I asked! But then… reverted to snail mail to ask me for more money.

In summary, U.S.-based charities are living in the 80’s. They send pads of paper and mail address labels, on the heels of you telling them “quit harassing me”. They send stamps and currency in a desperate attempt to guilt you into donations. Some send you as many as 30 pieces of snail mail in a calendar year, on the back of a $50 donation given to a specific sub-group of their organization (e.g. in my case the Prairie Dog Coalition, a part of the Humane Society). If I want to find out if the Prairie Dog Coalition printed a new token adoption certificate, I e-mail the director. And Lindsey responds to me personally every single time. That is what I want to support… both prairie dogs in jeopardy, and the director of a non-profit group who takes the time to respond to my emails, helping me to support their cause in the specific way I want to. This is a model for how charities should work in 2015/2016. Instead, most are still stuck in the early ’80s, sending me dead trees that I don’t need or want.

If the director of a non-profit can’t reply to you, or even sign that Christmas card they sent, while asking for more money? That is bad. They should task their staff to send personal replies and sign such cards. It doesn’t matter what name ends up on it; it matters that someone on the other side appreciates my contribution, and takes the 30 seconds to read and reply to me or scribble their mark. In fact, I think that might be a great criteria for charities I support in 2016. No personal contact? Then maybe the charity is too big and has plenty of money coming in. Maybe they don’t need my donation. Instead, I can give to local charities, which I have started focusing on, where I can see exactly how my money is used, and even stop by and talk to the ‘director’ or staff when I want. I put that term in quotes because it is a misleading title for small local charities, for someone who is often knee-deep in mud or animal poo, doing their best to make the charity work. With that personal connection, especially when I find myself volunteering or visiting, then I feel very comfortable telling friends, family, or social media about their cause and encourage them to donate as well.


When Reality TV Rears Its Ugly Head

I really do love the show COPS. I’ve seen 99% of the episodes over 28 seasons, with ~25+ episodes per season. The show is absolutely real, but they certainly cherry-pick the scenes, and the officers they follow. Further, the show is built on a formula of one violent takedown, one drug bust, and one family domestic per episode (if memory serves; the formula has been heavily criticized). So tonight, watching the latest episode… the cop in the car says: “There was an anonymous caller that just uh… told us there was a warrant suspect in the back yard… he’s known to run from us, he’s eluded capture before so.. we’re going to see if we can uh… take him into custody here…”

Yep, stop there. This is where the TV show shows its hand, so to speak, and demonstrates that it is not objective at all. Nothing about that one-minute intro makes any logical sense. The responding officer wouldn’t say “anonymous caller”, as 911 dispatch takes the calls and knows who they are speaking to (even if the caller is anonymous, they know the address and name registered to the line, with few exceptions). How many people stop to read the most-wanted posters at the local post office? You do? Great, those don’t show local warrant suspects. Those aren’t posted anywhere that I have seen, ever. Known to run from police? Then the cop knows exactly who they are dealing with, which is a positive ID. Eluded capture before? Why… it is a rare case where the police stop pursuit during a chase… so, moving on!

The more compelling reason to watch this show? It is reality TV that demonstrates why no unarmed person should EVER be shot by a police officer, no exception. This show actually broadcasts cases where the officer screws up, does something that is against policy, or against training. But there is a struggle, and the outcome is beneficial to the public and police, so they air it. I generally don’t blame those officers one bit. They are a half-second too quick to use mace? Fine. But those are the scenes we see… we see the taser incidents too, but rarely if ever in a situation that is in dispute. So consider that police are a bit too eager to mace a suspect, or go hands-on (the real bit we should question), on national TV. Is it so wrong to consider that a police officer would step over the ethical line when no cameras are around?

There is a movement to put body cameras on police, and I believe that should happen. If we had the budget, I’d want a COPS camera crew following every unit and publishing that material without police oversight. I think it would be very telling. Remember… this TV series shows us the BEST that police have to offer. It is filtered and approved at multiple levels before it goes to TV.

Now, for your “meta” discussion… it’s 2015, and we’re still seeing violent take-downs of suspects over flakes of marijuana. They are offered deals in the field to admit to their crime, or arrested for having personal-use volumes (by Colorado law), which are illegal in other states. Why is the TV show COPS still showing us these ‘dramatic’ scenes where police officers use physical force over the presence of personal-use levels of marijuana, and someone that is nervous in the face of police, especially when they are minority?

This episode? The suspect says they won’t answer questions until they get an attorney. The cop keeps asking questions… ON NATIONAL TV. Was the officer not trained on Miranda? I’d say YES, since the same cop was reading the Miranda warning from a card they kept in their pocket. If a cop pulled a card to read me my rights? Part of me would appreciate it, as they are doing it to make sure they are read correctly. Part of me would be scared, because they are a professional LEO supposedly… and haven’t memorized the relatively short Miranda warning. If they can’t remember those few sentences, why are they enforcing the law?

Again, I am a fan of the show in many ways. It reminds our society that police activity is not safe, and that law enforcement officers put themselves into situations that endanger their lives every single day. But when a heavily edited TV show that has served as propaganda since season one shows police clearly stepping over the lines? The producers need to consider what the fuck they are broadcasting to the world. They are either proper journalists (no..), or sloppy (yes..), and need to quit their jobs.

Shan Yu had a point.

BOOK: Have you ever read the works of Shan Yu?
SIMON: Shan Yu, the psychotic dictator?
BOOK: Yep. Fancied himself quite the warrior poet. Wrote volumes on war, torture… the limits of human endurance.
SIMON: That’s nice…
BOOK: He said “live with a man 40 years, share his house, his meals, speak on every subject. Then tie him up and hold him over the volcano’s edge. And on that day you will finally meet the man.”
SIMON: What if you don’t live near a volcano?
BOOK: I expect he was being poetical.

I am a sucker for a movie or TV show that presents a compelling scene or story, that conveys a complicated topic most humans will never experience, or likely never fully grasp with any bit of reality. I am a bigger sucker when such a scene or story starts taking on a small shred of reality, in a different context, that I can piece together.

While I can’t compare my point to being held over a volcano’s edge, I feel that slowly meeting and getting to know someone over 20 years and watching a variety of mental tolls take effect may come in a distant second. In addition to compassion fatigue, spending decades in an industry you believe in that keeps failing, no matter how hard you try to improve it, wears a person down in many ways. Some of them are often destructive to themselves and those around them.

We’ve reached a point in InfoSec where there are hundreds, maybe thousands of veterans that are reaching a critical mass. The number of disillusioned professionals that cannot tolerate their beloved industry is incredible. Some I know have sworn off the industry, vowing to work outside their niche market, and forsake the rest of the industry. This is great for them, bad for the industry who could desperately use their experience and knowledge, and absolutely fair to both. I won’t get into the debate of “oh but there is a next generation“, and just say that a community who loses a significant portion of their elders will suffer tremendously, even if they don’t realize it until many decades later.

If Shan Yu were on social media, I think he would be fascinated watching the story unfold, and amazed at how much he could learn about people during their industry-induced downward spirals.


Studies, articles, and social media activism are just a start.

I would imagine everyone reading this, who partakes of social media to any degree, is getting worn down by the social media activists. Like everything, there are some that are effecting change and doing great work. They use the media to spread the message while helping to enact change in other ways. Basically, doing more than just ‘awareness’. You can Tweet and Facebook and Tumblr all day long about “help our vets”, and the sentiment is great. But until you turn that effort toward people who can effect change (e.g. politicians), it’s not likely to actually help a veteran. Oh, and you do occasionally promote charities that help the veterans and donate yourself… right?

Yesterday, “Spouse-gate” happened at the ASIS / ISC2 Congress event. In a nutshell, a female InfoSec professional is a speaker at the conference, and her InfoSec professional husband joined her as a regular attendee, but via her “plus one” that the conference provides for. Each “plus one” in the eyes of ISC2 is the spouse, which by definition is the husband or wife. So imagine his surprise when he goes to the registration desk and finds the staff “utterly confused how [he] could be a spouse and asks [him] four times how [he’s] a spouse“. Did the meaning of spouse change sufficiently in the past years, that it is only applied to females? He explains several times that his wife is speaking, and he is her “plus one”, and they finally understand. Next, they give him a con swag bag and information regarding ‘spouse events’ which include shopping trips. The bag included two bottles of hand lotion, an empty photo album, shopping coupons, a magazine, and the business card for Jay Claxton, the Director of Loss Prevention at Marriott Vacation Club International.

I think it safe to say that the conference bag for spouses is a clear case of misogyny. Now, why am I posting about this? Peruse the bag contents and scroll down…


I have been an outspoken critic of ISC2 for many years. In the last couple of years, I have toned down that criticism considerably, for various reasons. The biggest reason is that one of the board members, Wim Remes reached out to me and prompted many discussions over a year. He made an effort to get my feedback on how ISC2 could improve in their process, public perception, and get back on track (my words) with their intended purpose of making the security industry better. When someone in a position to effect change reaches out and demonstrates they want to make things better, it is time to help them rather than continue to criticize the organization. In that time, Wim has done an incredible job working to change the organization from the inside. Sorry for the diversion, but I feel it is important to give credit to those working very hard toward bettering our industry.

At some point in the last year or two, ISC2 has taken on a very public “pro-woman” stance (scroll through their Twitter feed). They have collectively called for more equality in the workforce in our industry. In fact, within one hour of ‘Spouse-gate’ starting, ISC2 was Tweeting about women remaining underrepresented in InfoSec. It’s hard to understand how an organization can promote a great cause while also devolving to the base levels of misogyny that are a root cause of the inequality.


Social media activism can do great things. But many of the great things that can be done get lost in the noise of people blindly re-posting feel-good messages that ultimately do very little to do actual good, and concretely support the cause. If organizations like ISC2 want to help effect real change, they need to “be the change that [they] wish to see in the world.” In short, more doing and less grandstanding.


Compassion Fatigue in an industry largely devoid of compassion.

A few days ago, Bruce Schneier actually wrote a slightly interesting piece for Fusion. I say that with surprise because most of his articles are engaging and well-written, but he rarely shares new ideas or concepts. Most of my professional circle is already very familiar with a given topic, and Schneier largely enjoys a reputation for his insight because he has a considerable following and they read about it there first. In this case, it wasn’t so much that Schneier’s piece was new information (he did quote and cite a 1989 reference on the topic that was new to me), it was that he flirted with a much more interesting topic that is somewhat aligned with his point.

In ‘Living in Code Yellow’, Schneier quotes a handgun expert who described a specific mind-set. From his article:

In 1989, handgun expert Jeff Cooper invented something called the Color Code to describe what he called the “combat mind-set.” Here is his summary:
In Yellow you bring yourself to the understanding that your life may be in danger and that you may have to do something about it.

Reading on, Schneier brings up the psychological toll that such a mindset can have, and that concept should not be new to anyone that has been in InfoSec for a few years.

Cooper talked about remaining in Code Yellow over time, but he didn’t write about its psychological toll. It’s significant. Our brains can’t be on that alert level constantly. We need downtime.

While not a new concept, this one flirts with another type of psychological toll that some in the industry are not familiar with, based on my conversations over the last year. It only took a few minutes of Twitter discussion for others to recognize the same thing. While the point I want to bring up is similar to a degree, I want to stress that it is also significantly different based on profession. I am not comparing InfoSec people to the people that typically face this condition. That said, quoting Wikipedia’s entry on ‘Compassion Fatigue’:

Compassion fatigue, also known as secondary traumatic stress (STS), is a condition characterized by a gradual lessening of compassion over time. It is common among individuals that work directly with trauma victims such as therapists (paid and unpaid), nurses, psychologists, first responders, health unit coordinators and anyone who helps out others.

This is another important aspect for some InfoSec professionals, but clearly not all (or most?) of them. Personally, I feel this is a condition that can manifest in people who truly care about their work, and as the article says, people who “help out others”. Many in our industry technically help, to some degree, but are driven by profit and fame. I do not think they suffer from, or will ever suffer from, such a condition. On the other hand, there are certainly many InfoSec professionals who strive to help their clients, the public, and anyone they can. Money is a nice perk, but they are likely the ones that would do it even if it meant a paltry salary. Unfortunately, I think that many of them are newer to the industry, which matters because compassion fatigue speaks directly to the effects it can have on such an individual. From Wikipedia again:

Sufferers can exhibit several symptoms including hopelessness, a decrease in experiences of pleasure, constant stress and anxiety, sleeplessness or nightmares, and a pervasive negative attitude. This can have detrimental effects on individuals, both professionally and personally, including a decrease in productivity, the inability to focus, and the development of new feelings of incompetency and self-doubt.

First, I don’t think our industry suffers from the last detrimental effect. It is brimming with egotistical idiots that never have those feelings, even if they should. Second, while I doubt anyone in our industry will suffer nightmares, the rest can and likely hold true to varying degrees. More specifically, hopelessness and a negative attitude. I will be the first to admit that I fall into this category when it comes to InfoSec. I have a serious level of apathy and disillusionment with the effectiveness of our industry. I have several draft blog posts on this topic and may finish one some day. All of the evidence is right there, showing we fail over and over in the bigger picture. Those who argue otherwise are idealists or new to the industry. Either they haven’t seen the evidence, or they refuse to believe it. It is easy to miss when you live the life. But there is a steady level of ‘systematic desensitization’ as @VRHax calls it, and that is spot on. For anecdotal comparison, think back to the frog in boiling water story, even if not true. It happens to us all, even if we aren’t fully cognizant of it.

While compassion fatigue can have a much more serious toll on some of the professions listed above, I believe that it likely has an interesting way to manifest for our industry. Rather than lose the desire to help, or feel it is hopeless, I think that it slowly wears down an individual in a different way. They lose that desire to help out of a truly noble cause, and inch toward doing it only for the salary and lifestyle that many of us enjoy. As such, they become hopeless as far as original intent, don’t enjoy their work as much, develop a base level of stress, and grow an increasingly negative attitude, yet do it because it pays well.

Unfortunately, when you join the industry, you aren’t warned about this to any degree.

If you volunteer at an animal rescue / rehabilitation shop, you are likely to be warned of this during your orientation on day one. And for good reason! When you spend your time trying to help a sick or wounded animal, do everything in your power to help it, and it doesn’t make it… it is devastating. That warning is what prompted me to read more on the topic originally, and it took Schneier’s blog to make me realize just how true it was in our industry, one that largely helps out of selfish gain rather than altruistic desire. So I am grateful for his blog missing the mark as usual, but doing so in a way that prompted this blog and discussion. Is there a solution to this, for InfoSec professionals? Not that I can figure out. Many that see the problem still operate under the assumption that we can magically fix things, if only we could figure out how! They rarely give merit to the possibility that we are in an untenable position and there is no way to win. Perhaps they should watch Star Trek again and consider the value of the Kobayashi Maru challenge. In the mean time, I will offer you a simple but slightly twisted way to help deal with compassion fatigue in our industry: by going outside of it. Dare to face it in another world while you help others unrelated to technology. I’ve found great reward in doing it every week, even if I may ultimately face the same problem there.



Smile! And your favorite charity benefits.

Recently, Amazon implemented a program called ‘Smile’ that allows you to select a charity who will get a small portion (0.5%) of your purchases. The beauty of this program is that you select your charity one time. Every visit to Amazon after that, they donate. Even better, if you forget to go to the ‘smile’ sub-domain, Amazon will usually remind you and give you a chance to one-click over.

When you consider that Amazon made $74.45 billion in revenue in 2013, this could potentially add up to serious money being donated to charities around the world. If 0.5% of all of their revenue in 2013 was donated, that would be $372,250,000. Yes, $372 million dollars. That is almost 2% of the estimated cost to end homelessness in the U.S. Not bad, that a single company has that capability and puts that power in the hands of their customers.

So click over once, choose your charity, and help contribute to your cause. Finally, spread the word. The more people that opt in to this program, the more charities benefit.


BSidesLV, two boxes-of-shit up for charity auction…

For those not familiar, last year I created a new-and-improved Box-of-Shit that was put up for charity auction at BSidesLV 2014. Wow, lot of dashes there, go Engrish! For those not familiar with the absolutely legendary boxes-of-shit, take a minute to familiarize yourself with them. The box last year was the center of a heated bidding war, with a BSidesLV security staff member proxying bids from another room, as a bidder was also teaching a class or robbing a casino or something like that. Anyway, Nate the Hero (official title) donated $1,000 to the charities selected by BSides (EFF, Securing Change, and HFC). Outstanding!

This year, I doubled down. There are TWO boxes of shit up for auction…

First, the important part. I humbly ask that you read and focus on this bit, because it is the entire point of my effort and goal in doing this. BSidesLV 2015 auctions will raise money for OWASP, Electronic Frontier Foundation (EFF), Hackers for Charity (HFC), and Hak4Kidz. Supporting charity is always a good thing, right?

Remember, InfoSec is considered a “zero unemployment” industry, and our average salaries are ridiculous. While we are quick to do the Facebook “like-activism” to support minimum wage increases, many of us spend $6 on a coffee every morning. If you make solid money in our field, and you cannot go out of pocket for 1% of your salary, you should probably skip the next version of “h4ck1ng f0r l33t kidz” and read a book on personal finances. Live a little… give up a shred of luxury, and donate to the greater good. If you win, you will get to read some personal thoughts I have on the matter, and receive a challenge of sorts.

So… there are two boxes this year! You can troll my Twitter feed for a few random pictures that barely tease what is in each. Even better, you can use this blog to see the teaser page that accompanies each box! I’ve been told that there will be remote bidding this year, which is very cool. For the next two days, I will also answer questions about each box, in a manner that does not reveal how awesome, or how lame, a box is. Rest assured, more time and energy was spent on these two boxes than on all other boxes/envelopes I have ever sent out, combined. Each box comes with a ~4 page personal letter for the winner, among other things. That has to be worth a postage stamp at the least.



Here you go! You get what the in-person bidders get, the same teaser PDF. If you are at keys, you can play 20 questions via Twitter, while they are throwing back a Bud Light and telling their new friends about how they found an unpatched WordPress CMS last week.

p.s. These are likely to be the last ever boxes I brew, for many reasons.
p.p.s. In the interest of exposure, I will spam this link several times the next couple of days. DEAL WITH IT


Twitter’s crowd-sourced blocking idea good, implementation bad…

Yesterday I saw a few mentions of Twitter’s new method for “crowd-sourcing” user blocks. The idea is that one person may have blocked dozens of trolls, and you want to do the same without having to dig through a lot of Tweets. I read about how it was implemented, sighed, and moved on. Last night, someone I respect for his technical prowess over the years said it was “well done”, and I disagreed. He said I should post a blog with my idea, so your wish is granted.


The Twitter blog that outlines the implementation says some users “need more sophisticated tools.” Sophisticated, not convoluted and annoying to implement. There is a big difference. From the blog:

To export or import a list of blocked accounts, navigate to your blocked accounts settings. Click on the advanced options drop-down menu and select the action you want to take.

To download a list of your blocked accounts, select the export option and confirm the accounts you want to export.

The blog doesn’t even explain the next part for some reason, and I am curious why. Could it be because the process starts to look like more hassle than benefit? The next step is to host that block list somewhere, advertise that you did so, have another user download it, then have them go to their own blocked accounts settings and import the list. Fast and easy, right? Of course not; that is one of the most convoluted ways of implementing this type of feature. Your average Twitter user, especially the huge percentage that only use it via mobile, simply will not go through this process (and could not easily do it if they wanted to). Even sitting at my computer, having to take actions outside my Twitter client is annoying, and this has too many steps.

How about integrating the functionality instead? Every client has a way to look up a user, or to interact with them.


Just about anywhere on this context menu works nicely. “Add/Inherit @AlecMuffet’s blocks…” or “Block @AlecMuffet’s blocks…” or “Share @AlecMuffet’s blocks…”. One click and a confirmation box, and I could take any of his exported blocks and make them my own. That presents the smoother, more easily crowd-sourced model that is the intent here. If I have multiple accounts, it is three clicks as I choose which account (or all accounts) to add the blocks to. Compare that two- or three-click method with the one Twitter came up with. Designing the “User Experience” (UX) is an art, and not many companies do it well. That is often due to the disconnect between how the developers use a product or service and how their users or customers use it.


John Thomas Draper: Setting the Record Straight re: Cap’n Crunch Whistle

The tl;dr CliffsNotes version: John Draper was not the first to discover that a Cap’n Crunch whistle could be used for phreaking.

It is almost a ‘fact’ that John Draper, also known as Captain Crunch, discovered that a toy whistle in a box of cereal could be used to make free phone calls. I say ‘almost’ a fact, because so many people believe it, and so many people have written about it as if it were fact. Even recently, a magazine known for intelligent geeky facts parroted this falsehood:

Not long after Engressia shared this information with the other phreakers, John Draper discovered that a toy boatswain’s whistle that was included in boxes of Cap’n Crunch cereal in the late 1960s could blow a perfect 2600Hz tone.

Even going back to 1983, a book titled “Fighting Computer Crime” by Donn B. Parker carried the myth:

A young man just entering the U.S. Air Force to serve as a radio technician was fascinated with telephony and took courses on the subject at college and discovered the whistle that catapulted him to crime, infamy, and misfortune.

Googling around for tales of Draper and the whistle will turn up a variety of sites that say he discovered it. These include the Snopes message board, a telephone tribute site, high school papers, and other archival sites. And this isn’t limited to more obscure sites; this ‘fact’ is still repeated in mainstream media articles.

While some in the industry have had doubts, or heard tell that Draper did not discover the whistle’s significant tone, it wasn’t until last year that we finally got a definitive answer and story. Phil Lapsley wrote a book titled “Exploding the Phone” that gives an exhaustive history of phone phreaking and is a must-read for anyone interested in the topic. Lapsley’s research put him in touch with many players of the time, and the real story emerged:

Page 155: Several years earlier a Los Angeles phone phreak named Sid Bernay had discovered you could generate a nice, clean 2,600 Hz tone simply by covering one of the holes in the plastic toy bosun whistle that was given away as a prize in boxes of Cap’n Crunch cereal. Armed with their Cap’n Crunch whistles Fettgather and Teresi and friends would cluster around pay phones at the airport and go nuts. [..] With Draper in the club the whistle trips expanded.

Page 166: (late summer of 1970) It was on one of those conference calls that John Draper discovered a new identity for himself. [..] One day Draper and Engressia were talking about using a Cap’n Crunch whistle to make their beloved 2,600 Hz tone, Engressia recalls, when Draper suddenly said, “You know, I think I’ll just call myself Captain Crunch. That’d be a good name.” Engressia immediately liked it. “It just fit him somehow,” he remembers. “It was just a good name for him. We called him ‘Captain’ a lot.” Captain Crunch was born.

Given that most of Draper’s modern reputation is based on his ‘discovery’ of the whistle, something he has done nothing to dispel or come clean about, I feel it is important to help set the record straight. While he may be an iconic figure in lore, even if undeserved, it is important to better understand what kind of person he was during this time.

Page 245: And as a rule universally agreed upon within their group, they avoided John Draper and his friends like the plague. “I tell you,” [David] Condon says, “Draper was the kiss of death. He was asking for it, he was looking for trouble.

Page 313: All this did not sit well with Steve Jobs and the other managers at Apple, who thought the Charley Board product was a bit too risky and, besides, they disliked Draper to begin with.

In addition to being disliked, Draper had a growing criminal record that included seven counts of violating 18 USC 1343 (Fraud by Wire, for using a blue box to call Australia, New York, and other places) in 1972, violating probation later in 1972, being arrested in California in 1976, and being indicted on three counts of 18 USC 1343 while on probation. To this day, Draper maintains it was a conspiracy:

Page 287: To this day, Draper maintains that he was framed. [..] “Well, it turns out that he had arranged with the FBI to tap that phone,” Draper says. “He told the FBI that I was going to be making a blue box call at that phone at that date and time.” The result was that the FBI now had a blue box call on tape with Draper’s voice on it. [..] You see, the informant that the Los Angeles office of the FBI sent up didn’t arrive in the Bay Area until Tuesday, February 24. The blue box telephone calls that Draper was eventually busted for occurred four days earlier, on Friday, February 20. And on that Friday the Los Angeles informant was still in Los Angeles, enjoying sunny southern California weather or breathing smog or whatever it is that LA phone phreak informants do when they’re off duty.

But this wasn’t the end of his crimes. In New Jersey in 1977 he was arrested and charged with possession of a red box, a charge that was later dropped. He was again arrested in 1977, this time in Pennsylvania, which led to him agreeing to a plea deal in 1978 to one count of possessing a device to steal telecom services. He was sentenced to 3 to 6 months in jail with credit for 1 month served. That charge and plea also meant he had violated his federal probation for earlier crimes, sending him back to California to spend time in prison as well. During all of this time, two psychiatrists observed that Draper “tend[s] to pass himself off as the victim claiming that he has almost no control over all of the troubles that now beset him” and that he had “numerous paranoid delusions of being especially picked out for persecution because of his power and knowledge”. Both psychiatrists agreed that jail would not be a good place for Draper, leading a judge to sentence him to a furlough program for one year. Finally, in 1987, he was caught forging tickets for the BART system, which led to a plea bargain resulting in a misdemeanor.

I offer all of this up, courtesy of Exploding the Phone, as a reminder that many people in InfoSec consider him a hero of sorts, and feel that his history was beneficial to the world of phreaking. In reality, it was not. He was just another phreak at the time, did not discover the Cap’n Crunch whistle, was caught during his crimes several times, and then somehow became a telecom legend. To this day, Draper still tries to use his reputation to get handouts from the industry. If you want to support him, just be sure you understand who you are supporting, and why.


Anatomy of a NYT Piece on the Sony Hack and Attribution

There is a lot of back-and-forth over who hacked Sony Pictures Entertainment. For a not-so-brief summary, here is an extensive timeline to catch you up. I am going to drill down on a single point, as it is both fascinating and disgusting. Using a single article that is heavily influencing people around the world, and helping to polarize the InfoSec community on who hacked Sony, I want to show you exactly what you are quoting and reading. Why? Because people don’t seem to be reading past the headline or first couple of paragraphs. What seems like a strong, definitive piece falls apart and begins to contradict itself entirely halfway through the article. The New York Times piece in question is titled “U.S. Said to Find North Korea Ordered Cyberattack on Sony”.

Consider what the headline says. First, it says that North Korea ordered the attack on Sony. Second, it says the U.S. has found out, meaning there is some body of evidence that led to that conclusion. Seems simple enough. But where does this come from?

American officials have concluded that North Korea was “centrally involved” …
Senior administration officials, who would not speak on the record …
Officials said it was not clear how the White House would respond.
Other administration officials said a direct confrontation with the North would provide North Korea with the kind of dispute it covets.

So how many officials are we talking about here? American officials? Senior administration officials? “Other” administration officials? Not a single one on record, which is very curious given named sources are the backbone of solid reporting. Are these officials part of the military? Law enforcement agency? Or just policy wonks that may or may not be getting briefed by someone with a clue?

The administration’s sudden urgency came after a new threat was delivered this week to desktop computers at Sony’s offices, warning that if “The Interview” was released on Dec. 25, “the world will be full of fear.”

Wait, so the Sony network is still entirely compromised weeks after it was publicly disclosed? That is an interesting angle, why haven’t we seen articles covering that? The company brought in to do forensics, are they losing this battle? Or did they mean the message was emailed to Sony employees, and the wording is confusing since the initial attack included actually replacing the desktop background on thousands of Sony desktops? Or was this a reference to the attackers posting that message on a public website (Pastebin)?

“Remember the 11th of September 2001,” it said. “We recommend you to keep yourself distant from the places at that time.”

This comes from the latest Pastebin post, since removed. I think that is the simple, logical explanation.

While intelligence officials have concluded that the cyberattack was both state-sponsored and far more destructive than any seen before on American soil, there are still differences of opinion over whether North Korea was aided by Sony insiders with knowledge of the company’s computer systems, senior administration officials said.

Wait a minute, the title is definitive, the U.S. says North Korea did it. Now even more unnamed officials say Sony insiders may have helped them? If you follow the whole “this is an act of war” nonsense, then any American Sony employee just committed treason, right? If it was a Japanese Sony employee, then Japan is in league with North Korea? I mean, we have to be careful on our rhetoric of war and blame, as these little comments can mean big things.

North Korea’s computer network has been notoriously difficult to infiltrate. But the National Security Agency began a major effort four years ago to penetrate the country’s computer operations, including its elite cyberteam, and to establish “implants” in the country’s networks that, like a radar system, would monitor the development of malware transmitted from the country.

So Newt Gingrich, Dave Aitel, and others are saying a North Korean attack on Japanese company Sony is an “act of war” against the U.S., but we openly admit that the U.S. government has been trying to penetrate North Korean computers for at least four years, and that isn’t an act of war? That doesn’t make sense. Either such intrusions are an act of war, or they aren’t. We can’t have this both ways.

It is hardly a foolproof system. Much of North Korea’s hacking is done from China. And while the attack on Sony used some commonly available cybertools, one intelligence official said, “this was of a sophistication that a year ago we would have said was beyond the North’s capabilities.”

So the definitive headline is now clouded by statements like these. We don’t know where the attacks originated, the tools were commonly available and had been seen in attacks years ago, but then the official says it is sophisticated? Not sure this ‘intelligence official’ has the same standards for the word ‘sophisticated’ as many in InfoSec.

But there is a long forensic trail involving the Sony hacking, several security researchers said. The attackers used readily available commercial tools to wipe data off Sony’s machines. They also borrowed tools and techniques that had been used in at least two previous attacks, one in Saudi Arabia two years ago — widely attributed to Iran — and another last year in South Korea aimed at banks and media companies.

Do we all know what a forensic trail is? This is a shaky list of circumstantial evidence at best. Given the use and history of the tools, making an assumption on who used it seems absurd.

But one of those servers, in Bolivia, had been used in limited cyberattacks on South Korean targets two years ago. That suggested that the same group or individuals might have been behind the Sony attack.

Again, do we not see how circumstantial this is? On one hand you claim the attackers are sophisticated; on the other you say they used a compromised computer for two years, one that would implicate them because of past attacks.

The Sony malware shares remarkable similarities with that used in attacks on South Korean banks and broadcasters last year. Those intrusions, which also destroyed data belonging to their victims, are believed to have been the work of a cybercriminal gang known as Dark Seoul. Some experts say they cannot rule out the possibility that the Sony attack was the work of a Dark Seoul copycat, the security researchers said.

Definitive headline, yet more doubt on who attacked Sony.

The Sony attack also borrowed a wiping tool from an attack two years ago at Saudi Aramco, the national oil company, where hackers wiped off data on 30,000 of the company’s computers, replacing it with an image of a burning American flag.

A public tool from two years ago, and this is influencing attribution? Investigators should be logical and skeptical. Actual evidence should be the guiding factor in their investigation and determining attribution.

Security experts were never able to track down those hackers, though United States officials have long said they believed the attacks emanated from Iran, using tools that are now on the black market.

So we couldn’t positively attribute the attack two years ago that used those tools, and now we want to use that tenuous link claiming it is some kind of ‘proof’ North Korea was involved? This makes no sense.
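The point the last several paragraphs make, that a tool anyone can buy or download links an intrusion to nobody in particular, can be made concrete. The following is an added example written for this post; it is not from the article, the investigators or any vendor. The incidents, actors and tool names are constructed placeholders, and the inverse-frequency weighting is my own choice for illustration: each indicator is scored by how few previously attributed actors have used it, so a wiper that three separate groups have used (or one that is openly on the market) contributes nothing, while an indicator seen with only one actor contributes the most.

```python
"""Scoring shared tooling as attribution evidence.

Added example, not from the original post. All incidents, actors and tool
names are constructed placeholders. The scoring rule (weight an indicator by
the inverse of how many distinct attributed actors have used it) illustrates
the reasoning and is not any investigator's actual method.
"""
import math
from collections import defaultdict

# Constructed history of prior incidents: the actor each was attributed to
# and the tools/infrastructure observed in it.
PRIOR_INCIDENTS = {
    "incident-A": {"actor": "actor-1", "tools": {"wiper-X", "loader-P", "server-1"}},
    "incident-B": {"actor": "actor-2", "tools": {"wiper-X", "rat-Q"}},
    "incident-C": {"actor": "actor-1", "tools": {"server-1", "rat-Q"}},
    "incident-D": {"actor": "actor-3", "tools": {"wiper-X", "loader-P"}},
}

# Tooling known to be commercially or publicly available: usable by anyone,
# so its presence says nothing about who used it. Constructed set.
PUBLIC_TOOLS = frozenset({"loader-P"})


def actors_per_indicator(incidents):
    """Map each tool/indicator to the set of attributed actors seen using it."""
    seen = defaultdict(set)
    for inc in incidents.values():
        for tool in inc["tools"]:
            seen[tool].add(inc["actor"])
    return seen


def score_attribution(new_tools, incidents=PRIOR_INCIDENTS, public_tools=PUBLIC_TOOLS):
    """Score each known actor by the discriminating indicators it shares with
    the new incident.

    weight(tool) = ln(number_of_actors / number_of_actors_seen_using_tool)
    A public tool, a never-seen tool, or a tool every actor has used scores 0
    and is skipped; a tool unique to one actor scores ln(N).
    """
    seen = actors_per_indicator(incidents)
    n_actors = len({inc["actor"] for inc in incidents.values()})
    scores = defaultdict(float)
    for tool in new_tools:
        if tool in public_tools or tool not in seen:
            continue  # links to nobody in particular
        users = seen[tool]
        if len(users) == n_actors:
            continue  # shared by everyone: zero discriminating value
        weight = math.log(n_actors / len(users))
        for actor in users:
            scores[actor] += weight
    return dict(scores)


def verdict(scores, margin=1.0):
    """Return ("leans", actor) only if the top actor clears the runner-up by
    `margin`; otherwise ("inconclusive", None)."""
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    if not ranked:
        return ("inconclusive", None)
    if len(ranked) > 1 and ranked[0][1] - ranked[1][1] < margin:
        return ("inconclusive", None)
    return ("leans", ranked[0][0])


if __name__ == "__main__":
    # Three constructed "new incidents": one reusing only the widely shared
    # wiper and a public loader, one adding a two-actor RAT, and one adding a
    # piece of infrastructure seen only with actor-1.
    for tools in ({"wiper-X", "loader-P"},
                  {"wiper-X", "rat-Q"},
                  {"wiper-X", "server-1", "rat-Q"}):
        s = score_attribution(tools)
        print(sorted(tools), {a: round(v, 3) for a, v in s.items()}, verdict(s))
```

Two things worth noticing when running it: the shared wiper and the public loader never move the score at all, and a "leans" result is only as good as the prior attributions fed into the history. If those earlier incidents were themselves pinned on an actor because of the same shared tools, the whole chain is circular, which is exactly the problem with leaning on a wiper from an attack that was never positively attributed in the first place.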

“It’s clear that they already had access to Sony’s network before the attack,” said Jaime Blasco, a researcher at AlienVault, a cybersecurity consulting firm.

I have given many a buzz-quote to the media, and I understand how they can be taken out of context. This is a great example. Blasco sounds like a total idiot, but I have a strong feeling he isn’t. What does this quote mean exactly? Getting access to Sony’s network requires an attack. Subsequent actions are part of that attack, or the fallout. Or does he mean “had access” in the context of a legitimate trusted employee? InfoSec people: be careful when giving buzz-quotes to journalists.

The cost of the assault was small: The attackers used readily available tools to steal data and then wipe it off Sony’s machines.

Once again, “readily available tools”, yet we are attributing this to a nation-state attack? Read between the lines and we have no real attribution at this point, at least not demonstrated by anyone. I doubt Mandiant is sharing their results with anyone publicly, leaving the rest of this to guess-work.

Representative Mike Rogers, the Michigan Republican who leads the House Intelligence Committee, said the hackers had “created a backdoor to Sony’s systems” that they repeatedly re-entered to send threatening messages to Sony employees.

Ya think? That is hacker 101 shit right there Mr. Rogers. Sophisticated malware to allow such access has been around for more than 30 years, and is trivial to get from thousands of web sites.

The North Koreans have half-denied involvement, but have left open the possibility that the attacks were the “righteous deed of supporters and sympathizers.”

Well played North Korea.

All in all, we have an article with a definitive title, “citing” between one and dozens of unnamed officials who may be guessing like most of the world, giving as much “evidence” that it wasn’t necessarily North Korea, and it is whipping up a frenzy that has politicians and InfoSec professionals calling this war. I’ve said it for a week, and I must say it again: how about we wait for actual evidence, a public report outlining all of the forensics available, that can be peer-reviewed to some capacity, before we go rattling our saber at a country that may not be involved. Sure, North Korea is wonky in their statements, implying it was them and then “half-denying” it, whatever that means (curious that no one ever links to these statements, or are these more “unnamed officials” from their government?).

Remember, North Korea is the same country that threatened the U.S. with a nuclear missile earlier this year. They like to rattle their saber at everyone, but it doesn’t mean they actually did anything. Taking their implications or half-denials as fact isn’t prudent. I am not saying North Korea wasn’t involved. I am simply saying that this speculative circle-jerk is not helping anyone, and only serves to cause headache and grief. Level heads must prevail. If you feel the need to comment on the matter, make sure you are educated about what has happened in the last 30 days, and then try to be a voice of reason in this ugly mess.