I don’t know which is worse… Chinese Hackers or Indian Headhunters


Ok, 

Maybe I’ve overstated it a bit. Clearly the Chinese hacker is worse.

I just got an email from a headhunter, and this time I’m going to shame them. That’s what we do nowadays, isn’t it?

There are a number of issues with this email.

First, this guy has contacted me before about other opportunities at the same company. I’ve politely responded to each and every one of these supposed opportunities and received NOTHING.

Not one single acknowledgement of any of my emails instructing him to submit my resume or any of my subsequent follow-ups on the status of the position.

Second, is this:

Please let me know should you be interested and revert back with your updated resume along with the best time to reach you asap. In case you are not interested, we request you to refer a friend or a colleague who might also be interested in this position. We have an attractive referral policy.

IIC New York

Revert back?

Wasn’t India a British colony? Don’t they still have a British-based school system?

Third, Rajesh has a copy of my resume and he refers to the fact that he’s reviewed my resume prior to sending me the information on this position with Toyota.

Shouldn’t his sentence have been more like “Please let me know should you be interested and reply with an updated resume if applicable.”

Fourth, since ol’ Rajesh won’t respond to my emails, if I were to refer someone else to his company I’d NEVER be able to collect on that attractive referral, now would I?

Thanks to Google Maps Street View, I can confirm that there really is a building at the address listed, although I wouldn’t have been surprised in the least if there had been an empty field.

I had no sooner written a response to Rajesh and pressed send than another email came in.

This second email is the height of bad form. But what makes me really suspicious of its origin is the header information.

I’m going to investigate this company a little more so I’m not going to totally shame them.

The header is suspicious because the person sending the email is also the person to whom the email is addressed. It’s not until I dig into the header that I find my email address.

It almost looks like someone is spoofing the email except there are no links pointing anywhere other than to the company referenced in the footer. So maybe the email is legit.
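The header check described above, as an added example that is not part of the original post: it parses a constructed message in which From and To are the same mailbox and the real recipient appears only in a Delivered-To header, then reports the signals the post weighs (sender equals recipient, recipient buried in the header, and whether every link points back at the sender’s own domain). The recruiter address, domain and link are made-up placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email): From and To are the same
# mailbox and the actual recipient shows up only in Delivered-To, as when a
# sender mails themself and BCCs the candidate list. Addresses, domain and
# link are placeholders.
SAMPLE_EMAIL = """\
Delivered-To: me@example.net
Received: from mail.recruiter-example.com (mail.recruiter-example.com [192.0.2.10]) by mx.example.net with ESMTP; Wed, 17 Jun 2015 19:48:41 -0400
From: Recruiter <jobs@recruiter-example.com>
To: Recruiter <jobs@recruiter-example.com>
Subject: Immediate opening
Content-Type: text/plain; charset=us-ascii

Hello,

I have an immediate opening for Facets Tester - East Coast claims Exp.

With Regards
Recruiter Example Inc. http://www.recruiter-example.com/careers
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def same_org(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (www.x.com vs x.com)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def header_signals(raw: str, my_address: str) -> dict:
    """Collect the three things the post looks at in a suspect recruiter mail:
    sender == visible recipient, my address only buried in the header, and
    whether every link in the body stays on the sender's domain."""
    msg = message_from_string(raw)
    me = my_address.lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.partition("@")[2]
    visible = {addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    buried = {addr.lower() for _, addr in
              getaddresses(msg.get_all("Delivered-To", []))}
    # Plain-text single-part body assumed (true for the constructed sample).
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = URL_RE.findall(body)
    off_domain = [u for u in links
                  if not same_org(urlparse(u).hostname or "", sender_domain)]
    return {
        "sender": sender,
        "sender_is_recipient": sender in visible,
        "recipient_buried": me not in visible and me in buried,
        "links": links,
        "off_domain_links": off_domain,
    }


def assess(raw: str, my_address: str) -> str:
    """Turn the signals into the post's verdict: spoof-like headers, but if the
    links all stay on the sender's own domain it may still be legitimate."""
    s = header_signals(raw, my_address)
    if s["sender_is_recipient"] and s["recipient_buried"]:
        if s["off_domain_links"]:
            return "suspicious: self-addressed, recipient hidden, links leave sender domain"
        return "odd but plausible: self-addressed, recipient hidden, links stay on sender domain"
    return "normal headers"


if __name__ == "__main__":
    print(assess(SAMPLE_EMAIL, "me@example.net"))
```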

The text of the email is:

Hello,

I have an immediate opening for Facets Tester –East Coast claims Exp.

With Regards

While I admire brevity, my only response to this email has to be “That’s nice, now what?”

“Facets” is an ambiguous term. It could refer to the GEE WHIZ new term (designed to make something “Sound” special) for testing filters in web searches. 


Think “Womens Bonnets” — 25,000 items

add “Blue” — 5000 items

add “With Flowers + Floral” — 25 items

These are “Facets” of an item or search. In other words, it’s just a SQL query.

SELECT * FROM Clothing
WHERE Gender LIKE 'Womens'
  AND ClothingType LIKE 'Bonnets'                               -- 25,000 items
  AND Color LIKE 'Blue'                                         -- 5,000 items
  AND (Decoration LIKE 'Flowers' OR Decoration LIKE 'Floral');  -- 25 items
-- The parentheses around the OR matter: without them the last clause would
-- match every 'Floral' item regardless of gender, type, or color.

Apologies to the real SQL folks out there, I know some of you could do it all in one single statement. My SQL is a bit rusty.

I’m not sure why we keep renaming shit. It just annoys the crap out of everyone. If it’s NOT NEW then leave the name alone!


The other, and more likely, meaning of “Facets” in this email is a healthcare billing / insurance system called Facets. I’m basing that on the term “Claims Exp.” in the email.

But does this email mean that they want East Coast claims experience or that the position is located somewhere on the East Coast? Again, I’m left to wonder.

I swear I’ve thought more and more lately about just starting a headhunting agency. The tag line would be something like “We do everything OLD school!”

For some of the hiring managers I know, “Old School” would be a breath of fresh air.

My goodness, I’m turning away from social media in one posting, and now I’m espousing the virtues of Old School job recruitment in another. 

Next, I’ll be writing a book on a typewriter!

Ok who put the Luddite pills in my cream of wheat?

All Hail the Death of Social Media (Thank God)


Ok, perhaps I’m high, or simply well ahead of my time. I’ve had an on again, off again relationship with Social media.

Let’s look at this shall we?

Anyone remember Myspace? I actually had to go look it up, I couldn’t remember the name to save my life, and I had an account at one time. 

I had (Past Tense) a Facebook account. Haven’t missed it since I shut it down.

I’m on Twitter but the vitriol on Twitter is getting to the point that it’s not fun anymore.

LinkedIn is interesting, but even that site is becoming questionable. Really? Dick shots on my timeline? Uhh, suppose I’m looking for a job?

Thanks, DUMBASS, I really appreciate your posting potentially offensive material on a professionally oriented website. Oh, and by the way, I appreciate the morons that favorited said dick shot. You’ve propagated it across all your friends’ timelines too, well fucking done! To the owner of the dick… Umm, there are some things no one needs to see and your personal dick is, umm, one of those things. #uglydick #caring


I’ve never had Instagram, Vimeo, or any of the rest of the social media things.

I’ll personally be happy to see all these things relegated to the dustbin of computer history.  

You know, like the 36 PIN Centronics parallel printer cable?

These “social” sites and applications aren’t bringing us closer together; they’re excuses to sit on our couches being hateful to each other.


Internet trolls multiply like antibiotic-resistant Staphylococcus. I’m still unclear what the whole troll raison d’être is.

I mean what’s the point of being inflammatory if you don’t even believe the shit you’re spewing? If it’s just about attention, then why do these “Trolls” immediately block someone that has an alternative opinion and the facts to back up what they say? 


Even negative attention is attention. 

Why do the trolls even bother to seek out groups of people that they know will disagree with them, when they could just as easily hang out with a bunch of people that think exactly like they do? Wouldn’t they want to get positive reinforcement no matter how wacky their opinion is?

I’ve been thinking about it because I was noticing that I was using Twitter less and less.

When I do log in, my timeline is full of trolls duking it out with people who know their shit and yet… the battles go on and on. I can’t take more than about 10 minutes of it now.

I’m going to purge my timeline, my tweets, and thin out the folks I’m following. Maybe that will make the timeline less vicious and more interesting.

Perhaps I’ll ride Twitter into inevitable oblivion, maybe not, I’m still undecided.


I have no clue what the future of social media holds, but I think it’s on its way out.

More and more people are going to completely ephemeral communications, like instant messages that self-destruct after they’re read.

It sounds like Mission: Impossible, but I can see the point. There are still HR departments and bosses that want to know if you’ve got a social media account so they can monitor it.

I welcome the time when Facebook, Twitter, and all the other social media sites are considered “quaint” and outdated.

I wonder if I should be concerned about what will replace these quaint communication forms… 

God I hope it’s not going to be some tacky ass antenna sticking out of my skull! 


I stumbled across an article titled Why Bloggers Are Calling it Quits a day or two after I wrote this blog piece.

There’s a quote from Andrew Sullivan that sums it up very well:

I am saturated in digital life and I want to return to the actual world again. I’m a human being before I am a writer; and a writer before I am a blogger … I yearn for other, older forms. I want to read again, slowly, carefully. I want to absorb a difficult book and walk around in my own thoughts with it for a while. I want to have an idea and let it slowly take shape, rather than be instantly blogged. I want to write long essays that can answer more deeply and subtly the many questions that the Dish years have presented to me. I want to write a book.

The entire piece is worth a read.

Thrilling! Thank you OPM!

I kept hearing about the data breach at the OPM. I thought to myself, “no big deal,” because I’ve never been a government employee. But then one of the articles I read spoke about a particular form. The form number seemed familiar.

Out of curiosity I checked my encrypted drive.

AHHHH SHIT!!!!

Yep, that’s a form I filled out while I was working for a government contractor.

DAMN! Checking some of the other forms and sure enough! There’s a TON of information that I provided to my employer. I’m sure that that information got sent at some point to the OPM, and is now in the hands of the Chinese.

I’m sitting here looking at my encrypted volume that contains this information thinking a couple of things.

First, I’m wondering why I take the security of this information so seriously? Why is it that I’ve spent the money to secure my data and theirs (some of the information contained in the forms I filled out for them also contains information that relates directly to THEIR projects) and am mindful of what data I have “live” on my system and what data I keep in cold storage? Cold storage in my life is something (like a drive) that is archival, MUST be turned on or attached directly to my computer, and is encrypted.

Second, if I can secure my data with COTS (Commercial Off The Shelf) software, why can’t our government?

Third, why is United States Government data vulnerable in the first place? We KNOW the safest computers are computers which are not connected to a network. Granted, that’s impractical because the government must share data.


BUT it is possible to isolate critical subsystems. One way to do that: don’t allow employees to transport any data offsite. No USB memory sticks or other media, and laptops are available only to those employees who absolutely need mobility. Employees using those laptops have VPN access to the corporate systems, and for the most part those laptops, when connected to the corporate VPN, are terminals in the old-school meaning of terminals, i.e., dumb as a rock.

The point I’m making here is that the need for computer & network security isn’t new.  So why the hell hasn’t our government kept up with the needs for security?

Having seen the way government contracts work, I have a guess.


Imagine a situation where a bunch of cooks get in the soup and specify all manner of equipment down to the smallest detail. Once finished,  the specification goes from committee to committee and after a year or two the spec is approved, money is appropriated and the funds become available.

Our happy IT guys call a government-approved vendor of equipment and are told that the equipment isn’t available anymore. Or, worse yet, the equipment or software can still be purchased, but now it’s a custom build that will be 50% more expensive than the original product and, by the way, has significantly fewer capabilities than current off-the-shelf products that cost significantly less than the originally specified equipment or software sold for.


So in the one case the specification process starts over again. In the other case the “approved equipment” is less capable,  yet more expensive, than the machine a hacker in China purchased on the internet yesterday.

Rather than the committees addressing the fundamental problem in terms of appropriations and approvals they’re content to keep failing. Meanwhile the security of government systems continues to fall further and further behind.

This isn’t a partisan issue, regardless of what the administration might say. This is an epic systemic failure on the part of an entity that has access to all of our private data, A.K.A. The United States Government.


How do you solve this problem?

The simplest way is to allow the IT people, the REAL IT people, not the morons that built the healthcare.gov site, to say “we need a router,” and after figuring out which is the best unit for the money… they BUY IT!

That should go for a single router or a RACK of routers.

Does Dianne Freakin Feinstein have a clue about the difference between a CISCO and a Barracuda? NO!

So why are people like Feinstein reviewing and voting on these appropriations bills or worse yet wasting time and money having hearings about shit they’ll never understand, when they should be letting the professionals do the job? You can tell pretty darn fast if an IT dept. is pissing money away and a quarterly budget review (again by IT pros who know what’s needed and what it costs) would keep the expenditures in check and at the same time maintain security.

I’ve got another dose of BAD news for you dear reader…


The longer our leaders put off fixing the government IT infrastructure, the more expensive it’s going to be.

Think about putting off having your brakes fixed on your car.

Brake pads cost $45 a wheel, brake ROTORS cost $1000 a wheel. Most of us average folks learn the hard lesson: it’s always better to spend the $180 rather than spending the $1180. We all learn it once!

We never make that mistake again unless we’re wealthy, elitist, over-educated dumbasses.

Unfortunately, most of our politicians are the latter kind of people not the former.


Update 2015 06 19

As more comes out about this breach, I think it’s clear that the government IT people are not up to the challenge.

Here is a link to an Ars Technica article titled Encryption “would not have helped” at OPM, says DHS official.

Below is the article minus the video.


Encryption “would not have helped” at OPM, says DHS official

Office of Personnel Management Director Katherine Archuleta would be happy to discuss the particulars of the OPM brief with Congress—in a classified briefing. (Image: CSPAN)

During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency’s computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.

But even if the systems had been encrypted, it likely wouldn’t have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, “You failed utterly and totally.” He referred to OPM’s own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.

Chaffetz pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”

When Chaffetz asked Archuleta directly about the number of people who had been affected by the breach of OPM’s systems and whether it included contractor information as well as that of federal employees, Archuleta replied repeatedly, “I would be glad to discuss that in a classified setting.” That was Archuleta’s response to nearly all of the committee members’ questions over the course of the hearing this morning.

At least we found it

Archuleta told the committee that the breach was found only because she had been pushing forward with an aggressive plan to update OPM’s security, centralizing the oversight of IT security under the chief information officer and implementing “numerous tools and capabilities.” She claimed that it was during the process of updating tools that the breach was discovered. “But for the fact that OPM implemented new, more stringent security tools in its environment, we would have never known that malicious activity had previously existed on the network and would not have been able to share that information for the protection of the rest of the federal government,” she read from her prepared statement.

Dr. Ozment reiterated that when the malware activity behind the breach was discovered, “we loaded that information into Einstein (DHS’ government-wide intrusion detection system) immediately. We also put it into Einstein 3 (the intrusion prevention system currently being rolled out) so that agencies protected by it would be protected from it going forward.”

But nearly every question of substance about the breach—which systems were affected, how many individuals’ data was exposed, what type of data was accessed, and the potential security implications of that data—was deferred by Archuleta on the grounds that the information was classified. What wasn’t classified was OPM’s horrible track record on security, which dates back at least to the George W. Bush administration—if not further.

A history of neglect

During his opening statement, Chaffetz read verbatim from a 2009 OPM inspector general report that noted, “The continuing weakness in OPM information security program results directly from inadequate governance. Most if not all of the [information security] exceptions we noted this year result from a lack of leadership, policy, and guidance.” Similar statements were read from 2010 and 2012 reports, each more dire than the last. The OPM Office of the Inspector General only began upgrading its assessment of the agency’s security posture in its fiscal year 2014 report—filed just before news of a breach at a second OPM background investigation contractor surfaced.

Rep. Will Hurd (R-Texas), a freshman member of Congress, told the OPM executives and the other witnesses—DHS’ Ozment, Interior Department CIO Sylvia Burns, the new US CIO Tony Scott, and OPM Assistant Inspector General Michael Esser— that “the execution on security has been horrific. Good intentions are not good enough.” He asked Seymour pointedly about the legacy systems that had not been adequately protected or upgraded. Seymour replied that some of them were over 20 years old and written in COBOL, and they could not easily be upgraded or replaced. These systems would be difficult to update to include encryption or multi-factor authentication because of their aging code base, and they would require a full rewrite.

OPM CIO Donna Seymour said that systems couldn’t simply have encryption added because some of them were over 20 years old and written in COBOL.

Personnel systems have often been treated with less sensitivity about security by government agencies. Even health systems have had issues, such as the Department of Veterans’ Affairs national telehealth program, which was breached in December of 2014. And there have been two previous breaches of OPM background investigation data through contractors—first the now-defunct USIS in August of last year, and then KeyPoint Government Solutions less than four months later. Those breaches included data about both government employees and contractors working for the government.

But some of the security issues at OPM fall on Congress’ shoulders—the breaches of contractors in particular. Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM’s investigation process told Ars, was essentially a company made up of “some OPM people who quit the agency and started up USIS on a shoestring.” When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint—“a bunch of people on an even thinner shoestring. Now if you get investigated, it’s by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account.”

Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?’”

Given the scope and duration of the data breaches, it may be impossible for the US government to get a handle on the exact extent of the damage done just by the latest attack on OPM’s systems. If anything is clear, it is that the aging infrastructure of many civilian agencies in Washington magnifies the problems the government faces in securing its networks, and OPM’s data breach may just be the biggest one that the government knows about to date.


<END>

What does the NSA think of my web searches?


In writing this blog I find that I do some of the darnedest searches.

I look for racist materials, I’ve looked up the KKK repeatedly. I’ve searched for Al Qaida, ISIS, nuclear materials, and bomb making.

Hey I’m curious about stuff.

When I was a kid, there were actual books that had diagrams describing the basics of Little Boy and Fat Man. I had Golden Chemistry books that described how to change household chemicals into basic chemicals for experimentation.

I once had a copy of The Anarchist Cookbook.


I dare you to find ANY of that material today with a web search. I should warn you that if you do find this information, you’re probably going to end up on a terrorist watch list.

I was thinking about this in a Starbucks yesterday while I had a big police officer behind me doing paperwork. I know he could see my computer screen and I guess that’s why I was thinking about “The MAN” watching me.


Then I thought about all the deviant stuff I’d looked up, photos for this blog for example. You know that the internet is like a library… YOU CAN’T EVER just go in to look at only one book!

I mean looking for pictures of female sea lions leads you to “Whales blowing” which leads you to pictures of really fat chicks giving head to really skinny guys. You can all thank me for NOT posting that picture… Bitcoin payments accepted!

Anyway there is a part of me that loves the thought of some NSA analyst jumping up from my data feed screaming “MY EYES, MY EYES!”

I wonder what exactly they have put in my records!


I’ve turned all the safeties off on my browsers. As my dear mother found out when she casually typed “Best FF in Florida”

She meant french fries… what she got caused her to completely forget about french fries and possibly scarred her for life.

So the next time you go searching for something offbeat, just remember you’re leaving breadcrumbs, and your web history isn’t stored only on your computer.

Happy Searching.

OH! For God’s SAKE! Water Pistols?


The Boy Scouts of America has banned water pistols. It’s been on their books for a while but resurfaces each summer because the BSA reminds folks of the rules in preparation for the season’s activities.

BUT REALLY? I’m caught by the memories of my family and my friends and their families playing with squirt guns.

Across America during the summer folks are playing with super soakers, and hose nozzles and generally having a good time POINTING things at each other.

The Boy Scouts have also banned Nerf guns, Lazer Tag, paintball, Airsoft, etc., too. (You can shoot at a non-living, non-human-form target.) I guess that I can, kind of, see banning projectiles.

Lazer Tag is a bit of a stretch. (Stealth, and learning when to dive for cover may be far more relevant to us all in the near future.)


Lazer Tag is about moving, maintaining cover, and shooting accurately… Ok, maybe that is a bit warlike.

Water pistols???? I can’t help but remember summer outings with scouts where the scoutmaster tried to get us with a bucket of water and we buzzed around him like angry hornets fast and with accuracy that had HIM drenched while we were mostly dry.

No-one gets into a water pistol fight when it’s 100° F thinking tactics or anything other than “Got YA!” with a lot of running around and laughter. 

Water pistols are about the most benign, inexpensive fun you can have as a child. Who doesn’t have fond memories of loading up a water pistol with icy water from the ice chest at a family outing?


I pity anyone who doesn’t remember catching an adult male in the crossfire and thinking, “We’re done for…” only to have that adult whip out a bigger badder squirt gun and chase all the kids, joining in the mayhem. Eventually everyone comes back soaked, laughing, and having made a memory that will put a smile on their face for the rest of their lives.

Some boys in my generation wouldn’t have had the opportunity to build those memories without Scouts. Those boys would never have had a chance to see adult males playing. Moreover, those boys, as they became young men wouldn’t have learned that restraint and letting the little kids “win” is also part of being a man. 

All boys need that kind of experience. It doesn’t matter that they might not get it from their fathers, what matters is that they get it from somewhere.  Scouting should be about those lessons, not legitimizing silly policies in the name of political correctness.

I fondly remember many lessons being taught to me on long warm summer days in the South. 

It seems like we’re stripping away what it is to be children. 

Even worse, it seems like we’re forgetting the simple beauty and joy of Adult Males showing children that it’s ok to play, be silly, and even “lose” a game.

I can tell you as an uncle, it’s really tough to “lose” a game without the children catching on.

You want to build their confidence with the “win”,  but make them work hard for their success. You never want them to feel that you threw the game.

That was a lesson I learned one particular summer in Tennessee just outside of Cookeville. I was watching my father play a game with my little brother. They were whooping and hollering in a pasture, playing some hybrid game of tag.


I was sitting on a rock smiling as they tussled. I couldn’t join in because I had a big ass bandage on my foot.

Lightning bugs were blinking in the tall grass when Dad came out of the pasture carrying my nearly exhausted brother. Dad had been “caught” 10 times and that was the end of the game. 

As Dad came toward me he stopped. “Son, put your arm around my neck,” he said, helping me get on my feet. “Just keep your weight off your foot as best you can, lean on me, yeah that’s the ticket.” Dad carried his 5-year-old and acted like a crutch for his 15-year-old, bringing us both in to dinner.