The Great Divorce (with apologies to CS Lewis)

“Apart from the addictive nature of our new digital way of connecting, it does not seem to satisfy our deep-seated need for true human contact. Instead what it seems to have spawned is the illusion of social connection via a medium that has our dopamine receptors on perpetual high alert as we anticipate, like Pavlovian dogs, the next “ping” that promises to offer us the novelty and pleasure of a text, instant message, tweet, Facebook update or Instagram photograph.”

“Generation Z: Online and at Risk?” by Nicholas Kardaras, Scientific American Mind, 15552284, Sep/Oct 2016, Vol. 27, Issue 5

What is Lent, Anyway?

In many Christian denominations, the practice of Lent is a 40-day period of preparation of the soul for Easter. This is commonly accomplished through times of fasting, prayer, and the denial of the self. You often hear people say they are giving up something or other for Lent, which is to say they are denying themselves something enjoyable so as to focus on more important matters.

Lent starts on Ash Wednesday, which is preceded by a Tuesday. Well, duh, right? But this Tuesday is special. On this Tuesday before Lent starts, people have historically purged their kitchens and cupboards of fattening foods in preparation for Lent. This day is called Shrove (or Fat) Tuesday. In my geographic neck of the woods of South Central Pennsylvania, the Pennsylvania Dutch celebrate this by baking fasnachts, a powdered donut-like pastry made with potato dough. Once the cupboards are emptied of fattening treats, we arrive at the first day of Lent, Ash Wednesday, where many faithful celebrate by having their foreheads marked with the sign of the cross in ash. This is often done with the declaration of “Memento, homo, quia pulvis es, et in pulverem reverteris” or in English “Remember, man, that thou art dust, and to dust thou shalt return.”

With ashen foreheads, we are welcomed to Lent. This is followed by discount fish sandwiches at fast food joints all over the US. This forty-day period of soul searching and self-denial ultimately leads to Easter, the single most significant event in the Christian calendar. There is your history lesson for the day.

OK, so where are you going with this?

This year, I decided to celebrate Lent by giving up Social Media. Yeah, I hear you already – whoah, whoah there, mister crazy person! Why would you do that? Why, thank you for asking, let me explain.

I’m an avid reader, have been since I was a little tyke. Recently, I have been reading a few books that made me question my own technical reality. Those books are:


Ten Arguments for Deleting Your Social Media Accounts Right Now, by Jaron Lanier. This book really set up my Lenten adventure by questioning the Wizard behind the curtain of the social media machine. In this work, Lanier provides ten arguments, in paragraph format, outlining the impact social media has on our society as a whole, and on us as individuals. It was a very impactful book for me – if Lanier is reading this, I thank you for challenging my world view. Though all of the arguments had an impact on me, I was especially challenged by Argument Six (Social media is destroying your capacity for empathy), Argument Nine (Social media is making politics impossible), and Argument Ten (Social media hates your soul). The research provided, and the down-to-earth approach Lanier takes in building his arguments, helped me question why I was using Social Media in the first place, and what impact it absolutely has had on my own life. This book is a fast read, but if you don’t have the time to read it, you can check out his TED Talk on the topic here.

12 Ways Your Phone is Changing You, by Tony Reinke. I’ve been reading through this book for some time now, and truth be told have yet to finish it off. Some sections of the book ran slow for me, and other sections were challenging to the social and spiritual aspects of how my phone – and the subsequent consumer mentality of all it offers – has been changing my world view. His chapter entitled “We ignore our flesh and blood” rang through in a Cats in the Cradle sort of way, challenging me to deliberately put down the phone and see the people in my proximity. The chapter entitled “We get lonely” helped me look inward, and acknowledge the connection between my “connected-ness” and the desperate loneliness I often carry like an albatross around my neck. The chapter entitled “We fear missing out” returned me to the exciting days of my undergrad Social Psychology class, and how we – like drooling Pavlovian pups – return again and again for that dopamine fix offered by our phones, and how we can have true anxiety when we try cutting back on our digital fix.

Click Here to Kill Everybody, by Bruce Schneier. I’m currently reading through this one, a true work of art from a master pioneer in modern computing. Schneier’s writings are the perfect blend of deep technical expertise mixed with comprehensive research and incredibly applicable truth. Thus far, this book has challenged my world view in the realm of cybersecurity. Perhaps you, like me, consider cybersecurity and hacking to be something that happens to other people… some mildly entertaining story that has little to do with our own cozy life. Through our increasingly connected world, the connected stuff we own and use every day is being weaponized and used against us – including Social Media. We are absolutely in a state of open warfare, or to use Schneier’s terminology, un-peace. The truth that I have no idea how secure my internet-connected oven is right now was enough to challenge my world view. The undeclared cyberwar rages all around us; it’s only a matter of time until some new strain of ransomware attacks our home devices, demanding payment to turn off the oven / turn down the thermostat / unlock our Roku Television. You may recall an earlier blog post of mine on the topic, found here. The reality is that Social Media is being used as a weapon against us by people who either want to addict and monetize us (can I call that a best case?), or outright obliterate our way of living (worst case).

The Plan

So with all that reading, I decided to quit cold turkey from what Lanier calls “BUMMER”. That is an acronym for Behaviors of Users Modified and Made into Empires for Rent, a term he uses quite frequently for specific types of Social Media that are deliberately targeting and modifying our human behavior. To say what I cut out would be a lengthy list; perhaps it’s easier to say that the only one I left alone was LinkedIn, because I use it for my employment. Now that Easter is in the rear view mirror (and Memorial Day approaches… where does the time go?), I can share with you some of the impacts on me, personally. The first few days, I kept a detailed journal. After that first week or so, I randomly documented my thoughts, feelings, emotions, and so on. This blog post somewhat recreates that format. Enjoy.

Day Zero: Fat Tuesday

I uninstalled all Social Media links from all my web browser bookmarks, and deleted all Social Media applications from my iPad and iPhone. My rationale was that it’s easier to avoid something if it’s not there to stumble over or mindlessly click. The transition off Social Media (Lanier’s BUMMER) was greatly simplified, as our Verizon FIOS service went down the night before. The moment Verizon went down was somewhat comical, as my teenager and his friend stared around, lost and bewildered, for about an hour as their PUBG screens blinked LAG before disconnecting. Have you ever seen a teenager mope around the house, lost and disconnected? It’s a sad wistful wander, like a butterfly with a damaged wing.


Day One: Ash Wednesday

So it was that on Ash Wednesday, the first day of Lent, there was no Internet, Cable, or Land-line phone service. I used my 4G service to live chat with the overseas FIOS technician. I interrupted his help desk script by assuring him that I had already verified power, rebooted the router, disconnected the UPS from the Fiber drop in my basement before rebooting that, and in general knew what I was talking about. The router occasionally gets an IP from the Provider Edge Router (PER), has brief Internet connectivity, then drops and no longer sends or receives routes. My Customer Edge Router (CER) can no longer talk to the PER, which typically indicates some sort of routing issue in the public cloud. Due to the snow & ice storms in the area, they can’t come out until Friday, which suits me fine. No Internet = No Social Media.

Throughout my work day, I found myself periodically picking up my cell phone and reaching for a Social Media fix – which wasn’t there. I had wisely uninstalled / removed all BUMMERs from my device, thus preventing the ingrained habit of priming a dopamine fix. I had not realized how habitual it was to reach for social media throughout the day. Right now, as I type this on my desktop computer that has no Internet access or Social Media, it’s deathly quiet throughout the house. Eerily quiet… like the tense moments before a serial killer pops out from behind a curtain. I half expect a mutant Mark Zuckerberg to suddenly appear, armed with a Facebook-themed Android tablet, and start clubbing me upside the head until I click LIKE on the latest political post. It’s somewhat frightening when you see your dependence on checking the latest Post or Tweet. The worn ruts of habit run so deep in the dirt road of life…

I also noticed something else that I’m not quite so proud of. I noticed that when it was bed-time for our babies, I typically would rush them off to bed as quickly as possible. The goal, I imagine, was to get them out of the way so that my path to “free time” or “down time” was clear. But the past few nights, I indulged my five-year old with the bed-time stories and snuggles he always asks for but rarely gets. The “way too late” excuses faded away in light of “they are only little for a very small season of life”.

And after my 8- and 10-year olds finished story time with my darling Pooky, I spent more time snuggling and rubbing their backs before bed, much to their delight. Those precious bonding moments that I shoved aside in the chasing after smoke… I have truly been missing out. I’ve come to realize that Social Media really is like chasing after smoke – having caught some in my cupped hands, I never realized that there was nothing really there. It was the pursuit, the chasing, that kept me going back again and again. Never was there some actual ownership or capturing of something substantial. I was like the parable in the Bible of the man who looks into a mirror, then immediately forgets what he saw as he turns away. And so I kept returning, again and again, to gaze at something that was gone the second I turned away. I was very much like Harry Potter in the second book, The Chamber of Secrets. Harry comes across the very old diary of Tom Riddle, discarded in a toilet. And though there is nothing written in it, Harry inexplicably finds himself returning to the book, turning through the pages as if there were something rather fascinating written in it. I imagine the analogies here are endless, but you get the point.

Day Two Thoughts

Still no Internet or television or telephone. I keep noticing that whenever there is a lull in my life – a normal period of inactivity or quiet – I impulsively reach for my phone, then stare at it with the realization that it can’t give me what I think I need. I’m not quite sure what I need; perhaps I crave contact, or a feeling of belonging, or some kind of mindless activity. A longing to be moved or affected. It’s a strange feeling; it really does feel kind of like I’m going through withdrawal. Yeah, it’s real – I recently read a blog post from Scary Mommy that relates to this. As a Scary Daddy, I approve of her post.

Having taken the day off for a kid school function, I was more aware than usual (because I’m being deliberately self-aware) of those little pregnant moments where I tend to reach for a Social Media fix. When the ten-year old went into the bathroom and I had to wait outside in the hall? I instinctively reached for my phone, then realized what I was doing, and put it back in my pocket. Later that evening, I went out for chicken wings with a dear friend, and once again I was aware of those little pregnant moments. While waiting for my buddy to arrive, I sat in the lobby of the chicken wing establishment. Once again, I reached for the phone, then put it back and instead watched the people around me. There was a chubby toddler, gleefully wobbling around the lobby on shaky legs, as the young mother hovered nervously behind, waiting to scoop him up from danger. All the different people with different paces, different faces. They were all here, all along, unseen as I typically looked down at my phone. How many of those un-noticed people were potential opportunities to love and serve? Were any of them lost or hurt, lonely or desperate for authentic communication? How many of those pregnant moments have I lost, while staring down at my phone? Each of those individual moments, throughout a normal day… a week… a month… a life… spent chasing after something that might… do what? Entertain? A short burst of noise to fill the awkward silence of life?

It all adds up.

Day Three

The Fios dude arrived early, and told me my ONT is DOA. An ONT is nerd speak for the Verizon box mounted on the wall of the basement that converts their fiber over to something more home-friendly like Co-ax or Ethernet. You know what DOA is, right? The box is toast, a paperweight. The kids are hovering around like vultures near a wounded stray calf, waiting for ones and zeroes to once again start squirting through the house. Our Alexa hasn’t played Baby Shark in several days; the shark gods are not pleased. Netflix, Amazon Prime, PUBG, the list goes on and on. It’s all waiting like an empty car on the side of the road for some gas. How will I now tackle this Lenten fast, with the availability of social media right up and in my face? Things just got real…

Onward and Upward

So I stopped logging my notes daily, and instead decided to wrap this up with some general thoughts. I started bringing this all together on Good Friday, the single most significant religious event in the Christian religion. And Good Friday kicks off Easter weekend, and then what? Lent is officially over. So here are a few thoughts on this whole event.


GLaDOS says “you’re welcome!”

I’ve noticed that no one on Social Media even noticed that I was gone. All of my virtual “friendships” were as real and impacting as… well, as something that was not real or impacting. How’s that for a lame analogy? I’ve also noted that I’m 2,000% happier. More importantly, the wife has noticed a visible change in my personality. After the first week or so, I stopped reaching for the phone all the time. I noticed and interacted with more people around me. For some reason, I also made an effort to connect more with the people around me. For example, at the grocery store, I have been making a conscious effort to look at the name tag of the employee ringing up my groceries, and say something like “thank you, GLaDOS, for bagging my potato!” to acknowledge them as a person. It is always a little awkward. Real interpersonal communication often is. Through this experiment, I have also read a lot more books. In general, I have gone to bed a lot earlier, and wake up much more refreshed.

I’ve also noted that I’m still incredibly lonely for authentic relationships – but at least I understand why now. All the social media fluff that I filled my life and time up with was empty smoke… or to quote Kohelet, the author of Ecclesiastes, it was meaningless – a chasing after the wind. The reality is that for many years, I’ve been gorging daily on a steady diet of social media fluff, while wondering why I was still hungry inside.

There are so many examples of what social media is like. The biggest one that comes to mind is from the movie The Matrix. In a very real sense, we are all just a simple product to be harvested by the social media. We gleefully provide our experiences, photos, emails, clicks and likes as a type of virtual fruit. What we get in return is the illusion of a virtual world around us that simply isn’t reality. That alone would be frightening enough – but Lanier’s book helped me to see that in the beginning of social media, we were just a data feed to be harvested. Recently, something more nefarious has begun – now we are being actively manipulated by the social media machine to modify our behavior. To summarize Lanier, Social Media is making us all less human. To summarize Schneier, Social Media is being weaponized against us. Either scenario is troubling, but only if we take the time to let it trouble us. As a society, I don’t think we do that nearly enough.

At this point, I don’t know that I can ever go back to Social Media – certainly not the way it was before.

Happy Easter… and Memorial Day!


So I’m trying to put a bow on this blog. It’s a bit past Easter now, and I did get back on Social Media. I spend a few minutes here and there, mostly just to upload a few Spring pictures of the kids and family. I note that the social media machine had been trundling on, just as it always had, without me. I note that no one really even noticed I wasn’t there. And I realized that I no longer cared about going back – the frantic grip of FOMO (what psychologists call Fear of Missing Out) has left me completely. I have found this entire process to be incredibly meaningful and helpful. You may still see me occasionally on Social Media – but it won’t be like it was before, because I’ve changed. Sometimes, seeing the wizard behind the curtain is enough to change us.


Spirit Hacking: The Power of the 8th Layer (Part Two)


I have to confess, this blog has been difficult to write. In the many weeks of writing this blog, there has been a continual struggle between two extremes – one side of me messily bleeding all over the place, the other side of me keeping it sterile and clinical, as if you were reading a bland ingredient list for catsup. I hope this (very long) blog entry captures some useful information, and gives a glimpse into the very personal aspects of this research in my own life. This blog entry has been a journey through my own personal valley of shadow.

Stay On Target

Thanks, I needed that.

So in Part One of this blog, I talked about the convergence of Social Psychology (how people tend to act under particular external stimuli) and Hacking (manipulating something to get a new or different output). Social Engineering is this convergence – the art of manipulating humans (the 8th Layer of the OSI Model), typically for financial gain. Now I’d like to talk about another form of social engineering that is picking up visibility in the media – the manipulation of people (human hacking, if you will) in a spiritual setting.

Dragon’s Tongue

In the Inheritance book series, Paolini writes about Eragon, a boy who finds a dragon egg in the mountains near his home. With the hatching of the egg, Eragon sets out on a grand adventure to become a dragon rider with his beautiful dragon, Saphira. This series takes Joseph Campbell’s recipe for the Hero’s Journey all the way to the bank, following the adventure framework in the path of such greats as Lucas’ Star Wars and Baum’s The Wizard of Oz. But though I could ramble on about the key elements of Campbell’s framework, that’s not what this blog is about.

In the book series, Eragon learns that everything has its true name, which describes its very essence. When a person learns their true name, it gives them deeper understanding of what makes them tick – it summarizes their deepest desires, what motivates them, why they act the way they do. Knowing someone’s true name gives you complete power over them.

In the series… spoiler alert… the chief antagonist learns the true name of Eragon’s half-brother, Murtagh, and thus is able to control him completely. The book illustrates that knowing the full essence of a person – what makes them tick – is a powerful tool. And in the wrong hands, it can be disastrous. I won’t spoil the ending of that book series any more – go read it, it’s a pretty good series. Just don’t watch the movie – it’s a diabolical train wreck of a film that bears only a passing resemblance to the book.

The point is that knowing what makes you tick can be used by the wrong person to control you. Sadly, those in a position of authority can – and often do – use their understanding of others to control them. When that wrong person uses their position of authority to abuse others within a spiritual context, this is referred to as Spiritual Abuse.

Open Vulnerabilities within the Church


those were the days…

When it comes to vulnerabilities, churches are the IIS server of the Social Engineering world. I can see the non-technical folks scratching their heads at that one, so I’ll elaborate. Back in the day, Microsoft had a web server called Internet Information Server (IIS). I remember learning the intricacies of this server back in the 90’s as part of my MCSE 4.0 certification; ah, it seems like only yesterday… And the thing about IIS server is that it was very well known to be chock full of vulnerabilities. Or to say it a different way, hackers knew with a very high degree of certainty that if they found an IIS box hosting a web page, they could hack into it rather easily.

Churches bear close similarities to the IIS server in that several of the core tenets or belief systems in churches are well known, and are able to be manipulated by bad guys. Things like forgiveness, believing the best in others, generosity, kindness, and meekness – these general characteristics are vulnerabilities that can easily be taken advantage of. And this is critical to understand – we cannot always recognize the bad guys for what they are. The bad guys are most likely already inside our churches now – and because of the known vulnerabilities of a church, may be taking advantage of people to have free rein.

What I’m not saying is that the church needs to stop being forgiving, or generous, and so on. What I’m saying is that we need to see these characteristics as potential areas that will be methodically targeted and exploited by the bad guy. Knowledge of these vulnerabilities is the first step in guarding against exploitation of those vulnerabilities. That is probably a whole other blog post; maybe I’ll shelve this for now. For more on this topic, I highly recommend Jimmy Hinton’s podcast on how abusers prey on our belief system. Jimmy was instrumental in helping clean up the mess at my old church; I owe him a great debt of gratitude. But to stay on target, here is the key takeaway: bad guys will often target well-meaning churches as a means to their own ends. This process almost always includes some form of Spiritual Abuse.

Spiritual Abuse, Defined

I will define Spiritual Abuse based on the (rather excellent) research of David J. Ward, as defined in “The Lived Experience of Spiritual Abuse:”

“A misuse of power in a spiritual context whereby spiritual authority is distorted to the detriment of those under its leadership.”

My darling Pooky could probably take that definition and perform some type of fantastic sentence diagram wizardry. Unfortunately, I’m nowhere as talented, so I’ll break that definition out into its individual components:

  1. Misuse of power
  2. A spiritual context
  3. Distorted spiritual authority
  4. Causing detriment (harmful)
  5. Under leadership

First and foremost, note that points 1, 3 and 5 are closely related. Spiritual Abuse relies on someone in a position of authority distorting that authority to harm those under their leadership. See the connection? Spiritual abuse relies on authority.

Point 2 identifies the context – it’s spiritual. In most cases, this takes place in a church or religious setting. It is worth noting that Ward’s research on this topic was conducted exclusively with victims from a Judeo-Christian background, and as such, this blog most directly applies to that context. It is also worth noting that my own personal experience in this area is also from that same context.

And Point 4 identifies the results – spiritual abuse causes harm to those who are abused.

This may be a difficult concept to grasp for those who have not been abused in such a way. Melanie Childers, in her article “Holy Havoc: Chaplains as First Responders in Healing Spiritual Abuse”, notes that spiritual abuse most closely resembles violent domestic relationships, in that both involve ongoing relationships of trust and intimacy that have been voluntarily chosen. And as a result of this violated trust and intimacy, people are harmed. There is detriment. There are lives left broken and shattered as a direct result of spiritual abuse.

Characteristics of Spiritual Abuse

There are clearly identified characteristics and patterns of spiritual abuse. Ward identifies the following:

  • Leadership Representing God
  • Spiritual Bullying
  • Acceptance via performance
  • Spiritual Neglect
  • The expanding external/internal tension
  • Manifestation of internal states

Representation

As I pointed out in the definition of Spiritual Abuse, the common theme is authority. A spiritual leader maintains their position of authority in large part from their position of spiritual leadership. While interviewing victims of spiritual abuse, Ward noted that abusive leaders usually treat their victims as children.

This stands in stark contrast to the mutual respect found among fellow believers who are on a lifelong journey into eternity. The model shifts towards treatment of the congregation as insolent children in need of constant correction. In my experience, the focus was most commonly present in the negative – we didn’t _____ enough, or weren’t as _____ as we should be, or were too easily ______, or we didn’t _____ well enough. The picture takes shape of a congregation full of bumbling spiritual toddlers, in need of a wise earthly father figure who is much closer to God.

This is a far cry from the Biblical example set forth that we are all on the same spiritual journey, and are to speak into each others’ lives in different ways. By contrast, there is no speaking into an abuser’s life – there is only acceptance and obedience to their direction. The direction is almost exclusively uni-directional. That is to say, because the leader is on a higher level than the rest, they are above reproach and do not receive correction, they only deliver it. And the less you know about them or their shortcomings, the better.

One practical example of this uni-directional vulnerability: if your spiritual leader knows about your own proverbial flawed skeletons, but has not reciprocated, you are in a lopsided position of vulnerability that has the potential for abuse. There are numerous reports of this taking place in the realm of Scientology, where their leaders have enough dirt on the followers to keep them under control. On a more personal level, I remember on more than one occasion a pastor saying that it’s ok to disagree with them – you can come to them later, and apologize for being wrong. This kind of tongue-in-cheek statement reveals a perceived position of spiritual higher ground, while dissuading others from disagreement or speaking into their lives. To over-simplify, the leader will tell you what to believe – and you will (to borrow the line from the old hymn) trust and obey.

Bullying


This is an area where I struggle to keep it somewhat clinical. I’ve witnessed so many examples of spiritual bullying from the pulpit. It is worth noting that from my own experience, this has been almost exclusively uni-directional. That is to say, due to the one-sided nature of the pulpit, an individual is given the opportunity to speak to a wide forum of others – but rarely is feedback provided back towards the pulpit. And this lack of real-time feedback and accountability is frequently used to harass others. Here, social psychology is powerfully at play. How many of us would honestly stand up in the middle of a sermon and call out the preacher for saying something that is abusive or aimed to harm / intimidate someone else? Can you imagine the myriad eyes of every other congregant upon you? Spiritual abusers take advantage of this social tension, in order to dominate.

Some practical examples of pulpit bullying include derogatory name calling of specific people (whether directly or indirectly named) or general types of people. This also includes weaponizing scripture by using partial truth to further a personal agenda. Here, I struggle to keep it somewhat clinical, and will provide a generic example. Quoting scriptures about forgiveness, with the goal to force congregants to overlook, ignore, or disregard the leader’s own sin, is manipulating the scriptures in an abusive manner.

There can be no question that God forgives sin – otherwise, we are all in deep trouble. However, coercing others (especially uni-directionally) to forgive and forget, without addressing the diverse emotional issues that require forgiveness, is flat out abuse.


*note* In my haste to get this post finally onto teh interwebz, I did a shoddy job in this section. My editor graciously recommended that I share this article on Forgiveness and Reconciliation that does a much better job than I, being a common layperson… Forgiveness is a complex process that ideally involves repentance and a change of behavior from the person who has caused the offense. Ideally both sides would come together to work through the offense together – in a proverbial sense, mending the broken fence. To be clear, the process of forgiveness does not require that the offender repent, or even acknowledge their wrong.

This entire forgiveness process (which can often, in the presence of abuse, take time) is very often overlooked or over-simplified by an abuser, in an attempt to jump to the end of the forgiveness process of letting go of the hurt from the offense. Without following the entire process through, you do not necessarily have true forgiveness – you have simply whitewashed the abuse. The abuser has in essence weaponized the concept of forgiveness – their goal is not to mend that which has been broken, it is to force compliance. The husband who tells his wife that she needs to forgive and forget his physical abuse is almost certainly on the fast track to abusing her again. And the pastor who coerces the congregation to forgive and forget the sins of that pastor is almost certainly on the fast track to more complex forms of sin. I’ll stop there.


Performance

Bullying leads rather naturally into acceptance by performance. The pastor who insists that others disregard his affair because that was between him and God is coercing your performance. And have no doubt – without your actively bowing to their demands, there will be no acceptance. Those who do not perform according to the demands of the abuser are bullied into compliance. The message is clear – act a certain way, or face the consequences. Expect retaliation in the form of a sermon about gossip, or a Facebook post about God forgiving all sin, or any other form of passive aggressive bullying. Rarely will the abusive pastor come to you, one-on-one, and want to talk through (bi-directionally) such an issue. It is also worth noting that logically, it falls apart. If you don’t behave in accordance with the leader’s desires, you will potentially be labeled as being unforgiving, or unable to let go. But the leader is under no such compulsion to forgive or let go of your perceived unforgiveness. Or to say it differently, a higher standard is expected of the victim that the leader does not himself (or herself) practice.

Neglect

This is one of the sadder aspects of Spiritual Abuse. Dr. Darrell Puls wrote an excellent article for the AACC (American Association of Christian Counselors) about the prevalence of narcissistic personality disorder among pastors. Shannon Thomas penned this fantastic quote on the topic: “Research shows that narcissists are drawn to certain professions and high on the list is Pastor. Many people go into ministry for all the right reasons, but some are drawn to the power, rather than being a servant leader.” This could make for an entire blog post in and of itself, but suffice to say, one of the primary traits of a narcissist is that they view others as an extension of themselves. Or to say it differently, you only exist in so much as you are useful to the narcissist pastor.

And therefore, if you do not serve a purpose, you are neglected. Practically, this could include being physically ignored, socially avoided, or spiritually neglected. If sermons are directed towards shaping the congregation’s outward actions to line up with the pastor’s personal desires (as being markedly distinct from your collective congregational internal spiritual growth), you could be suffering from spiritual neglect. The mark of a Christian leader is that of a loving shepherd who meekly serves the flock. Is your leader following (or actively striving towards) that example?

It is worth noting that most of the traits of spiritual abuse co-exist as a result of narcissistic pastors who abuse their position of authority in a quest for their own self fulfillment. Preston Ni wrote an excellent article on this topic in Psychology Today that could pretty much summarize and replace this entire blog. It highlights one of the most common bullying tactics, gaslighting… but I’ll let you read it there, before I get sidetracked. Good article, hats off to Preston Ni.

The Siamese Twins

I’m combining the last two traits, as I view them as a type of Siamese twin: two different items that are so meshed together, they are almost one. This is where things start to really get real for the victim of spiritual abuse. Expanding external/internal tension refers to the conflict between what is inside our mind and the actions that are conducted outside of our mind. Ward calls this the “dissonance between one’s inner and outer worlds.” I personally refer to this as the church smile, the mask of “everything is OK” that got strapped across my face each time I headed into the abusive environment. The popular Christian band Casting Crowns wrote a song called Stained Glass Masquerade that practically describes this dissonance. Suffice to say, this tension is real and will continue to grow and build, as it leads to a manifestation of internal states, the symptom or result of abuse. Ward calls this “the bio/psycho/spiritual repercussions of the abuse,” which most commonly lead to some form of anxiety, physical illness, stress, anger, or depression.

Wrapping it Up

In the 90’s, my wife and I were in a campus bible study group that became a religious cult. Thankfully, we got out of that situation, and (rather foolishly) thought our adventures were over and the quiet life was at hand. We spent the past twelve years of our life in a Southern Baptist church that we thought was a good and safe place – only to find out it was just a crust of thin-ice over a deep murky pool, an elaborate system of lies protecting a pastor who was a convicted child molester.

I’m fully aware that I am damaged goods, a broken vessel. Shortly after we left our church home of twelve years, we found ourselves licking our wounds in the back row of a church we visited near our home. That Sunday, we heard a sermon from Pastor Matt Looloian that was like cool water to the parched soil of my heart. He was preaching on the account of David and Bathsheba, about how David used his position of power and authority over Bathsheba to rape her. God knew about David’s abuse, and brought perfect justice, balanced with perfect mercy. As is so often the case, the narrative focused on the abuser David, while his victim Bathsheba was just a sideline reference. She had lost everything as a result of the abuse committed against her. She didn’t ask for or deserve the abuse; she was just a convenient, pre-meditated target for the abuser.

And this is the most important part to me – Matt wrapped up by saying that God can heal not only the effects of our own sin, but can heal the effects of sin committed against us. That was such a foreign concept to me – much of my life has involved blind acceptance of the pain from sins committed against me. Much like the snowman who gradually grows larger as a result of snowballs being chucked at it, I have been taking on this hurt and accepting it as a new part of myself. But I find incredible hope that I don’t have to live forever with the hurt and pain from abuse. That Sunday morning, God knew exactly what we needed to hear. And if Matt is reading this, I thank him for giving me – and hopefully all of you reading this, who have suffered spiritual abuse – hope.

It is my sincere hope that you find this lengthy blog informative and educational. If you are currently in an abusive church, or have come from one and are dealing with the deep feelings of betrayal and loneliness, you are not alone and there is hope. If none of this really applies to you, please consider this an educational blog that warns you of some of the exploitable vulnerabilities that exist within a religious institution. And as always, thank you for taking the time to read, to learn, to grow.

Resources

There are tons and tons of resources and articles out there on this topic, many of which I’ve used as research for this (extremely long) blog post. It is my hope that you find them helpful. They are dumped here, in no particular order.

Safe Sheep: Church Abuse Awareness on Facebook

Jimmy Hinton’s Speaking Out on Sex Abuse Podcast

Grace (and the abuse of grace) for narcissists and abusers

When It Comes to Abuse, the Church Needs a Paradigm Shift

The Power of the 8th Layer (Part One)


It’s been quite a while since I’ve blogged here, I do hope you will forgive me. It has been one doozy of a year. Today’s blog series will be a little more personal than normal. It will also possibly be much more useful to you than a technical discourse on blockchain or routers or Internet Security. It’s on human hacking.

The 8th Layer of Security

You will probably recall from previous blogs my discussions about the OSI layers. As a recap, these layers are a logical methodology for us to understand how a computer can communicate with another computer. There are 7 layers (much like a heavenly party dish of bean dip) that start with the Physical Layer One (the sending of binary ones and zeros on a wire) and climb all the way up to the Application Layer Seven (where Facebook and email and other interactive computer stuff resides). But there are other, unofficial layers that have been added to the OSI model. Most notably, I refer to the 8th Layer: the User layer.


Nick Burns is not Bruce Schneier!

The cryptographer and security pioneer Bruce Schneier refers to the 8th Layer as the layer of the individual person. It is this human layer that has spawned tech support icons such as Nick Burns the Company Computer Guy (an old Saturday Night Live skit starring Jimmy Fallon), as well as terms such as PEBCAK (Problem Exists Between Chair And Keyboard) and the infamous ID-Ten-T error (ID10T). And it is the most vulnerable layer of security: the only layer that is practically guaranteed to eventually provide results to the attacker. Any other layer can be protected using any number of security controls, things like software patches, bug fixes, operating system hardening, firewall rules, and DNS blackholes. But Layer 8, the user, cannot be patched. It can be made more resilient (awareness training, multi-factor authentication so that a phished password alone is not enough, least privilege so that one mistake does not become a breach), but it remains forever vulnerable.

OK, That Seems Kind of a Downer…

My undergrad work was in the field of Social Psychology. And for many years (and numerous student loan payments), I thought I had wasted a great sum of money on a worthless degree. It wasn’t until recently, during my graduate studies on Cybersecurity, that I realized that I was terribly wrong.

Social Psychology – the study of human behavior – is incredibly relevant to the field of Information Technology. There are numerous books dedicated to the study of this intersection of human behavior and computer security – such gems as:

These books recognize what the field of Social Psychology has long been aware – that in general, people are hard-wired into predictable responses to certain external stimuli. And because of this, an individual can type a few lines of behavioral code into the human computer, and get a predictable output. That predictable output can then be used for nefarious purposes. Or, to say it a different way, people are hackable.

The Hackable Human Computer


This is perhaps common sense, drilled into us at our parent’s knee – my childhood was full of warnings such as “stay away from him, he is trouble” or “bad company corrupts good character” or (my personal favorite) “One boy = one boy. Two boys = half a boy.” My Mother (God rest her soul) knew that certain external stimuli would more often than not lead to certain behavior on my part.

In the field of Information Technology, these techniques are being used to great effect to rob people and organizations blind. Companies spend millions of dollars a year on security – from devices such as Layer 7 Next-gen firewalls and SIEMs and web content filters, to security cameras and door locks and man traps… but research indicates that people are still hackable – and this hacking is highly profitable.

The 2018 Verizon Data Breach Investigations Report is a fantastic yearly review of where cyber security has been, and where it is likely headed. Most attacks are financially motivated; this is obvious. The bad guys (most often organized crime groups) go after the easy money. And most attacks involve some form of social engineering to get access to your information (your passwords, your identity, your account numbers) with the goal of taking your money.

I’ve talked in previous blogs about tactics such as Phishing (mass-mailed), Spear Phishing (aimed at a specific person or group), and Whaling (aimed at executives and other high-value individuals) to steal your information. These large-scale attacks are highly profitable because of Layer 8. Statistically speaking, about 78% of people will never click a Phishing URL. That sounds great, but unfortunately about 4% of people WILL click a Phishing URL. If I send a Phishing email to 1,000 people, getting back 40 responses is a pretty good rate of return, especially considering that sending a Phishing email takes little to no effort for the attacker. By and large, the bad guys always know how to get your stuff. And statistically speaking, they will get some people’s stuff. The determined predator will eventually come out of the herd with a meal clamped in its jaws, kicking and thrashing, but ultimately doomed.

Broadening the Horizon

So thus far, I’ve pretty much rehashed what I’ve already discussed in previous blogs. We’ve heard all of this before: don’t click on strange email links, and when “Microsoft” calls my house saying I have an infection, just hang up on them. To quote Garfield, “big fat hairy deal.”

Unfortunately for all of us, the field of Social Psychology is not limited to Cyber Security. The bad guys are not always merely after our money.

Sometimes they are after our souls…

<to be continued>

“Russia Hacked my Toaster!” and other tales of IOT intrigue

The Sleep Cycle alarm went off precisely at seven. From that point forward, Thursday was a day like any other – until the toaster attacked.

The flames greedily licked the underside of the cabinet, as tendrils of smoke curled this way and that. Flaming toast of death! Russia hacked my toaster. It was payback for the blatant meddling in the election: the blatant meddling by the US in the 1996 Russian election of Boris Yeltsin. A meddling so blatant that Time Magazine dedicated a cover to it. Russia was not pleased. And now my hacked IoT toaster was toast.

Part of me has wondered at the rising trend in IoT devices. What’s that, you say? What is IoT? Why I’m glad I asked, then blamed it on you.  Wikipedia says thus:

[image: Wikipedia’s definition of the Internet of Things]

To say it differently, IoT refers to an everyday device that is connected to the Internet. The most common examples of IoT devices are Nanny Cams, thermostats, photocopiers, Smart TVs, and whatever new-fangled Amazon device happens to be out now. I had to be vague with that last one, as it seems like Amazon has a new Alexa-style device every few months. Oh, and toasters. Now there are Internet-connected toasters.

The Good

Having an IoT device affords you the luxury of using that device from wherever you are. You’re on vacation, and want to check on the progress of your contractor, who is doing remodeling work while you’re away? From the luxury of your beach chair, you can open an app and view the webcam sitting on top of the piano in the dining room. I actually did this a few years ago, after a pipe broke and we had water damage in our home. Our vacation was already booked, and we couldn’t back out without losing our money. So we left for vacation, knowing a gaggle of restoration experts would be tearing out some walls and drying things out (on the insurance company’s dime). The night before we left for the beach, I went to Lowe’s and picked up a handful of Internet-connected cameras, as an insurance policy. And guess what? One of the contractors thought it would be hilarious to play a rousing song on the kids’ toy triangle while grinning like the town dolt, right in front of the camera. I still have the video; an actual screenshot of the construction zone (without the triangle-playing construction worker) is on the iPhone in the picture above. When I called the company to complain, the manager gave me quite a bit of grief, until I offered to post the video on YouTube as some free publicity for their company (the employee was wearing a company polo shirt in the video). Funny how people suddenly get shy when you offer to make them famous on the Internet. Go figure.

So anyway, another use case. You’re lying in bed, roasting to death as your spouse snores happily by your side. Isn’t it interesting how in just about every marriage, one of the couple is always way too hot while the other is always freezing half to death? From your iPhone, you can turn down the thermostat to something more closely resembling the spawning ground of an Emperor Penguin. Internet-connected thermostats are all the rage nowadays. There is a makerspace in nearby Dillsburg, PA (home of the New Year’s Eve giant pickle drop). And when I take my overeager 15-year-old geek there on Friday evenings to 3D print plastic widgets and tear apart old iPods, I sit at a table near their Nest thermostat. And I stare at it, and it stares at me, and I feel quite certain North Korean hackers are watching me from behind the shiny screen.

And here’s another great one. You are lying in bed, wondering what to wear to that big social gala later that evening. You roll over and ask your Amazon Echo Look what to wear, and the camera that happens to be watching you in your bedroom (nothing creepy there, honest) offers to let you try on outfits for some crowdsourced fashion advice on what looks best on you. Remember in a previous blog where I talked about the value of your metadata (everything that makes up your online footprint)? We give away this information about ourselves in exchange for something that we value. The amount of potential metadata given away via a camera in the bedroom is not worth all the free fashion advice in Italy. That is my own personal conviction, and given the fact that this camera exists, I’m clearly not the only one who feels this way. Because if a technology such as a webcam exists in the bedroom as a legitimate fashion tool, there is no 100% foolproof method to ensure that tool can’t be used in a way not originally intended. That leads me to The Bad, but first, we need to clarify some terminology.

Terminology Adjustment

Do you know what a hacker is? I’ve asked this question quite a bit, and truth be told, I get a very frequent response. A hacker is the bad guy. A hacker steals our stuff. A hacker belongs in prison. On and on, it goes. Unfortunately, that view is not quite accurate. Read this:

[image: Dictionary.com definitions of “hacker”]

According to Dictionary.com, the classic view of a hacker is relegated to definition 3b, lower down on the list. That view is heavily influenced by pop culture, and it mistakes a part for the whole. Maple syrup is not a tree, though some trees may contain maple syrup. Let me try it another way: some people who hack (who modify a computer program or electronic device, or write a program, in a skillful or clever way) go on to circumvent security and break into a network with malicious intent. They are a subset of the hacker population, just as maple syrup is a small component within the tree community. Does that help? Hackers are drivers of innovation: they think outside the box, and push the limits of what something can be used or modified for. Many hackers wear “white hats” and use their skills for good. Some hackers wear “gray hats” and use their skills for either good or bad, depending on their own moral compass. And some hackers wear “black hats” and use their skills for ill-gotten gains, typically to steal money. Not all hackers are black hats. For technological innovation to occur, hackers are needed. We need people who find new and creative ways to solve problems with technology. When society fosters innovation, much good can come as a result. And yet C. S. Lewis, in his masterful Mere Christianity, wrote this:

[image: quotation from C. S. Lewis, Mere Christianity]

Education, like hacking, is neither good nor bad in itself. Likewise, we must foster innovation within a positive ethical framework, or we run the risk of creating more clever devils. Any American education about computer hacking must always begin with a comprehensive understanding of cyberethics and cyberlaw. Just because something CAN be done in cyberspace does not make it right, beneficial, or legal; American prisons are full of casualties of situational ethics. I’ll stop here and move on.

The Bad

I’m currently reading a rather excellent book by Richard A. Clarke called Cyber War. In it, Clarke provides a fantastic amount of information and research indicating that our nation is not at all prepared for an all-out cyberwar. An individual sitting behind a computer in a far corner of Eastern Europe could bring down large portions of our national infrastructure, from power grids to trains to clean water to traffic lights, all the way down to your Internet-connected toaster. Remember: if your device can reach the Internet, the Internet can reach your device. And because each of these Internet-connected devices (remember the term IoT?) is running software, which may have bugs in the code or a default password nobody ever changed, these devices can be, and often are, weaponized. Botnet malware such as Mirai and Reaper was written to scan the Internet for exactly such unsecured IoT devices and take them over. Some moons ago, I blogged about Denial of Service attacks. In this specific case, a bad guy (threat actor) controls an entire army of hijacked IoT devices, points them all at a target on the Internet, and brings it down: a distributed denial of service, or DDoS. These attacks are common these days, and cause real harm and loss of revenue to businesses.


But wait, it could get more personal. A threat actor could use bugs in the code running on your Nest IoT thermostat, or the code running on ALL Nest IoT thermostats, and tweak that code. Remember the blog about Ransomware? Imagine one morning, waking up because the temperature in your house is unbearably hot. You go down to the Nest thermostat, only to find a message that it has been hijacked. You are forced to pay a ransom to the hacker, or your thermostat will increase by one degree every minute, until your furnace overheats and your house burns down. It’s possible. Or in the dead of winter, reverse the scenario: your heat shuts off until you pay a ransom. Pipes freeze. People freeze. These kinds of attacks could directly result in the loss of life.

How many of you have a photocopier at work? They run code and can be hacked. In 2016, a hacker remotely reached about 29,000 printers and had them all print offensive racist fliers; the printers were simply sitting on the Internet with their raw print port open, so no exploit was even needed. Photocopiers have, within the fuser assembly, a heating element that is used to bond toner to the page. It could be possible for a hacker to remotely encourage all of those heating elements to overheat and catch fire. Don’t think this approach to weaponizing equipment is a new concept. In 2010, the antivirus company VirusBlokAda identified a new piece of malware (later named Stuxnet) that infected the industrial control systems at Iran’s uranium enrichment plant. The malware was designed to modify the code that ran the centrifuges, speeding them up slightly or slowing them down slightly, while feeding normal-looking readings back to the operators so that no alarms fired and they never noticed the machines were malfunctioning. The result was that about 1,000 of Iran’s centrifuges malfunctioned and tore themselves apart. This attack set their nuclear program back by several months. To this date, no one has officially claimed credit for Stuxnet, though it is widely believed that the US and Israel jointly developed it to use against Iran. What prevents Iran’s hacking teams from retaliating and overheating every Internet-connected Xerox printer in America? It’s certainly possible.

These days, cameras are built into just about everything. As I mentioned earlier, I bought some IoT cameras to watch my home while on vacation. They make many different types and flavors of Nanny Cams, that let you secretly spy on the nanny while you’re supposed to be enjoying date night with the spouse. One of my coworkers had a watch with a built-in spy camera, that let him take photos from his wrist, James Bond style. I mentioned Amazon’s fashion advice camera, though they also have a different model designed as an alarm clock substitute. Newer smart televisions have webcams built into them, so you can Skype with the relatives from the comfort of your couch. Laptops, iPods, iPhones, Android phones, iPads, tablets… the list of camera-enabled devices goes on, and on, and on. And remember this: if you can access the camera, who else can?

One of the most enjoyable classes I ever took was for the Certified Ethical Hacker material. The entire course is designed around teaching you how the bad guys get into systems, and the damage that can be done. How better to protect yourself against the bad guys than by learning their tricks? As part of the course, they provided an isolated sandbox environment where you could play with dangerous things without fear of harming anything. Once you were done with a particular lab, it nuked itself and everything within it. It was very much like keeping an ugly bug in a glass jar to study. One of the labs involved crafting, installing, and using a RAT (Remote Access Trojan) that could run a keylogger (capturing everything that was typed), take screenshots of what was on the computer’s screen, and access and capture from the onboard webcam. To be honest with you, I was shocked at how simple it was. Ben Makuch is well known for his series on Viceland called Cyberwar, which by the way is absolutely fantastic. In this video, Ben Makuch explains webcam safety and security. I highly recommend watching it and educating yourself. Because if you can use it, someone else could potentially access and use it, too. And I recommend covering your laptop webcam with a C-Slide webcam cover (or something like it). If you cover it with tape or something sticky, it could gunk up and ruin the camera forever.


Ben says lock that camera down!

So now that I’ve freaked you all the way out, let’s put a bow on this. If your widget can connect to the Internet, you don’t know who could be accessing it without your knowledge. And if they can access it, they can weaponize it for profit (ransomware) or to cause harm. Lock down all your Internet-connected devices: change every default password to a strong, unique one, install firmware updates, turn off any remote access or UPnP port forwarding you don’t actually use, and keep the gadgets on their own network segment, away from your laptops and phones. Be safe!

Bitcoin: Beyond the Basics

Today I’m going a little deeper into the wading pool that is Bitcoin.

Overview / Recap

As I discussed in our last episode, Bitcoin is a decentralized cryptocurrency that is relatively anonymous. Technically speaking, it’s pseudonymous: every transaction is recorded against a Bitcoin address rather than a name. Believe it or not, my real name is not The Geek; it’s a pseudonym. I can hide behind the relative anonymity of that name, but if my real name were ever tied to my pseudonym, the anonymity would dissolve like a Mentos candy in a bottle of Diet Coke. Bitcoin was described in a 2008 white paper and launched in January 2009 by a person or group known as Satoshi Nakamoto. A Bitcoin is like a dollar in that it can be sub-divided into smaller pieces. For example, a dollar can be broken down into 100 pennies, or 20 nickels, or 10 dimes. The smallest Bitcoin part is the satoshi, with one Bitcoin being worth 100 million satoshi.

Blockchain

Bitcoin is unique in that every transaction is visible to every Bitcoin node in a shared digital ledger called the Blockchain. Each month, you probably get a bank statement that lists each deposit and withdrawal from your own bank account. Now imagine having a record of every transaction for every single dollar, for everyone who ever owned each dollar, since its inception back in 1785. Bitcoin’s ledger keeps track of the creation of each Bitcoin, as well as who had ownership of each Bitcoin at any given time. Pretty impressive, right? That ledger is stored, updated, and checked by every full node on the network, mining nodes included. More on that in a moment. A transaction becomes part of the ledger when a miner includes it in a new block; that gives it one confirmation, and every block added on top of that block adds another. By convention, six confirmations is the point at which most people treat a payment as final. Each block’s header contains the hash of the previous block’s header, which in essence chains all the blocks together, and means that altering an old block changes every hash that comes after it. Now the concept of a Blockchain makes sense, right? This graphic does a great job of visualizing the process:

Getting those six confirmations takes roughly an hour on average (six blocks at about ten minutes each), and sometimes considerably longer, since block times vary. In the good old days of Silly Putty on Sunday comics, you wrote a check to someone, then waited for that check to clear before they could access the cash. That’s kind of like how validation works in the Bitcoin realm. But when you buy that Triple Mocha Latte at Starbucks, and pay with Bitcoin, does Starbucks really wait around an hour before handing you a steaming cup of overpriced caffeinated bean juice? Some vendors will treat a transaction as legitimate the moment it is broadcast, which in Bitcoin land is called a zero-confirmation transaction. A diabolical individual could take advantage of the trust placed in a zero-confirmation transaction, run next door to the GameStop (steaming Starbucks cup in hand) and spend those same coins on a used copy of Legend of Zelda: Breath of the Wild; only one of the two conflicting transactions can ever make it into the chain, so one merchant ends up with nothing. This is called a double-spending attack. We’ll get into this later on, in the section on Bitcoin Security.

Hashing, revisited


I mentioned that each block contains a bunch of Bitcoin transactions, as well as the hash of the previous block. I attempted to explain what hashing was, but I don’t think I did a very good job of it. Hashing takes a string of any length and uses a one-way method to boil it down into a fixed-length output. Please be patient with my horrendous attempt at doing complex maths, as I confess I really do stink at it. Because all feeble attempts at complex math should begin with a universal truth, let’s start with this phrase:

ILikeDuckDonuts

I can run this phrase through a very simple process, where each letter of the alphabet is given a number. a = 1, b = 2, and so on until z = 26. Then A = 27, B = 28, all the way to Z = 52. For the sake of simplicity, I removed any spaces, but you get the point. I then add up the total of each letter’s numerical output, and get 282.

Now I take each letter’s numerical output and multiply it by itself (square it), and add them all up, and get 6,890.

And now I take the sum of each letter, and the sum of each squared letter, and multiply them together to get 1,942,980. 

Because each hash must always be a fixed length, and for giggles I want my hash to be six characters long, I’ll take the left-most 6 characters, and say my hash is 194298.

Notice that my hashing algorithm always stays the same: I add up the numerical value of each letter in my message (282), add up the square of each letter’s value (6,890), multiply those two numbers together (1,942,980), and keep only the left-most six characters (194298). For that message, I will ALWAYS get the same output if I run it through my hashing rules. And note that you cannot take the hash output of 194298 and work backwards to my original message; it’s a one-way process. A good hash also makes it extremely unlikely that any other message produces the same exact output. My toy algorithm fails that test badly: because both sums ignore the order of the letters, any rearrangement of ILikeDuckDonuts hashes to exactly 194298, and chopping the product down to six digits throws away even more information. Real hashing algorithms such as SHA-256 are designed so that finding two different inputs with the same output (in IT, this is called a hash collision) is computationally infeasible.

I can send someone my message of ILikeDuckDonuts, and include the hash for the message, and they can run my message through the hashing formula to see if it is the same. It must always be the same. Because if I change even one letter in my message, the hash is totally off.

In the security arena, hashing is a method for checking the integrity of something. When you download a disk image of Kali Linux from their web page, they include the hash for the file. Once you download the image, you run the one-way hash tool they specify (in the picture below, sha256sum) and make sure the result matches the hash advertised on the download page. If it matches, not a single bit of the file was changed in transit. One caveat: the check is only as trustworthy as the place you got the expected hash from. An attacker who can swap the file on a mirror can usually swap a hash sitting next to it as well, which is why projects such as Kali also publish a GPG signature over the checksum file, and why you should fetch the expected hash over HTTPS from the project’s own site rather than from wherever you got the image.
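The toy hash above, its anagram weakness, and the sha256sum check are small enough to run and compare side by side. The following is an added example written for this post, not code from the original; the “download” it verifies is a constructed byte string rather than a real Kali image, and zero-padding of short outputs is my own assumption (the post never hashes a message short enough to need it).

```python
"""The post's toy hash, why it collides, and a real SHA-256 integrity check."""
import hashlib
import hmac


# --- the post's toy hash -------------------------------------------------

def letter_value(ch: str) -> int:
    """a=1 ... z=26, then A=27 ... Z=52, exactly as the post defines it."""
    if "a" <= ch <= "z":
        return ord(ch) - ord("a") + 1
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 27
    raise ValueError(f"toy hash only handles letters, got {ch!r}")


def toy_hash(message: str, width: int = 6) -> str:
    """(sum of letter values) * (sum of squared values), first `width` digits.

    Spaces are dropped as in the post. Zero-padding for short products is an
    assumption of this example, not something the post specifies.
    """
    values = [letter_value(c) for c in message if c != " "]
    total = sum(values)                      # 282 for ILikeDuckDonuts
    squares = sum(v * v for v in values)     # 6890 for ILikeDuckDonuts
    digits = str(total * squares)            # "1942980"
    return digits[:width].zfill(width)       # "194298"


def toy_collides(a: str, b: str) -> bool:
    """Two different messages, one hash. Both sums ignore letter order, so every
    anagram collides; that alone disqualifies this as a cryptographic hash."""
    return a != b and toy_hash(a) == toy_hash(b)


# --- what a real hash does differently -----------------------------------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_bits(a_hex: str, b_hex: str) -> int:
    """Hamming distance between two hex digests: a one-letter edit to the input
    should flip roughly half of SHA-256's 256 output bits (avalanche effect)."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def verify_download(data: bytes, expected_sha256_hex: str) -> bool:
    """The sha256sum check from the Kali example, done in code.

    compare_digest runs in constant time, so a verifier exposed to untrusted
    callers does not leak how many leading characters of the digest matched.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.lower())


if __name__ == "__main__":
    msg = "ILikeDuckDonuts"
    print(msg, "->", toy_hash(msg))
    print("anagram collides:", toy_collides(msg, "DuckDonutsILike"))
    d1, d2 = sha256_hex(msg.encode()), sha256_hex(b"ILikeDuckDonutt")
    print("bits changed by a one-letter edit:", differing_bits(d1, d2), "of 256")
    # Constructed "download": both the bytes and the published hash are ours.
    iso = b"pretend this is kali-linux.iso"
    published = sha256_hex(iso)
    print("clean copy verifies:", verify_download(iso, published))
    print("tampered copy verifies:", verify_download(iso + b"\x00", published))
```

Run it and the toy hash reproduces the post’s 194298, then immediately gives the same value for any shuffle of the letters, while the SHA-256 digests of two inputs that differ by one letter share almost nothing. `verify_download` is what `sha256sum -c` does under the hood; it tells you the bytes match the published hash, and nothing more, which is why the hash itself has to come from somewhere you trust.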

[screenshot: sha256sum output for the downloaded Kali image, compared with the published hash]

Now I’ve nerded out on you with hashing, and probably lost you forever. But hashing is a pretty big deal in the computing arena, you really should understand it. I hope that I’ve done it justice – and if not, leave it here and move on.

Mining


Bitcoin mining involves using your computer’s processing power to search, by brute force, for a number (the nonce) that makes the hash of a candidate block’s header fall below a target set by the network. Along the way, the miner verifies the transactions it is packing into that block and, if it wins the race, adds the block to the ledger (Blockchain). Why would people want to spend their time and effort and computational power building the Blockchain through mining? Remember the alligator / bird symbiotic relationship I spoke about in a prior blog? Zuzu Bailey had a wonderful line from a wonderful movie: “every time a bell rings an angel gets his wings.” Well, every time a new block is added to the blockchain, new Bitcoin is born. And if you’re the miner who added that block to the chain, you currently get 12.5 Bitcoin (the reward started at 50 and halves roughly every four years). You’re a miner, and you just found a gold nugget.


a Bitcoin mining rig

This explains why so many people willingly spend hours and power (electricity) and money (electricity costs money) mining Bitcoin. A new block is added to the chain roughly every ten minutes. Doing the math (something I am pretty bad at), one Bitcoin is currently worth $9,021.50. If you earned all 12.5 in ten minutes, that would land you about $112,768.75. When you consider that much money being made available every ten minutes, now you understand why the world is going crazy for Bitcoin mining. All the devices (nodes) that participate in Bitcoin mining create the distributed peer-to-peer backbone upon which the entire system runs. As more computing power joins in, the network raises the difficulty of the puzzle (it is re-tuned every 2,016 blocks) so that blocks keep arriving about every ten minutes, which is also why a lone PC has essentially no chance against racks of purpose-built hardware like the one pictured above. And ultimately, because there is a finite number of Bitcoins to ever be mined (21 million), they should all be mined some time around 2140. Please don’t ask me what will happen to Bitcoin miners when that finally happens. The protocol’s answer is that the fees attached to transactions are supposed to replace the block reward, but I imagine they could all just stop mining (because the reward for discovering new Bitcoins would be gone) and the entire system collapses. I don’t know. Maybe I’ll blog about it if I’m still around in 2140; that should provide a welcome break from shaking my cane at passing cars from my front porch.
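Everything described in the Blockchain and Mining sections (a header that commits to the previous block’s hash, the brute-force nonce search, counting confirmations, and why a tampered block is rejected by everyone else) fits in a few dozen lines. This is an added example written for this post, not Bitcoin’s code or anything from the original; the difficulty (12 leading zero bits), the JSON header layout, the single-hash stand-in for the Merkle root, and the sample transactions are all my own simplifications.

```python
"""A miniature proof-of-work blockchain: chaining, mining, confirmations, tampering."""
from __future__ import annotations

import hashlib
import json

GENESIS_PREV = "00" * 32     # the first block has no predecessor: 32 zero bytes
DIFFICULTY_BITS = 12         # header hash must start with 12 zero bits (~4,096 tries)


def sha256d(data: bytes) -> str:
    """Bitcoin hashes block headers with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


class Block:
    def __init__(self, index: int, prev_hash: str, transactions: list[str]):
        self.index = index
        self.prev_hash = prev_hash            # hash of the previous block's header
        self.transactions = list(transactions)
        self.nonce = 0                        # the number the miner searches for

    def tx_root(self) -> str:
        # Stand-in for Bitcoin's Merkle root: one hash committing to every transaction.
        return sha256d(json.dumps(self.transactions).encode())

    def header(self) -> bytes:
        fields = {"index": self.index, "prev": self.prev_hash,
                  "tx_root": self.tx_root(), "nonce": self.nonce}
        return json.dumps(fields, sort_keys=True).encode()

    def hash(self) -> str:
        return sha256d(self.header())


def meets_target(hash_hex: str, bits: int = DIFFICULTY_BITS) -> bool:
    """Proof of work: the hash, read as a 256-bit number, must be below 2**(256-bits)."""
    return int(hash_hex, 16) < (1 << (256 - bits))


def mine(block: Block, bits: int = DIFFICULTY_BITS) -> Block:
    """Brute-force the nonce; on average about 2**bits attempts."""
    block.nonce = 0
    while not meets_target(block.hash(), bits):
        block.nonce += 1
    return block


def build_chain(tx_batches: list[list[str]], bits: int = DIFFICULTY_BITS) -> list[Block]:
    chain: list[Block] = []
    prev = GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        block = mine(Block(i, prev, txs), bits)
        chain.append(block)
        prev = block.hash()                   # the next block commits to this one
    return chain


def validate_chain(chain: list[Block], bits: int = DIFFICULTY_BITS) -> bool:
    """Every node re-checks the links and the proof of work itself; no trust in the miner."""
    for i, block in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash()
        if block.index != i or block.prev_hash != expected_prev:
            return False
        if not meets_target(block.hash(), bits):
            return False
    return True


def confirmations(chain: list[Block], block_index: int) -> int:
    """A transaction in block k has (chain length - k) confirmations:
    1 when its own block is mined, 6 once five more blocks sit on top of it."""
    return len(chain) - block_index


def is_final(chain: list[Block], block_index: int, required: int = 6) -> bool:
    return confirmations(chain, block_index) >= required


if __name__ == "__main__":
    # Constructed sample transactions; names and amounts are illustrative only.
    batches = [["coinbase -> alice 12.5"], ["alice -> starbucks 0.001", "coinbase -> miner 12.5"]]
    batches += [[f"coinbase -> miner 12.5 (block {i})"] for i in range(2, 7)]
    chain = build_chain(batches)
    print("chain valid:", validate_chain(chain))
    print("block 1 confirmations:", confirmations(chain, 1), "final:", is_final(chain, 1))
    # A double-spend attempt: rewrite history in block 1. Its hash changes, so block 2's
    # prev_hash no longer matches, and every later block would have to be re-mined too.
    chain[1].transactions[0] = "alice -> gamestop 0.001"
    print("chain valid after tampering:", validate_chain(chain))
```

The difficulty here is tiny so the script finishes in under a second; Bitcoin’s real target is many orders of magnitude harder, which is the whole point: rewriting block k means redoing the proof of work for k and for every block after it faster than the rest of the network extends the honest chain, and six confirmations is the conventional depth at which that race is considered hopeless.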

Bitcoin Security

With all the hullabaloo about Bitcoin, and the possibility of earning $112,768.75 every ten minutes, it stands to reason that bad guys are paying very close attention to Bitcoin. The 2017 version of the Verizon Data Breach Investigations Report (a fantastic free resource about the trends and motives of hackers) noted that 93% of all data breaches (hacks) were motivated by financial gain & espionage. It makes sense – hackers go where the easy money is. Why are there so many Ransomware attacks these days? It’s easy money.

The Good

First, let’s talk about what Bitcoin does to protect itself.

Encryption: The Bitcoin is encrypted to prevent unauthorized people from tinkering with it.
Hashing: Each new block contains a hash of the previous block, which ensures that no one tinkers with it.
Decentralized: Because Bitcoin does not exist on a single computer system or bank’s network, it cannot easily be hacked and hijacked.
Unregulated: Because Bitcoin is not owned or regulated by a single government agency, it is relatively free from the coercion and corruption that is inherent in any government regulation.

The Bad

First, a term needs to be introduced – Theorycrafting. According to the rather excellent Bitcoin for Dummies book, theorycrafting refers to “any strategy that exists in theory and is never actually put into action”. Geeks tend to love theorycrafting – get two geeks together, and they will joyfully spend hours passionately arguing about something or other that probably will never happen. I liken this to visiting a comic book shop on delivery day (the day that all new weekly comics come in). If you stand around long enough, you’ll most likely overhear a jovial argument about important topics like Thor’s hammer, the likelihood of a kaiju attack, or something involving kryptonite. It’s pretty much a given – it’s the mesh that holds the geek universe together. So that said, much discussion revolves around attacks that may not ever happen, but may – if the technical stars align – be statistically possible. You have been warned.

I’ve already talked briefly about the biggest threat to Bitcoin Security – the dreaded Double-Spend. In actuality, this is much less common than you would think. Remember, this type of hack would require the victim to accept zero-confirmation transactions. That filters down the potential victim pool considerably, and requires more effort. Hackers typically go for the perfect balance of big gains for minimal effort – and Double-Spend doesn’t exactly fit that bill. There are several different types of Double-Spend attacks, but they all have the same thing in common – they attempt to rip people off by spending a Bitcoin twice.


This brings us to the dreaded 51% attack. If one individual bitcoin miner owned more than 50 percent of all the network’s computational power, that miner would have the ability to control what transactions were written into the ledger, and control the mining process. This could create a “fork” or split in the blockchain, and bring two ledgers into existence. This would be bad, because Bitcoin’s reputation is built upon a single authentic decentralized ledger. If this one miner created its own fork, it could choose to enter certain transactions while ignoring others. Or to be more concise, it would allow that miner to ignore documenting its own transactions, and double-spend its own Bitcoins.

Before you write this one off as being impossible – how could one person’s computer be powerful enough to be handling 51% of all Bitcoin mining? – let’s talk about Bitcoin Pools. Because so many people are dewy-eyed at the concept of mining free Bitcoins (which is itself a silly concept, as mining requires hardware and power), mining groups and pools have formed, to pool all their mining resources together. In July of 2014, the Bitcoin mining pool Ghash.io crossed the 51% threshold. Thankfully, they did not intentionally (or even accidentally) cause a fork. But this forced the Bitcoin community to take action, and Ghash stopped accepting new accounts into the pool. According to research, the current largest Bitcoin pools are in China and contain about 25% of all the mining resources. Iceland, Japan and the Czech Republic are in the top ten, though China clearly rules the roost. The threat of a 51% attack and subsequent fork is, for now, a topic for theorycrafting.

The Ugly

The biggest threat to Bitcoin security comes at the most logical place – where they are exchanged. This makes a lot of sense. Imagine, if you will, that Bitcoins are like normal currency that is stored in a third party bank vault. Because the ledger is so well built, it’s too difficult to try and tweak the books and steal money. The best strategic place to steal that money is where it is transferred between banks – the classic stagecoach robbery, if you will. In the Bitcoin arena, this happens at the Bitcoin Exchange level. Let’s say I have $20 and want to buy some Bitcoin with it, to do some online shopping. I could get an online Bitcoin wallet and attempt to sell something in real life (IRL) for Bitcoin; then I’d have some Bitcoin to my own name. Or I could buy some Bitcoin from an exchange, which has a large pool that it can sell to others in exchange for real currency. That is the stagecoach rumbling down the dirt road, ripe for the plundering.


And ripe it is. The number of Bitcoin exchanges that have been hacked and plundered is staggering. Many of the largest Bitcoin Exchanges in the world have been brought down through hacking. And because Bitcoin is not centralized, it’s difficult for a governing agency to offer the insurance options that are provided for a typical brick-and-mortar bank. Or to say it differently, if you entrust your Bitcoin to a third party bank, and that bank gets hacked, you’re flat out of luck. Ars Technica provides a great (and frightening) history of the largest Bitcoin heists and robberies. It’s safe to say that millions of dollars worth of Bitcoins have been stolen at this exchange level; use it at your own risk.

So that wraps up this blog series on Bitcoin. I hope you have found it helpful and interesting. As always, if you have any questions or I’ve done a poor job of explaining something, I’d love to hear from you, the comments section works great.

Deciphering Bitcoin

Chances are, if you have a technically-minded teenager, you’ve heard of Bitcoin. Here in the Geek homestead, it started casually, over dinner, with something like the following:

Hey Dad (for some reason, it ALWAYS starts with that)… can I mine Bitcoin?

[image: Don’t sit on me!]

And here we are. Maybe you’ve gotten similar questions from your teenager, drunk on the prospect of fabulous riches with no effort. Or perhaps you’ve heard about Bitcoin, but have no idea what it is. Or perhaps you’re a New York Times best-selling author, looking for a little research for your next project. Or maybe you accidentally found this page while searching for a babysitter for your pet hedgehog. Well, this blog is for you. No, I won’t watch your hedgehog.

What is Bitcoin?

Glad you asked. Bitcoin is an open source, Peer-to-Peer (P2P) digital currency. I could end there, but the blank look on your face tells me that didn’t help. Let’s break it down.

Open Source


Software that is open source simply means that the lines of code that act as the building blocks for the software program are available for other people to read, analyze, tweak, and re-distribute. The key word for open source software is “collaborate” – you are encouraged to work together with others to find new and creative ways of using the software. By comparison, an example of closed source software would be your Windows Operating System. The lines of Windows source code are the closely guarded secret sauce that no one else should ever discover, out of fear that Bill Gates’ gang of rowdy stormtrooper lawyers might drag you into court and sue you into oblivion.

Peer-to-Peer (P2P)

Something that is P2P means that its job or function is distributed across multiple devices. Remember the hullabaloo a few years back about Napster and Limewire and all those P2P file sharing applications? If I had Wham’s Greatest Hits sitting on my computer hard drive, I could share those MP3 files with anyone, anywhere, and they could access them using a P2P program. Likewise, I could access any other P2P user’s Wham music, should they choose to share it. Other computers (peers) could access my computer files, and vice versa. That is file-based P2P sharing, though there are other applications. A few years back, there was a program called the SETI@Home Project. This program was a P2P distributed computing platform that allowed other peers (computers) to utilize your computer’s processing power to help search for extraterrestrial life. The big word for P2P is “de-centralized”, meaning the whole is made up of many individual parts, spread all over the place. The copyright lawyers had a challenge in cracking down on P2P file sharing because there was not a single place all the files were shared from. They had to identify the individual peers, then encourage those peers to cease and desist. I worked for an Internet Service Provider back in the heyday of P2P File Sharing, and had to send out lots of nasty legal letters to home users to scare them into stopping sharing their stuff.

Digital Currency

This is the easy one. Were I to look inside your wallet right now, I might find a few dollar bills. Those are examples of physical currency – you can touch it and feel it and spend it or hoard it. By comparison, digital currency does not have a physical form – it only exists digitally. You can find a cool looking round Bitcoin chip, with the Bitcoin B on it, and even transfer some digital Bitcoin onto it (via an onboard chip)… but that would be like moving Wham’s Careless Whisper MP3 onto an iPod, and thinking the iPod was now Wham. The coin isn’t a Bitcoin – it’s a cute shell, on which you placed some Bitcoin, because Bitcoins are digital currency, not physical. Make sense?

Whodunnit

The concept of Bitcoin came about in 2008 through the release of a technical research article (called a Whitepaper) published by a person or group of persons named Satoshi Nakamoto. Much speculation abounds on who Satoshi Nakamoto is, and while some people believe they cracked the mystery, no one knows for sure. A few months after the whitepaper was released, Nakamoto bought the domain bitcoin.org and released the software source code there. The very first block was created using this source code, with an embedded note from the creator of ‘The Times 3 January 2009 Chancellor on brink of second bailout for banks’. This provided a clue as to the reason why Bitcoin was created, as it references the British government’s bailout of the centralized banking system. This is quite significant, as Bitcoin was created as a reaction to the perceived shortcomings of centralized currency – namely, shoddy government oversight, stock market crashes, the Great Depression, the transfer of bank debt onto the public taxpayer through bailouts. All of this could be remedied by creating a global digital currency that had no central bank, no government oversight, no middleman that could corrupt it. By utilizing strong encryption (hence the term Crypto-currency), creation and transactions could remain safe and secure. The classic utopian society, enabled by cryptocurrency… Lennon would have been so proud…

[image: You may say I’m dreaming about cryptocurrency, but I’m not the only one..]


I See What You Did There

I mentioned a word in the previous paragraph, “blockchain”. Forgive me for getting ahead of myself, and let me explain. The magic of Bitcoin involves the use of the blockchain, which is made of the transactional Bitcoin records that are linked and encrypted for increased security. Think of it like a ledger of all transactions. Each time someone buys something using Bitcoin, that transaction is written in the ledger. Each time a new Bitcoin is born (more on that, later), that transaction is written in the ledger. All Bitcoin transactions are recorded in the blockchain, going back to the very first transaction in January of 2009. Each block of information that is created lists any Bitcoin transactions that have occurred since the creation of the LAST block. In addition, each block records a hash of the previous block, to ensure the block’s integrity (to ensure no one tinkered with it).


Hash? Like that funky meat-and-potato stuff my Mom used to make me eat?

No, not that. A hash is a method for taking information and boiling it down into a simple fixed-length fingerprint. Hashing is used most commonly in password security. What I mean by that is your Windows computer doesn’t know what your password is. Strange, right? How does it know whether or not to let you log in? The first time you set up a password, your computer takes that password and creates a fixed-length hash output. That hash is one-directional, meaning you cannot determine the password by looking at, or modifying, the hash. Your computer stores that one-way hash on your computer, and when you log in, it looks for your user ID; then when you enter your password, it runs that password through the one-way hashing mechanism, then compares the output with the hash value that is stored on your computer. You can play around with creating hashes of words and phrases here, to see what a hash looks like. Note that changing even one single character in your word or phrase drastically changes the output hash. Because the one-way hashing output must always be the same, a match means you can get in. It is statistically improbable that two different passwords could ever result in the same hash. So now you know what a hash is, and why your computer doesn’t actually know your password. If it did, a hacker could easily steal it. As it stands, a hacker could get the hash, but could not easily reverse engineer it and figure out the password. If your password is something simple like a dictionary word, a hacker could run all the dictionary words through a hashing program, then compare your hash with the list of dictionary hashes, looking for a match. There are hacking tools called Rainbow Tables that do precisely that. But staying on target…
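
Here is the password-hashing story above in working Python, as an added example (not code from the original post). It shows the fixed-length output, how one changed character scrambles the whole hash, the store-the-hash-not-the-password login check, and why the dictionary-table lookup the paragraph describes works on a plain hash; the salted PBKDF2 variant at the end is the standard defence, added here as a caveat and not something the post covers. The word list and the hedgehog password are constructed.

```python
import hashlib
import hmac
import os

# Constructed word list, standing in for "all the dictionary words" in the post.
DICTIONARY = ["password", "letmein", "hedgehog", "sunshine", "hasenpfeffer"]


def sha256_hex(text):
    """One-way, fixed-length fingerprint: always 64 hex characters, whatever the input length."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def differing_positions(a, b):
    """How many of the 64 hex digits differ between two digests (the avalanche effect)."""
    return sum(1 for x, y in zip(a, b) if x != y)


def store_unsalted(password):
    """What the post describes: the computer keeps only the hash, never the password."""
    return sha256_hex(password)


def verify_unsalted(password, stored_hash):
    """Login check: hash what was typed and compare it with the stored hash.
    compare_digest avoids leaking how much of the hash matched through timing."""
    return hmac.compare_digest(sha256_hex(password), stored_hash)


def lookup_table(words):
    """Precomputed hash -> word table, the simplest form of what the post calls a
    rainbow table. It only works because equal passwords give equal hashes."""
    return {sha256_hex(w): w for w in words}


def recover_from_table(stored_hash, table):
    """The word whose hash matches, or None if the password is not in the list."""
    return table.get(stored_hash)


# Defensive variant (not in the post): a random per-user salt plus a slow hash (PBKDF2).
# Two users with the same password now get different stored values, so a table built
# in advance matches nothing, and every guess costs ITERATIONS hash computations.
ITERATIONS = 100_000


def store_salted(password, salt=None):
    """Returns (salt_hex, digest_hex); both are stored, the salt is not secret."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def verify_salted(password, salt_hex, stored_hex):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), stored_hex)
```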

[image: the creators of Bitcoin?]

Each block contains all the Bitcoin transactions since the last block was created. Each block also contains the hash of the previous block. Hence, each block is chained to the previous block, and this ensures that no one tinkered with it, because the hash is recorded and can be verified. So what about the very first block? What was it chained to? Answer = nothing. The author of the Bitcoin software created it when the first Bitcoins were created. The second block contained a hash of the first, then listed all the transactions since that first transaction, and so on until today. If you’re ever asked on a game of Jeopardy, the very first block was called the Genesis Block, and was created at 18:15:05 GMT on 3 January 2009. It’s the only block that does not reference the block before it – because no block came before it.
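
To make the chaining concrete, here is a toy chain in Python, added as an example rather than anything from the original post or the Bitcoin code base. It builds a genesis block with no predecessor, adds blocks that each carry the previous block’s hash, "mines" each block by hunting for a nonce (the mining work the first post describes, at an assumed toy difficulty of three leading zeros), and then shows what the validator sees when an old block is edited, both before and after re-mining it. The transactions are constructed sample strings.

```python
import hashlib
import json

# Toy setting (assumption): a hash must start with this many hex zeros to count as mined.
# Real Bitcoin uses a far harder target that the network adjusts every 2016 blocks.
DIFFICULTY = 3


def block_hash(block):
    """SHA-256 over the block's contents, excluding its own hash field."""
    body = {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


def mine(block, difficulty=DIFFICULTY):
    """Proof of work: bump the nonce until the hash meets the target, then seal the block."""
    target = "0" * difficulty
    block["nonce"] = 0
    while not block_hash(block).startswith(target):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def genesis_block():
    """The only block with no predecessor: its prev_hash is an all-zero placeholder."""
    return mine({"index": 0, "prev_hash": "0" * 64,
                 "transactions": ["constructed genesis note"], "nonce": 0})


def add_block(chain, transactions):
    """A new block lists the transactions since the last block and the last block's hash."""
    prev = chain[-1]
    block = mine({"index": prev["index"] + 1, "prev_hash": prev["hash"],
                  "transactions": list(transactions), "nonce": 0})
    chain.append(block)
    return block


def validate(chain, difficulty=DIFFICULTY):
    """Re-hash every block and check every link.
    Returns (True, -1) or (False, index of the first block that fails)."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"]:                  # contents changed after sealing
            return False, i
        if not block["hash"].startswith("0" * difficulty):      # no valid proof of work
            return False, i
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:  # broken chain link
            return False, i
    return True, -1


def build_sample_chain():
    chain = [genesis_block()]
    add_block(chain, ["alice -> bob 1.5 BTC"])      # constructed sample transactions
    add_block(chain, ["bob -> carol 0.5 BTC"])
    return chain


def tamper_demo():
    """Editing an old block's transactions breaks that block's own hash."""
    chain = build_sample_chain()
    chain[1]["transactions"] = ["alice -> mallory 1.5 BTC"]
    return validate(chain)


def tamper_and_remine_demo():
    """Re-mining the edited block repairs its hash but breaks the next block's link,
    so rewriting history means re-mining every later block as well, faster than the
    rest of the network extends the honest chain (the 51% scenario)."""
    chain = build_sample_chain()
    chain[1]["transactions"] = ["alice -> mallory 1.5 BTC"]
    mine(chain[1])
    return validate(chain)
```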

OK so that’s the basic introduction of Bitcoin. I’ve left a ton of questions unanswered – how do I buy a Bitcoin? Where do baby Bitcoins come from? And why is my teenager asking to mine Bitcoins? I thought they were digital and not made of metal? And how are Bitcoin transactions anonymous, if their records are stored in the blockchain? Look for a second installment on Bitcoin, coming soon…

The Different Webs

Hello, friends and strangers! It’s been quite a while since I’ve blogged, I hope you will forgive me. I’ve been rather busy working on my Master’s degree in IT, but now… at long last… all is done, and I’ve walked the aisle. Now that my brain is a little fuller, and my calendar is a little less complex, I’m hoping to get back on the blogging horse.

Today’s topic is something I’ve been doing some independent research on, and found rather interesting. Hopefully you’ll find it informative, or at least mildly amusing. The Internet is frequently called the World Wide Web – but in actuality, it is made up of three different types, or levels, of Web.

The Clearweb

Chances are, you are reading this blog on what is called the Clearweb. This is what we commonly consider the Internet that we know and love. The Clearweb is also called the Openweb or Surfaceweb. The most notable characteristic of the Clearweb is that it is Indexed. That’s a fancy way of saying that Google (or Bing or any number of other search engines) routinely read through the Clearweb and index it, so you can find information more easily. If you fire up a new tab right now, and search for “Hagrid’s Rock Cakes”, you will get a list of hits, or web pages that match your search description. Those results appear because Google routinely reads through and catalogs (Indexes) portions of the Internet with a Web Spider (huh… a Spider on the web? Go figure!). Google uses a complex algorithm to determine what search results show up at the top (usually those come from the highest paying advertiser). Within minutes, you are reading up on recipes for Hagrid’s cakes. A Spider (or Crawler) goes through web pages and indexes them based on key words and metadata (embedded key words) within a web page. Though we are most familiar with web pages on the Clearweb, research indicates that these pages make up only about 4% of the Internet.


Examples of the Clearweb are pretty obvious: Google and its search results, entertainment websites such as Starwars dot com, church websites such as Liberti church dot org, and the Pennsylvania Department of Motor Vehicles website. All of these sites will turn up from a basic Google search, as they are indexed.

The Deepweb

The second Web I want to discuss is the Deepweb. This web is not Indexed, though it is readily available from a Web Browser, if you know where to look. And that is the key here – because these pages are not indexed, you can’t find them directly from a search engine. These pages are still hosted on the main Public Internet, but their contents aren’t there for everyone to see from a search engine. Pages on the Deepweb are deliberately not indexed, so as to remain private and secure. The fancy security word for this is Confidentiality – the information on a Deepweb page is only shared with those who SHOULD have access to it, whereas the information on a Clearweb page is indexed and searchable by anyone. Research indicates that Web Pages on the Deepweb make up approximately 96% of the pages on the Internet. That’s a lot that you don’t see – but it’s there. If the Internet is an iceberg, the Deepweb is what’s below the surface. Typically, there is a public facing page that acts as a login portal to an un-indexed Deepweb.

Examples of the Deepweb are:
Government web pages.
A company Intranet page. For example, if you log into your company’s Outlook Webmail page, the main login page may be indexed and found from a search engine – but the actual page where you view your mail is private and not indexed. It is on the Deepweb.
Your bank’s website. When you log into your bank’s website, you typically hit their main Indexed page. But once you log in, you enter a private Deepweb that is not indexed.
Private, or subscription web pages. When you log into Facebook, you are entering the realm of the private Deepweb that is hidden from public view – but only if you lock it down and choose not to share your page with everyone. People may search for your name followed by Facebook, and see your public profile – but they won’t necessarily see the photos you took of your kids, unless you allow that. You’re cloaking that information on the Deepweb.

The Darkweb

The Darkweb (also called Darknet) is a small portion of the Deepweb that is not indexed. In addition, web sites hosted on the Darkweb are encrypted and are not available using a normal web browser. These sites must be accessed using a special encrypted browser, such as TOR. TOR, short for The Onion Router, is a program that uses several cloaking and encryption techniques to attempt confidentiality and secure access. This small portion of the Deepweb makes up about 6% of the entire Internet. The Darkweb is of particular interest to us, as parents, as most of the really bad stuff on the Internet is hosted here. If the Internet were a large flat rock, the Darkweb is the gruesome underside of that rock. As parents, our goal should be to keep our children off the Darkweb as much as possible. Because you need special software such as TOR to even access the Darkweb, it should be rather obvious that we don’t allow little Johnny to install any software he wants onto a computer. The Darkweb is one of the biggest threats to a company’s information, which explains why many companies lock down their employee resources (i.e. computers) and don’t allow employees to install their own software.

Examples of the Darkweb are: The Darkweb is host to many DNMs (Darknet Marketplaces) that buy and sell things so horrific, I won’t speak of them. They are the Internet Voldemort – and must not be named. Traffic is made possible on DNMs through the use of Cryptocurrencies such as Bitcoin, with the goal of ensuring a truly anonymous buying and selling environment. It is worth noting here that using TOR on the Darkweb is not a guarantee of anonymity and privacy. DNMs such as the Silk Road are proof that the Government is highly interested in what happens on the Darkweb, and can indeed find out who and where you are. Truth be told, some legitimate companies such as Facebook host a .onion web page on the Darkweb. They do this to cater to proponents of Internet Freedom and privacy advocates. Some in this camp argue that it’s more dangerous to surf the Clearweb than it is to surf the Darkweb, and have a valid point in light of all the malware, adware, metadata, tracking cookies, and so on.

Nietzsche says…

Remember the old quote by Nietzsche? “And if you gaze long into an abyss, the abyss also gazes into you.” A large risk in connecting to the Darkweb is that you are now connected to the filthy underbelly of the Internet – and while you are connected, you have in essence created a bridge between your computer and the underbelly. Using the Nietzsche reference, you can see them, and it stands to reason that they could see you. Don’t ever connect to the Darkweb from a computer that you aren’t completely comfortable with becoming compromised, infected, wiped, locked with Ransomware, and so on. Better yet, just don’t connect to the Darkweb. In the Information Security realm, much of the world is framed by risk. If the benefit far outweighs the potential risk, it may be a good idea. In this specific case, that is rarely the case for a casual user. I highly recommend that – as a parent – you do everything within your power to keep your children off the Darkweb. Prevent your kids from being able to install software such as TOR. Also consider locking down your computer’s BIOS so that kids cannot boot from a bootable CD and thus circumvent your computer’s security settings. These bootable drives can load a version of Linux such as TAILS, which is designed for confidentiality and secrecy. You don’t want your kids operating in such an environment, so follow the direction most companies have already gone, and lock the computers down.

On The Value of Metadata

I’m going to put on my privacy advocate hat for a moment, and indulge the argument that we are all large fat fruit shrubs on the Clearweb. Our surfing habits are being watched and farmed to other companies for a profit – often without our knowledge. Many privacy advocates would argue that we should have the choice, that this information that makes up our online footprint should be ours to choose to share, as we wish.

This idealistic approach is – in this day and age – not reasonable. When you choose to log into Facebook, you typically sign an agreement to give away some of your privacy. Facebook makes money by farming your metadata, and you get to share pictures of lolcats, or rant about politics, or click a thumbs up that your niece is pregnant. It’s an exchange of sorts. Everything you do on the Clearweb is being gathered, analyzed, and sold. There is no guaranteed confidentiality here. As a consumer, your goal is to strike that balance between what you receive, and what you provide. If you find enough value in a service, you will be more likely to willingly provide sellable metadata.


Probably the best example of that balance is the streaming music service, Pandora. When you sign up for Pandora, you provide some basic information. For example, you name a band or musician that you like (metadata). Pandora then lets you listen to music that is either identical to, or similar to, the metadata you provide. In exchange for your clicking a thumbs up for a song you like, Pandora gathers more metadata, and rewards you by providing a more accurate customer experience – it will then shape your musical experience towards songs that you like. If you hear a song you really don’t like, clicking the thumbs down button gives them more metadata, and as a result, avoids playing songs similar to that one. Pandora provides you with a “free” customized music streaming service, and you provide them with metadata about your favorite musical styles. It’s the modern Internet equivalent of a Plover Bird and Crocodile symbiotic relationship.

The Geek’s Guide to Creepy Stuff, Part Two: Denial of Service

Story Time, Chapter One
There was an old woman who lived in a shoe.
She had so many children, she didn’t know what to do.
And I’ll stop there, lest we dissolve into a heated debate about the dietary merits of broth without bread, and sparing the rod and spoiling the child, and all that stuff.
Let’s take a moment to imagine what her days would be like.
Setting: Inside the shoe.
<The telephone rings>
She reaches for the phone, and like a flock of kittens after a red laser pointer, they descend upon her.
I WANT WATER.
RALPHIE HIT ME.
CAN I PLAY OUTSIDE?
WHERE IS MY STUFFED HEDGEHOG!?
And on it goes. The poor woman quickly becomes incapacitated under a deluge of little voices, all demanding her undivided attention.
Story Time, Chapter Two
Setting: inside the Super Grover Diner.
Time: 12:17, peak lunchtime rush.
WAITER! WHERE’S MY HASENPFEFFER!?
Super Grover (here, just mild mannered Grover in disguise) heads to the kitchen. Moments later, out he comes, seven glasses of ice water (and lemon wedges) balanced precariously on a flat round tray.
I DIDN’T NEED WATER! I WANTED ICED TEA!
HEY WAITER! CAN I GET MY CHECK?
Super Grover (here, just mild mannered Grover in disguise) heads to the kitchen. Moments later, out he comes, six glasses of ice water (and lemon wedges) and one glass of iced tea (with a lemon wedge) balanced precariously on a flat round tray.
HEY WAITER! ARE YOU GONNA TAKE MY ORDER, OR WHAT?
I NEED A TO GO BOX! CAN YOU GET ME A TO GO BOX?
MY BURGER IS OVER COOKED! I DIDN’T WANT COW JERKY!
WAITER! WHERE’S MY HASENPFEFFER!?
HEY! CAN I PLEASE GET MY CHECK?
Super Grover (here, just mild mannered Grover in disguise) heads to the kitchen. Moments later, out he comes, two to-go boxes and a steaming plate of hasenpfeffer balanced precariously on a flat round tray.
HEY WAITER! ARE YOU GONNA TAKE MY ORDER, OR WHAT?
CHECK PLEASE! OVER HERE!
I NEED A TO GO BOX! CAN YOU GET ME A TO GO BOX?
WHO COOKED THIS THING? THEY BETTER GET ME A NEW BURGER. I CAN’T EAT THIS.
HEY! CAN I PLEASE GET MY CHECK?
I’M READY TO ORDER! WHAT’S YOUR SOUP OF THE DAY?
I NEED TO SEE YOUR MANAGER. PRONTO.
And on it goes. Zoey called off at the last minute with some pathetic excuse or other. Bert is seating people as fast as he can, but the crowd is building. Tempers flaring. Hungry muppets everywhere.
Super Grover – super though he may be – can not keep up…
CAN NOT KEEP UP…
Cute, Geek. Now What’s Your Point?
Today we are going to talk about Denial of Service (or DoS) attacks. Like the Ransomware attack, a DoS attack denies the Accessibility of a resource. But while a Ransomware attack prevents access with the purpose to hold it ransom (financial gain), the DoS attack is designed to merely prevent access. End of story. The end.
How a DoS attack works: the bad guy finds a target (usually a website), then launches a barrage of requests at the target. Like our little old lady in the shoe, and Super Grover, our target is overwhelmed and cannot keep up with the flood of demands. The target slows down, becoming more and more overwhelmed, until it crashes.
There are several different types of DoS attack, though they all have the same purpose. A standard DoS attack is usually launched by a single bad guy. In my Ethical Hacking class, I was stunned to see the large number of out-of-the-box tools that were designed to flood a target and cause a DoS attack. It’s remarkably easy to do this – you pick your target, press the fire button, and BOOM. They drop. My particular favorite tool was the HOIC, short for High Orbit Ion Cannon. My preference for the tool was rather simple – the button to fire said FIRE TEH LAZER! in a classic nod to the lolcats (for which I have a soft spot).
Another type of DoS attack is the Distributed Denial of Service attack (DDoS). This attack differs in that an army of devices (usually called a botnet) is under the control of a bad guy (or group of bad guys), and all of the devices attack a single target at once. The hacking collective known as Anonymous has used this DDoS trick repeatedly in the past. One of the most severe DDoS attacks in recent history used a botnet of IoT devices to bring down core DNS servers on the Internet. Computers across the globe couldn’t resolve GOOGLE.COM to its Layer 3 IP Address, and the Internet blew up.
I-O-What?
IoT stands for Internet of Things. These devices (things) are network-accessible devices, such as webcams, baby monitors, smart televisions, smart refrigerators, washing machines, and so on. Remember this – if you buy a webcam for home security, and you can access it from the Internet to check on the babysitter, other people can also – in theory – access that webcam.
So a crafty hacker found that many of the IoT devices that were on the Internet were using either the default (out of the box) password, or had no password at all. The hacker did some basic coding to hijack these devices into a personal army (botnet), then pointed them all towards a target in a DoS attack. Because the devices were distributed across the world, it was difficult to identify the attacker and shut them down.
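From the defender’s side, the difference between the lone-attacker DoS and the botnet DDoS described above shows up in the web server logs, and this added Python example (not code from the original post) runs a simple two-level flood detector over constructed access-log lines: a per-source rate check catches the single flooder, while an aggregate per-window check is needed for the distributed case, where each of the forty sources stays under the per-source threshold. The log format, IP addresses, timestamps and thresholds are all assumptions made up for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed access-log lines in the common "combined" format; none of this is real traffic.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
BASE_TIME = datetime(2017, 3, 10, 12, 17, 0, tzinfo=timezone.utc)  # arbitrary, constructed


def make_line(ip, offset_s, path="/index.html"):
    """Build one constructed log line offset_s seconds after BASE_TIME."""
    ts = (BASE_TIME + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "constructed-agent"'


def parse(lines):
    """Return (source ip, timestamp) for each well-formed line; skip anything else."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            events.append((m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)))
    return events


def detect(lines, window_s=10, per_ip_threshold=20, total_threshold=60):
    """Two checks per time window:
    - a single source above per_ip_threshold is flagged (the lone-attacker DoS);
    - a window above total_threshold with NO single noisy source is reported as an
      aggregate alert (the botnet/DDoS shape: every source stays under the radar).
    Returns (set of flagged ips, list of (window start, requests, distinct sources))."""
    windows = defaultdict(list)
    for ip, ts in parse(lines):
        windows[int(ts.timestamp()) // window_s].append(ip)
    flagged, aggregate = set(), []
    for key in sorted(windows):
        counts = Counter(windows[key])
        noisy = {ip for ip, n in counts.items() if n > per_ip_threshold}
        flagged |= noisy
        if len(windows[key]) > total_threshold and not noisy:
            aggregate.append((key * window_s, len(windows[key]), len(counts)))
    return flagged, aggregate


# Constructed scenarios. Normal traffic: three clients, two requests each, in one window.
NORMAL_CLIENTS = ["203.0.113.5", "203.0.113.6", "203.0.113.7"]


def normal_traffic():
    return [make_line(ip, i * 3 + n) for n, ip in enumerate(NORMAL_CLIENTS) for i in range(2)]


def single_source_flood():
    """One address fires 50 requests in ten seconds on top of normal traffic."""
    return normal_traffic() + [make_line("203.0.113.66", i % 10, "/login") for i in range(50)]


def distributed_flood():
    """Forty addresses send two requests each in the same ten seconds: 86 requests in
    total, but no single source crosses the per-ip threshold."""
    bots = [f"192.0.2.{i}" for i in range(1, 41)]
    return normal_traffic() + [make_line(ip, (i + k) % 10)
                               for i, ip in enumerate(bots) for k in range(2)]
```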
Another type of DoS attack is the TDOS attack. This is a fairly new type of DoS attack that targets voice devices and infrastructure. This attack was used to great effect recently to bring down the entire 911 service for Dallas, Texas. We’ve all suffered from irritating robotic telemarketers and voice spammers – it seems I get more phone calls from recorded devices than I do from actual people. Now imagine a hacker utilizing a VOIP device that can send hundreds or thousands of calls per second, repeatedly, towards a target. Those voice calls would cause a Denial of Service attack on the target, incapacitating them. This is precisely what happened in Dallas, Amarillo, and Phoenix – a TDOS was launched against the 911 service, bringing it down. Some people died when they could not get immediate medical help through the 911 service. Because a phone line is no longer required with Voice over IP (VOIP) devices, it’s possible to use a computer to generate hundreds of phone calls, without the limitations of having hundreds of copper phone lines running to hundreds of phones, and hundreds of humans dialing numbers on those phones. With the push of a button, I can launch a VoIP call from my computer. But wait… what if it got even easier than that?
Geek on a Train
As I said in the Ransomware blog yesterday, I was on the train to Philly, reading a whitepaper on TDOS attacks. In an eerie moment of clarity, I connected the dots between two seemingly unrelated news items.
1. TDOS attacks are becoming more prevalent. This I have already shown you, in the Network World article on TDOS above.
2. Voice-activated home assistants (i.e., Google Home and Amazon Alexa) are now capable of doing voice-activated calling – without the need for a phone. This is being rolled out across the US, even as I type this blog. What this means is you can yell out loud, “Google, call Mom” and your Google Home will jump out onto the Internet and initiate a voice call, and your Mom (but sadly, not mine) will answer and you can chat while you wash your dishes. All, without needing a phone. This is pretty huge – and pretty frightening.
I’ll connect the dots for you.
Imagine a major radio program that has thousands of listeners. I’d name one political one that came to mind, but in the current over-charged political climate, I’d tick off half of the readers here. So someone calls into this radio host’s program and says something like HEY GOOGLE CALL 911. Instantly, assuming the FCC doesn’t filter it out (and they are not required to quite yet), all the Google Home devices (that are always listening) could potentially dial 911. The number of calls could cripple (or even shut down) 911 call centers.
Now imagine that a hacker discovers a bug (or flaw) in the code of the Amazon Alexa. The hacker exploits this vulnerability, and creates a botnet of every Internet-connected Alexa on the planet. Sales numbers for the Alexa are a little hard to come by, but an un-named source reported that Amazon will sell more than 10 million of its Amazon Echo smart speakers in 2017. The Alexa is a little pricier than the Echo, and fewer are sold as a result. But let’s guesstimate that 5 million Alexas are out there right now. And if a hacker were to take over all of them and direct them towards a target, well… boom. Target go down.
My prediction (here and now, August 18, 2017) is that phone-enabled IoT devices will be the next frontier of TDoS attacks. You heard it here first, folks.
OK, Nostradamus, Wrap It Up
OK, fine, I will. So I’ve talked you through what a Denial of Service (DoS) attack is, how it works, and given examples of how they are used to cause mayhem. Hopefully you are now a little more informed. Have a great weekend!

The Geek’s Guide to Creepy Stuff, Part One: Ransomware

I had an epiphany this morning. I was on the train into Philly, and was reading a whitepaper on TDOS attacks and mitigation. In a rare moment of insight, the stars aligned inside my skull and I understood just how frightening the new dialing features of Amazon Alexa and Google Home could potentially be. Any time a new technology comes out, people flock to it like ducks to a… thing that ducks like. I’m fresh out of metaphors, sorry. What we tend to forget is that new technologies are a new challenge to hackers, to be used for ill-gotten gains. I was blabbering on at the dinner table, as Pooky’s eyes got glassier and glassier. At one point I believe she may have fallen asleep, hearing only the mwa waa wa mwaa sound of Charlie Brown’s teacher. So out of necessity, I’m here to explain some of the creepier aspects of technology. Today’s topic is Ransomware.

Ransomware

Next week, I present my Master’s thesis on Cryptovirology. If all goes well, I’ll add some letters to my name, and regain my evenings and weekends for unlimited leisure time. I’m currently ABD – an acronym that means I’ve completed all my Master’s-level coursework, but haven’t given my dissertation yet. Quite literally, it means All But Dissertation. If you haven’t had your head in the sand over the last few years, you’ve probably heard about Ransomware. It’s the boogeyman that hides under our beds, jumping out to steal our digital vacation pics and lock them up. Here’s a Geek Guide to Ransomware.

Ransomware is a newer type of virus that affects the Availability of your stuff. That’s a fancy way of saying it prevents you from getting at, or using, your stuff. Ransomware typically gets on your system when you click on a URL link, and it directs you to an infected web page, which runs some code and pushes the virus onto your computer – the classic Drive By Download approach to getting a virus. Once the virus gets onto your machine, it prevents you from accessing something, and demands a ransom. There are two types of Ransomware – the locker (which locks your computer, demanding a ransom to unlock it), and the crypto ransomware. Crypto Ransomware is the newest threat. It encrypts your files, deletes the original files, and then pops up a nasty message.

Typically, the message will tell you that your stuff is being held for ransom (hence the term RANSOMware). If you want your stuff back, you have to pay them some money – typically in the form of Bitcoin, a type of online currency. The Ransomware popup messages are usually very creative, using fear tactics to get you to pay up. No, it’s not REALLY the FBI or CIA who is demanding payment, it’s just a crafty hacker.

Ransomware has been running rampant across the world over the past year. Different types of Ransomware have grown from just a handful in 2013, to several hundred in 2016. 2017 is quite possibly the year of Ransomware, with the latest strain (WannaCry) pounding computer systems across the globe. Ransomware is really a bad guy’s dream. It’s easy to seed – you just dump it on some websites, then trick people into hitting that site. Once infected, users have two choices – kiss their goodies goodbye, or pay up. And if you pay up, there is no guarantee that the nasty hacker will actually give your goodies back.

Ransomware was invented back in 1989, when a gentleman handed out floppy disks, carrying a virus, at an AIDS conference. The virus, when executed, attacked the victim’s computer and renamed files. To put things back, it demanded that the victim donate money to AIDS research. The strategy and technology were incredibly basic, and easy to thwart. It used a Symmetric key, meaning all you needed to put things back was a single password (key). In 1996, the team of Young and Yung wrote an excellent paper about cryptovirology – that is, utilizing cryptology as an offensive weapon in a virus. They determined that the peanut butter and jelly of viruses would utilize more complex keys (Asymmetric keys), along with an untraceable currency (Bitcoin). It took a few years for creative virus writers to take note – but soon enough, modern Ransomware followed their advice, and the rest is history.

A Note on Keys

I’ve used two terms here that are worth discussing. Symmetric keys are a simple way to encrypt, or lock up, files. This is also called shared key technology, because a single key is used to lock up stuff. That same single key is then used to unlock stuff. Because there is only one key, it’s typically shared with the sender and the receiver. Otherwise, the receiver couldn’t unlock the stuff. And as a result, it’s easier to guess the key and unlock the stuff. If I wanted to send you a secret message, and used a symmetric key on it, I’d have to share the key with you so you could unlock the message and read it.

Asymmetric keys are different. In this case, there are two keys – a private key (that only the owner knows) and a public key (that everyone knows). If I want to share a secret message with you, you would give me your public key. I’d lock up the message with that key, in a one-way process. I could not unlock it, once I did this. The only way to unlock the message would be by using the private key, which only you know, and won’t share with anyone. This type of encryption is the foundation of modern cryptology. You’ll see this technology a lot with email encryption, such as PGP. If I want to keep my goodies secret from prying eyes, I’ll give everyone who I want to communicate with my PUBLIC KEY. They can then send me messages that are locked up with that key. To unlock the message, I use my PRIVATE KEY. Botta bing – my stuff is secure (assuming no one gets my private key). Ok, enough on keys and encryption.

Ransomware locks your stuff up with a public key – and the only way you can get it back is for the bad guy to use the private key, that only they know. It adds complexity and security to the process.
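To make the two kinds of keys concrete, here is an added toy (my illustration, not from the original post or any real ransomware) that shows the one property everything above hinges on: with a symmetric key, whoever can lock can also unlock, while with an asymmetric pair the public key locks and only the private key unlocks. The symmetric cipher is a throwaway hash-based keystream and the RSA numbers are the tiny textbook values (p=61, q=53); both are assumptions chosen so the example runs with nothing but the standard library, and neither is remotely secure.

```python
"""Symmetric (shared) keys versus asymmetric (public/private) keys, as a toy.

Added example, not from the original post.  The RSA parameters are the
textbook values p=61, q=53 (n=3233, e=17, d=2753), fine for showing who
can unlock what and useless for real security; the symmetric cipher is a
SHA-256 keystream built only to keep the example dependency-free.
"""
import hashlib
import secrets


# ---------- Symmetric: one shared key both locks and unlocks ----------
def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """XOR `data` with a keystream derived from `key`.  The same call
    encrypts and decrypts, so anyone holding the key can do either."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# ---------- Asymmetric: public key locks, only the private key unlocks ----------
def rsa_toy_keypair():
    """Textbook RSA with tiny primes.  Returns (public, private) as (n, exponent)."""
    p, q, e, d = 61, 53, 17, 2753
    n, phi = p * q, (p - 1) * (q - 1)
    assert (e * d) % phi == 1          # d is the inverse of e modulo phi(n)
    return (n, e), (n, d)


def rsa_encrypt(public_key, data: bytes) -> list:
    """Encrypt one byte per block (toy only; real RSA wraps a symmetric key)."""
    n, e = public_key
    return [pow(b, e, n) for b in data]


def rsa_decrypt(key, blocks: list):
    """Decrypt with the given (n, exponent).  Only the private exponent
    recovers the bytes; any other key yields arbitrary residues mod n."""
    n, exp = key
    values = [pow(c, exp, n) for c in blocks]
    return bytes(values) if all(v < 256 for v in values) else None


def demo() -> bool:
    message = b"vacation pics"

    # Symmetric: sender and receiver must both hold `shared`, and whoever
    # has it can read the message.
    shared = secrets.token_bytes(16)
    locked = symmetric_crypt(shared, message)
    assert locked != message
    assert symmetric_crypt(shared, locked) == message

    # Asymmetric: anyone with the public key can lock.  The public key
    # cannot unlock what it locked; only the private key can.
    public, private = rsa_toy_keypair()
    blocks = rsa_encrypt(public, message)
    assert rsa_decrypt(private, blocks) == message
    assert rsa_decrypt(public, blocks) != message
    return True


if __name__ == "__main__":
    print("both properties hold:", demo())
```

The last two assertions in `demo()` are the whole story of crypto ransomware in miniature: the malware only ever needs the public half, so nothing left on the victim’s machine can reverse the lock, and the private half stays with the bad guy.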

Bitcoin is an online currency that is pretty much untraceable. Because of the high degree of anonymity it offers, it’s the currency of choice on the Darkweb (the seedy underbelly of the Internet). Bitcoin transactions make it possible for the bad guy to get paid, without you being able to (easily) catch or stop them.

OK, Professor, Now What?

For the average home user, your strategy for preventing Ransomware should consist of a few key tools.

  1. Backups – back your data up. Do this frequently, and in several different ways. I back my data up to the cloud (using Carbonite). I also back my data up to an external hard drive, which is disconnected unless it’s backing my data up. If I were to get Ransomware, my encrypted files would automatically get backed up to Carbonite, and replace my good files. That’s why I need an external hard drive backup that is not connected to my computer. If it were connected to my computer, it would get encrypted when Ransomware hit. This is the number one way to protect yourself against Ransomware – it can’t hurt you if you have your data backed up.
  2. Patches and Updates – frequently install the latest security and operating system patches on your computer. This also goes for your programs and apps (tablets / phones). Hackers use bugs in the code to install their viruses on your computer / tablet / phone. Make it harder for them – update your programs and operating systems frequently. Think of it like you’re covering holes in the side of your house – holes that mice and squirrels and bats could come in, should they so choose. You want to keep them out, so patch the holes.
  3. Awareness – users are typically click-happy on the Internet. Don’t be that person. Don’t click on links unless you know what they are. If you get a strange email that baits you to click on a link, don’t do it. This is known as a Phishing attempt. Threatening emails or popups or texts or chats are phishing attempts to get you to click on their links – which leads to an infected website – which leads to an automatic installation of a virus. Chances are, these days, that will be Ransomware. Also – never plug in a thumb drive that isn’t yours. If you find a thumb drive lying on the ground, leave it be. Leaving an infected thumb drive lying around is a very common way for hackers to infect computers. This tactic was used to great effect in the infamous Stuxnet virus campaign.
  4. Protect your resources – use antivirus software and antimalware software. I’m always asked to recommend one, which is difficult. They all have strengths and weaknesses. It is worth noting that there is no one single tool in this area that will catch everything. Pick a good one that is highly rated (from a reputable site like PC World or similar), and go. Let it run and scan and protect. It’s not going to be perfect, but it’s better than no protection at all.
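The backup point deserves one more tool. The reason the cloud copy gets ruined is that a sync job cannot tell a document from the ciphertext that replaced it. Here is an added example (my own, not from the original post or from Carbonite) of a pre-backup guard: it measures how random each file’s bytes look (Shannon entropy) and holds back files that suddenly look encrypted, either because a plain-text type is near 8 bits per byte or because a file’s entropy jumped since the last good snapshot. The sample files, the 7.5-bit limit, and the list of “should be compressible” extensions are constructed assumptions. This does not replace the unplugged external drive; it just keeps a sync from silently overwriting good copies.

```python
"""A pre-backup guard that flags files which look freshly encrypted.

Added example, not from the original post.  The sample files, the
7.5-bit entropy limit and the extension list are constructed assumptions.
"""
import math
import os
import random
from collections import Counter

ENTROPY_LIMIT = 7.5       # bits per byte; documents and text sit well below this
JUMP_FLOOR = 6.0          # a file that used to be under this and is now near 8 bits changed nature
LOW_ENTROPY_TYPES = {".txt", ".csv", ".log", ".md", ".ini"}   # plain text should never look random


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for a constant file, 8.0 for uniform noise."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes, previous_entropy=None) -> bool:
    """True when the file's bytes look like ciphertext where they should not."""
    ent = shannon_entropy(data)
    ext = os.path.splitext(name)[1].lower()
    if ext in LOW_ENTROPY_TYPES and ent > ENTROPY_LIMIT:
        return True                       # a "text" file full of noise
    if previous_entropy is not None and previous_entropy < JUMP_FLOOR and ent > ENTROPY_LIMIT:
        return True                       # a document that turned into noise since last run
    return False


def guard_backup(current: dict, snapshot: dict):
    """current: {filename: bytes} about to be synced.
    snapshot: {filename: entropy} recorded on the last good run.
    Returns (ok_to_sync, held_back), both sorted lists of names."""
    ok, held = [], []
    for name, data in current.items():
        (held if looks_encrypted(name, data, snapshot.get(name)) else ok).append(name)
    return sorted(ok), sorted(held)


def build_samples():
    """Constructed sample data: a deterministic stand-in for ciphertext plus ordinary text."""
    rng = random.Random(7)
    noise = lambda size: bytes(rng.randrange(256) for _ in range(size))
    text = b"Dear diary, today the cat sat on the mat again. " * 40
    current = {
        "notes.txt": text,            # unchanged text: fine
        "memo.txt": text[:200],       # new text file: fine
        "photo.jpg": noise(4096),     # JPEG bodies are always high entropy: fine
        "thesis.doc": noise(4096),    # was a normal document last run: now ciphertext
        "budget.csv": noise(2048),    # plain-text type that looks like noise: suspicious
    }
    snapshot = {"notes.txt": 3.9, "photo.jpg": 7.9, "thesis.doc": 4.2}
    return current, snapshot


if __name__ == "__main__":
    ok, held = guard_backup(*build_samples())
    print("sync:", ok)
    print("held back for review:", held)
```

Notice that `photo.jpg` is not flagged even though it is pure noise: compressed formats are naturally high entropy, so the guard needs the previous snapshot to tell a freshly encrypted document from a photo that has always looked that way. Anything held back should be investigated before the next sync runs, not simply skipped.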

I hope this helps you in understanding Ransomware attacks, and how to protect yourself.

If time permits, I’ll tackle other bad guy stuff in the near future. Since I mentioned TDOS attacks, it’s worth a discussion on DOS attacks.

It’s OK to Lie!

OK, so now that I have your attention, let’s break this one down.

MFA for Fun and Profit

There is a trend in information security (or InfoSec if you’d rather) towards Multi-Factor Authentication (MFA for short). What MFA means is that to authenticate (log in), you need Multiple (Multi-) forms (Factors) to gain access.

The most common types of MFA revolve around three pieces of information:

  1. What you know. This is most commonly a username or password or pin number. To log into a site like Facebook, you typically need to provide your username (often an email address) and your password. Both of these pieces of information are things you know.
  2. What you have. This is most commonly provided by a card or chip or (in many cases nowadays) a cell phone. As an example, if I swipe a badge to enter a parking garage, that is something I need to have, in order to gain access.
  3. What you are. This typically encompasses what is known as biometrics. Fingerprints, the iris of an eye, hand geometry, and so on. Remember the movie National Treasure with Nicolas Cage? Of course you do – great movie. In that movie, he pulled a fingerprint off a champagne glass, and used that fingerprint to get past a fingerprint scanner. He hacked this form of authentication.

So the golden rule of security, in this regard, is that the more distinct types of authentication you require, the better (or more secure) it is. It’s great for me to have a bank card (something I have). It’s better, yet, to require a pin number along with that card, in order to do a transaction. If you have a newer credit card with a chip onboard, that is the direction we’re (hopefully) headed. You put in the chip, then enter a pin, and botta bing – you just bought groceries with MFA. We’re not quite there yet, and credit card numbers are bought and sold on the darkweb all the time. They are crazy easy to steal because you only need the one factor of authentication.

OK Sherlock, but why do I care?

Hey, glad you asked. For some sites (most notably, banking and financial sites), you are now being required to set up security questions. These security questions only go deeper into one factor – something we know. As an example, to log into my bank account online, I provide my username and password, and then I’m asked a security question that I have to answer. I set those questions up beforehand, and simply regurgitate an answer to log in.

These Security Questions are Not Very Secure

There are many websites out there that provide lists of the most common security questions. Here are a few examples I dug up, with a very quick and basic Google search:

  • What is the first and last name of your first boyfriend or girlfriend?
  • Which phone number do you remember most from your childhood?
  • What was your favorite place to visit as a child?
  • Who is your favorite actor, musician, or artist?
  • What is the name of your favorite pet?
  • In what city were you born?
  • What high school did you attend?
  • What is the name of your first school?
  • What is your favorite movie?
  • What is your mother’s maiden name?
  • What street did you grow up on?
  • What was the make of your first car?
  • When is your anniversary?
  • What is your favorite color?
  • What is your father’s middle name?
  • What is the name of your first grade teacher?
  • What was your high school mascot?
  • Which is your favorite web browser?

Angry Sarah is Angry!

Understand, this is just a basic list – and it provides more of the one single factor of “What You Know”. While it seems on the surface to be a deeper level of security, it’s actually not. In September of 2008, the personal email account of Sarah Palin was hacked by guessing the answer to a few of these basic questions. The answers were possible through just a little bit of detective work, and once provided, gave the hacker complete access into her email. This is just one example – and there are myriad others. Using this type of “security” doesn’t really help all that much.

Facebook Polls for the Phisher

Hey, did you know that when you fill out those cute little Facebook top ten posts about yourself, you are potentially providing a hacker information about yourself? They can then use that information to potentially hack your account. The information you provide about yourself online is often etched into eternity, and publicly accessible. Palin’s hacker learned the answers to her email security questions by doing a little bit of Google work. Single Factor Authentication is not that secure.

Lie!

So that brings me to the point of my rather sensational blog title. While there are exceptions, it is generally against our nature to lie to other people. But I encourage you to lie – openly and completely – when you set these security questions. That way, when someone does try to hack your account, and has access to your history and background and life story (by sifting through your online footprint), they cannot simply guess the answers to your security questions. The trick is to remember the answer to your questions. If you can pull that off, you’re home free. This trick is recommended by Kevin Mitnick in his awesome book, The Art of Invisibility.

For example, let’s take a few of these common questions.

What is the first and last name of your first boyfriend or girlfriend?

Well, that one would be pretty easy to find out, right? Chances are, you have that person as a friend on Facebook. Someone else out there knows this information – perhaps even your first boyfriend or girlfriend. You just gave that person potential access to your account. But what if you chose a different answer – such as the school bully who you despised? What if you chose for all of these questions, the most blatant lie you could think of?

Who is your favorite actor, musician, or artist?

Who is your LEAST FAVORITE actor or actress? Who is the least musical person you know? All potential answers here.

What high school did you attend? Or what was your high school mascot?

Very easy to guess, and I think one of the questions that got Palin hacked. But what about instead picking your high school rival school? Or decide to instead pick the name of a fictional school like Hogwarts? Be creative in your lies.

OK so I could go on all day long with these, and I imagine by now you get the point. I strongly encourage you (as does Kevin Mitnick) to think outside the box here, and fabricate answers that are not easy to guess.

Well That’s Simply Spiffy

It is. But that covers only one Factor or Type of Authentication – what you know. It is highly advisable to layer in more forms of security authentication. Combining what you know with what you have drastically increases your level of security. It’s no secret that my Steam account username and password were recently hacked. The good news is I had MFA set up, and to log in you also had to provide the randomly generated pin number that Steam texted to my phone. That, my friends, is MFA. Consider adding more layers of authentication to your online accounts – Facebook, Gmail, Twitter and Steam all support MFA. In fact, many online accounts do. My friend (who I don’t know in real life but I’m sure I’d get along with fantastically) over at Lifehacker published this article, which delves a little deeper into enabling MFA for online accounts.

Don’t Be Sad – Two Out of Three Ain’t Bad!

Yeah I know – now you have that song in your head. If you’re paying attention, we’ve talked about using two out of the three main factors (or types) of authentication. That is, what we know, and what we have. We’ve left off what you are – biometrics. I’ll be honest with you, at this point. I am not aware of any consumer-level sites or services that offer biometric authentication. Because of the high cost, this factor is typically reserved for higher security areas within companies and government agencies. I’ve used three factors, simultaneously, to access some computer data centers in my line of work. Big Brother is indeed watching, and protecting his stuff.

So anyway, I hope you will head out to your favorite online sites and sign up for their MFA services as soon as possible. Remember – even the most trivial things like Facebook can be a gold mine to a hacker. Lock your stuff down. Do it now!