Friday, 22 June 2012

Poverty

Many love to state how fixing poverty is a simple matter of reallocation. It is not. It is better to make a richer world than to redistribute, the socialist ideal, and make us all equally poor.

Teach a (wo)man to fish

The future is one of low cost technology. Computational power increases 10,000 times each decade. This means that in 20 years we will have systems more than 100 million times more powerful than we have now (and hence able to run Windows Vista without crashing).

This also applies to cost.

The systems we have now will decrease in cost. There are already plans to create tablets (or augmented systems) that will translate into any of 3,000 languages, act on voice commands (to aid those who are illiterate) and work visually. In coming years, such a system will be cost effective enough to distribute to all people on the globe. This is not a far off SciFi issue, but one that will become reality within 10-20 years.

This is a platform for education as well. What we need to do is to start developing courses and means to educate LARGE numbers of people at once. Udemy is one of these. In a few days I will be starting a number of free courses on this platform myself. These will cover Math (statistics) and Computer Science topics at first and go towards economics and law later.

Food

Many will argue that these people are starving, but the truth of the matter is to ask WHY these people are starving. They cannot earn a living. They have repressive governments. That is why we have poor. What is needed is not just knowledge so that people understand the issues with their own political situation, but a means to earn from any location globally. This is not too far from us.

As for food, the earth has the ability to produce enough food to feed a population 10 times the size we have now (and more potentially). Food itself is not the issue. Access to food is.

If people are free and they have a means to earn, then they have food. This is the answer to poverty. Easy said, but never easy to achieve.

  • The problem: too many people oppose it.
  • Too many people want this to fail.
  • Too many people who argue for good create poverty through their words and actions.

Education will be opened not through redistribution, but capitalism.

“Twit” of the day

I see MATH is no longer a required skill in spewing out “facts” about the economics of the world. I was RT’d a tweet today as follows:
@InjusticeFacts: If the richest 10 ppl renounced their wealth, 1 billion hungry ppl can be fed 4 250 yrs with the $$.
First, let us take this at face value: the Math sucks. It blows badly for a start. We have a total of $650 billion in wealth from the top 10 people in the wealth scales, and that is actually being generous; if they had to liquidate shares, try halving that figure. For argument's sake, let's use the higher figure.
Now, we have $650 billion in wealth and 1 billion people. That is a simple calculation of $650 per person. Not too difficult even for a socialist.
So let us look at $650 for 250 years.
That comes to $2.60 US a YEAR folks. Or better, under a cent a day. Can you live for even a cent a day? Not I. I really want to know where these people shop!!!
The real fact of the matter is a little different. What we need to look at is how much wealth was CREATED by these people.
In a capitalist society, wealth is created. This is different to a socialist or mercantilist economy where all wealth is a zero sum game and what one gains is taken from another. What we have here is newly created wealth.
If Bill Gates did not exist, that wealth would also NOT exist. More, the others who have also benefited as a consequence of the wealth created would not have made more.
That stated, let us look at how much the top 10 individuals CREATED. That is made from nothing, not took from others.
Well, if we take the value these people started with, together with the investment placed at their disposal, and subtract this from the total value they have added to the world, we have a figure of over US$2.7 trillion.
So, yes, they are rich, but the net on this is that they have made the world richer. The introduction of new technology has increased efficiency and made fewer poor.

But hey, what does actually looking at some of the figures behind the BS that is spewed forth require… A little math. I guess they prefer the lies to learning how to calculate a few simple sums.

Maybe it is time to give these people a calculator… Maybe Excel? Then again, what the hell are they using to tweet in the first place, huh?

Thursday, 21 June 2012

Penetration Testing or Ethical Attacks Vs Protection Testing

Penetration testing is reactive. This can be problematic in that it does not uncover all vulnerable systems and does not mitigate risk in the manner that is expected.

There are alternatives.

  • Penetration testing is an effort to penetrate a system in order to demonstrate that protection has weaknesses.
  • Protection testing is a way to confirm or refute, through empirical evidence that controls are functioning, as they should be.

The difference is quite stark when you consider it. For instance, it is feasible that penetration testing will succeed at detecting a vulnerability even though controls are functioning as they should be. Likewise, it is extremely common for penetration testing to fail to detect a vulnerability whilst controls are not operating at all as they should be.

The objective of a controls assessment should be to gain an understanding and knowledge of all entry points to the network. This is then measured against known vulnerabilities for each connection type (e.g. radio scanners or line tapping) and any system specific weaknesses. A vulnerability matrix can be developed from this information relating the chance of attack, the severity of the attack and the expected uptime or availability given the system, platform and susceptibility to attack (including denial of service). A detailed report on all connections can be developed from this information and maintained for future reference.

See :

http://all.net/Analyst/netsec/1997-08.html

Wednesday, 20 June 2012

Climate lies

Today I had the misfortune of hearing a stinking pile of rhetoric from Greg Combet, Australia’s climate change and energy minister.

In this speech, he stated with a straight face that “climate change is a decided matter” and that “there is no debate”.

Greg Combet, in this non sequitur is correct, but about the wrong thing completely!

It is true, there has NEVER been any serious debate as to whether climate change exists. The climate changes daily. The climate 11,000 years ago was drastically different to that we live in now. The climate has experienced radical changes and shifts even in the last 1,000 years. In that time we have experienced temperatures far in excess of what we have now and a mini-ice age.

This line of rhetorical political hog wash is what makes debate such a farce.

This line of argument is a non sequitur for the reason that the debate is not, as I alluded to, whether climate change is real; no serious scientist has ever denied this point. The debate is over the effects of anthropogenic forces.

This is the logical straw man that is easy to knock down. The reality is that it is easier to confuse the masses with emotive hype than to actually address the real issues. The issue is not one of climate change. It is nothing so simple. There are multiples questions, none of which have been decided.

We have no valid models as to what is making a change to the climate or even whether this is part of some ongoing natural cycle. This is why the climate police cannot and will not state any testable hypothesis. Climate will change and WE can do nothing to stop it. That is all that is stated. Technology will fail and we will all die in a disaster as Gaia reacts to expel us. What hogwash. If you want a religion, choose a real one.

If you want to argue anthropogenic global warming resulting from carbon emissions (and not those from other probable sources, including alternative human induced ones), then you NEED to allow for tests, timeframes and costs. This is not what is being done, and the “low” cost of a carbon tax is actually likely to cost more than all the worst disasters multiplied. But why look to the economics of the scenario when it is simpler to argue from the emotive mass hysteria that is promoted.

First, will a carbon tax actually do ANYTHING? Well there is no evidence for this and no plan to test. It is unscientific, but it does make a great political tool. It creates more revenue for government and a means to extract another tax from us with the BS they feed.

Yet, this tax is touted as the ONLY way to actually make a difference. Even if (and this point is still unproven) a reduction in carbon were to make a difference, would this tax lead to a difference in levels? Even this is debatable.

The argument by innuendo was played in this speech to assume the worst if we do not have this tax. That it will save the globe, whether or not any other nation follows suit.

Then, in repetition and Proof by verbosity, we see the audience drowned in the same calls that the debate is settled and those opposing it are enemies to the earth.

Those climate heretics who have the audacity to actually want to assume that a tax will not solve an issue that cannot even be modeled as yet should be burnt at the stake as the religious non-conformists that they are. For this is NOT science, it is theology with the great God Gaia punishing us for leaving nature and issuing her disapproval at our evil technology.

Statistics and R for beginners

More details will follow. This is an announcement that a Udemy course will be starting on the 1st July 2012.

The software used will be R, http://cran.r-project.org/

Course to start 1st July 2012. Undergraduate level. Hands on and FREE :)
What is Statistics?
Statistics involves:

  • collecting data about real life processes
  • presenting and describing the data
  • formulating models which allow for chance variation
  • using models to make predictions
  • using data to check the validity of fitted models.

This course will concentrate mainly on formulating and analyzing statistical models.

We will cover the fundamentals, the basics of math (from the ground up for those with no experience to those with 1st year college completed as a start). We will cover simple R programming, graphics and importing data.

Following this, I will integrate a course in R for unstructured data (text mining/ data mining ) and importing data from logs and networks into R for analysis.

The course will be 14 weeks long with a total of 28 lectures, tutorials and assignments.

Look for further information and a link to sign up this weekend.

System Break-Ins–Gaining access

There are generally two possible goals for an attacker.

  1. To break into a system
  2. To deny services to a system
  • or a combination of both

The attacker breaks into a system to control it. In the “hacker” community this is known as “owning a system” or p0wn’ing it.

Vandalism

Electronic vandalism is similar to graffiti. The idea is to “tag” a page, replacing it with one of the attacker's design. This is often used by “Hacktivists” to transmit their message.

Attack Chaining

Often when a site has been compromised, attackers will continue to use the system in order to attack other systems without leaving logs of their location. This is known as attack chaining. It may be difficult to find the original source of the attack as the intervening systems have likely had their logs destroyed by the attacker.

Extending access

Follow-up and continuing attacks

After a successful attack, it is common for an attacker to load a Trojan in order to either:

  1. Gain access to the system again (bypassing security controls), or
  2. Use the exploited system as an attack platform:
     a. for DDoS attacks against other sites,
     b. to cover their tracks (i.e. logging),
     c. to attack other systems within the organization.

Any system that has been compromised should not be trusted again unless it has been rebuilt in a secure manner.

Monday, 18 June 2012

Methods of attack

Any attack will have a number of stages and it is important that an administrator both knows and understands these stages in order to be able to:

  1. mitigate attacks before they cause damage,
  2. log an evidence trail for possible prosecution use
  3. defend against possible attacks against the organization.
It should be possible to stop all attacks from unskilled attackers and to make it infeasible for skilled attackers to spend time on your systems.

An understanding of how an attacker thinks is essential to this process.

The attack process follows a standard pattern.

Phase 1 - Recon or Information Collection
This stage consists of several parts.
Phase 2 - extending access
In this phase we see:


To be continued soon…

Scanning

Once an organization has been researched and all possible information gathered (through research and social engineering), the attacker may scan the systems and addresses collected for more information (if a vulnerability was not already discovered, e.g. from version information).

Social Engineering

Social Engineering is the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of inappropriate trust relationships with insiders. Attackers use this approach to attempt to gain confidential information, such as organizational charts, phone numbers, operational procedures, or passwords; a tester uses the same approach to evaluate the organization's vulnerability to social engineering attacks.

Social engineering can be defined also as "misrepresentation of oneself in a verbal manner to another person in order to obtain knowledge that is otherwise unattainable."

In the past we called this a “con”.

Attack Phase 1–Recon or Information Collection

As noted in the post, Methods of attack, attackers go through a series of stages. The first of these is reconnaissance.

Initially a skilled attacker will look for information about your organization.

This often differs from the process used by unskilled attackers (such as “script kiddies”) who will scan blocks of addresses for a particular vulnerability that they have a tool for (e.g. scanning blocks of IP addresses for a particular IIS web attack).

It is extremely rare for this type of attacker to have access to tools prior to a vendor releasing a patch and as such they are generally mitigated using a good patch regime.

Attack Phase 1–Recon or Information Collection

As noted in the post, Methods of attack, attackers go through a series of stages. The first of these is reconnaissance. In this, a series of unobserved steps will allow the attacker to gain information without your knowledge.

Unobtrusive Public Research

Skilled attackers and others with some cause will research an organization before attacking it. Before any attack starts it is generally easy to gain a large amount of information about a site. Some of the methods used are:

1) Checking whois information about a site. Whois information can provide names and phone numbers (both technical and management), domain names and IP addressing and sometimes ISP information as well,

2) Searches of NNTP (Newsgroups) may turn up technical information (such as systems used and possible problems),

3) Web based search engines may provide a wealth of information from the organization itself or from other sources (such as newspaper articles and references from vendors),

4) Web based search engines may also be used to search for mis-configured systems and network devices that run web servers for management purposes. A commonly missed example is a search for printer management pages (many HP, Fujitsu and other printers support telnet, thus allowing access inside a network, and let the password be set using a web page on the printer). It is a common error to miss this type of vulnerability as it is often not widely known.

5) Checking version information on public services. Opening a web page or SMTP mail session in a telnet client will often give the version on the server (unless the administrator has obscured it).

6) DNS searches using nslookup and DIG. These tools can be used to find the IP addressing of an organisation, its public servers and sometimes even version information.

7) Viewing error pages will often give system information. For this reason it is recommended that error pages be customised.

There are numerous other sources of information that an attacker would search. For this reason “Security through Obscurity” is not a defense. No organization is obscure.
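Steps 5 and 7 above are worth seeing side by side: what a verbose service hands to anyone who connects, and what the same service hands out once the administrator has obscured its banners and error pages. The code below is an added example written for this page, not a tool from the original post; the HTTP responses and SMTP greetings are constructed samples, not captured traffic, and the `Server`, `X-Powered-By`, `Via` and `X-AspNet-Version` headers it inspects are simply the ones that commonly carry product names.

```python
"""Added example (not from the original post): extracting product and version
strings from what a public service volunteers on connection (recon steps 5 and 7),
beside the same service with its banners obscured.  Samples are constructed."""
import re
from typing import Dict

# "name/1.2.3" or "name 1.2.3" (optionally "v1.2.3").  A dotted version is required
# so dates, port numbers and the HTTP/1.1 status line are not picked up.
VERSION_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*?)[/ ]v?(\d+(?:\.\d+)+)")

# Constructed samples: what a telnet session to port 80 would show.
HTTP_VERBOSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Fri, 22 Jun 2012 01:02:03 GMT\r\n"
    b"Server: Apache/2.2.3 (CentOS) PHP/5.1.6 mod_ssl/2.2.3\r\n"
    b"X-Powered-By: PHP/5.1.6\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<h1>Not Found</h1><address>Apache/2.2.3 (CentOS) Server at www.example.com Port 80</address>"
)
HTTP_HARDENED = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache\r\n"            # product name only, no version or modules
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<h1>Not Found</h1><p>That page does not exist.</p>"   # customised error page
)
# Constructed samples: the 220 greeting an SMTP server sends before any command.
SMTP_VERBOSE = b"220 mail.example.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 22 Jun 2012 11:02:03 +1000\r\n"
SMTP_HARDENED = b"220 mail.example.com ESMTP\r\n"

INFORMATIVE_HEADERS = ("server", "x-powered-by", "via", "x-generator")


def http_fingerprint(response: bytes) -> Dict[str, str]:
    """Map product -> version found in the response headers and the error page body."""
    head, _, body = response.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:                       # lines[0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    found: Dict[str, str] = {}
    for name in INFORMATIVE_HEADERS:
        if name in headers:
            found.update(VERSION_RE.findall(headers[name]))
    if "x-aspnet-version" in headers:            # value is a bare version number
        found["ASP.NET"] = headers["x-aspnet-version"]
    # Step 7: default error pages repeat the server signature in the body.
    found.update(VERSION_RE.findall(body.decode("latin-1", "replace")))
    return found


def smtp_fingerprint(banner: bytes) -> Dict[str, str]:
    """Map product -> version from an SMTP 220 greeting; anything else yields nothing."""
    text = banner.decode("latin-1").strip()
    if not text.startswith("220"):
        return {}
    return dict(VERSION_RE.findall(text))


if __name__ == "__main__":
    for label, fp in (("HTTP verbose", http_fingerprint(HTTP_VERBOSE)),
                      ("HTTP hardened", http_fingerprint(HTTP_HARDENED)),
                      ("SMTP verbose", smtp_fingerprint(SMTP_VERBOSE)),
                      ("SMTP hardened", smtp_fingerprint(SMTP_HARDENED))):
        print(f"{label:14s} {fp or 'nothing leaked'}")
```

Against the verbose samples the attacker learns exact Apache, PHP, mod_ssl and Sendmail versions without sending a single hostile packet; against the hardened samples the same code learns nothing, which is the point of trimming banners and replacing default error pages even though obscurity is not a defence on its own.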

Cheap labor is not an endless commodity.

In a recent reply to a post of mine, an anonymous commenter has managed to take the “evils of trade” argument and stated that “Cheap labour is not an endless comidity”.

We will forget the spelling as I also make egregious errors here when talking passionately.

What we should look at are the facts of the reply. I will start at the end and work my way through in reverse.

First, we have the notion that “Cheap labor is not an endless commodity”. How far from the truth this is. It is the classical Malthusian argument. It is one of pessimism and not of optimism: we as humans cannot maintain growth and will fail as the population explodes, as would a population of rabbits. The difference and distinction, that we can control our destiny and nature cannot, is lost on those proposing this. Even Malthus himself abandoned this line of thought. A shame it still haunts us today.

So, let us address this supposition in full. We will investigate the touted claim that labor must inevitably rise in cost.

The death of manufacturing

FANUC Corporation has been running “lights out” manufacturing plants since 2001.

Nike has plans for some of these. In fact, the future is one of automation. With 3d printing technologies advancing at an increasing pace, it is not too long before we see the vast majority of manufacturing move to a design phase. Many objects we see now will become an online purchase within the next decade. In 20 years, there will be little that is not automated.

This means, if you have little to offer other than your brawn, then you are not even in the position of the fabled John Henry. In this story, John Henry managed to beat the machine (in principle), just, but died at the end from the exertion.

The trouble with this is that John gave more than his all and died. The machine continued. More, the next generation of machine would have been faster and thus John died for nothing as the next generation would have beaten him outright. The truth is that manufacturing is the same as the machine that John Henry opposed. It is one that will come to replace any role we have in physical labor.

When we can select an item (and there are even clothing items now being printed online) and have it as we wish, with a better quality than even the best bespoke, then there remains little place for human labor other than the intellect.

So, as the cost of systems decreases exponentially, the growth in population is lower than the growth in capacity. The Malthusian fallacy is not justified. We can create more and faster and cheaper.

So, the reality is that cheap labor is sustainable for at least as long as any of us can forecast and that goes well into the next century. More, it will become less and less expensive as technology also decreases in cost and rises in power. If you are in manufacturing, it is time to start re-skilling.

Providing more for the downtrodden

The argument, “A civilisation is measured by its ability to protect the vulnerable and sooner or later every developing nation comes to this same conclusion”, is always interesting.

Other than the fallacy that all nations come to this conclusion (which is not supported in fact), what we neglect is that it is the rise of technology that has created a world of far more than we could have imagined only a century ago.

We look to the past with rose colored glasses and do not see the reality of the poverty that we have removed. The world a century ago was one that was bathed in poverty to a scale we cannot imagine. That of the 1700’s, well that was a world that mired even the “middle-class” rich to a standard that the majority of the poor in Africa today would find abhorrent.

The past was not one of plenty. It was desperate, hard and dirty.

Does capitalism pollute more

Please, I really wish people would actually open their minds and stop thinking that rhetoric from a few with politically engendered motives is a scientific answer to anything.

The statement, “What happens when the excesses of technology and free trade have polluted the seas to such an extent that fish are no longer of nourishment?”

First, it is technology that has enabled us to pollute less. It is technology that has moved us from using whale oil as a source of lighting to LED lamps. Each jump in technology has become less polluting, not more.

The Romans deforested most of Europe. In smelting iron, they cleared vast stretches of that continent. Much of the forest returned later, but it was removed for an earlier technology.

We have more free and accessible oil reserves now than we did in the 1970’s and we produce far less pollution though we use more.

Maybe we should return to the Soviet ideal, help a few, harm many?

Ostrom showed that localized free decision making can actually have better results than a Hobbesian state based model. This is of course backed by the evidence with the failures in the many controlled economies (such as the variety of Russian attempts, China, and other socialist regimes).

Calculating…

Then there is the cry of despair from those without the understanding of what economics really measures, “Economic decisions should not just be computed using algorithms with money as the only factor.”

Taking what you see as a measure is inadequate; the world is large and one’s choices never suit another completely. A market allows us to choose. It is a form of freedom and, at the end of the day, the alternative is a selection (as we saw in socialism and still do now) of a set of choices that nobody wants.

The value of agriculture

“We should relearn to value the fundamentals- agriculture and manufacturing of essentials being among these and not just place monetary significance on the sea sharks.”

Again, manufacturing is a dying industry; we cling too fast to that which we wish to maintain in a world of change. The fact is, the world will change whether we like it or not. Economics means that we have more with each advance, not less; it means we spend less for the same thing, and those luxuries that a prince could not have imagined two centuries ago have become the staples of the poor today.

It is technology that allows us to correct the mistakes of a less advanced culture of the past. It was the drive for lamp oil, and not food, that drove the whales to near extinction; it will be technology that can save them as the few remaining whaling fleets are rightly tracked and hounded.

Economic value has a significance. It is when the scales are tilted through government intervention that troubles occur. When food is subsidized, we buy more of that which is provided at a lowered cost.

When something becomes scarce, the cost naturally increases. It is intervention, especially that of socialist government that distorts this process.

If we placed the real cost of marketing goods to the consumer and stopped allowing tariffs and subsidies, we would find more and better controls, not as this line of thought proposes less. 

To conclude

It is technology that has reduced disease, allowing us to embrace and love our children in a manner that could not have been imagined two centuries ago, when families had 18 children so that 3-4 would survive to have their own families; when disease would kill many before their 40th birthday; when a small cut could be an entry point for a bacterial infection that claimed many through blood poisoning.

It is technology that allows us to obtain more and better food stuffs from the same plot of land, to have it to market sooner, to have fresh produce year around.

It is technology that keeps the elderly alive longer than we could have imagined 50 years ago.

It is technology that allows us to determine what we are doing and to repair it, something our forebears would not have even considered.

What we need is for people to think more. This requires more education, more awareness and more thought. In time, there will be no manufacturing jobs, but this will also come with cheaper labor.  What will be of value is thought.

How about we start showing the value of thinking things through and start learning now. It is really all we can offer in a future world and all we will have of value.

Sunday, 17 June 2012

Attack Level Definitions

The following definitions can be used to classify network and host based attacks.

Critical

Any system compromise is a Critical attack.

Critical events include:

  • A system compromise is any attack that has gained unauthorized access (including altering of files on the respective system).
  • Bypassing a firewall filter or other security controls (including VLANs) when this is not permitted.
  • Any DoS (including DDoS) attack that significantly impairs performance.
  • Virus infections or Trojans that are not stopped and infect systems.

High Security Risk

A high risk is a threat or attack with the potential to affect or compromise a system. These are relevant or targeted attacks.

High level risks are those that concern relevant attacks against relevant systems and security controls. These are issues that need to be addressed as soon as possible to stop them becoming a critical issue.

Any high level attack has the potential to become a critical event on a system if left unattended.

Medium Security Risk

Skilled scans or attacks with the potential to affect the system if security controls (including patching) were not in place. These are targeted but filtered attacks.

A medium level attack is defined as one that is targeted towards the systems in place but is not likely to succeed due to other factors that are in place. An example of this would be an attack against a patched web server. The attack may be listed as high if the system was unpatched, but is now unlikely to cause any noticeable effect.

Low Security Risk

A low level attack is an attack with little or no likelihood of compromising a system. These are often general probes and tools often run by unsophisticated attackers.

An example of a low level attack would be an attacker running an IIS targeted attack tool against an Apache web server on Linux. The attack, being directed towards a Microsoft Web server running IIS, is not likely to cause any noticeable issues on a Linux based system with Apache. There are exceptions to this: for example, if that version of Apache was configured with FrontPage extensions, then this attack (if against IIS FrontPage extensions) could be relevant and may thus be classified as either High or Medium.

Suspicious Activity

Suspicious Activity covers all traffic and system behavior that is not explainable or does not conform to any reasonable expectation of an attack and is not capable of causing damage to the system.

Modifiers

The following events are modifiers and may affect the level of an attack as reported.

High volume of attacks

If a high volume of a particular attack occurs, the severity level may be increased. An example of this is:

(table image not reproduced: examples of attack volume changing the assigned level)

In the examples above, the volume affects the level assigned to the attack as a large number of packets consumes bandwidth and may affect performance. In the Web example, a large volume of attacks from a single source may signify a new or unpatched vulnerability that the attacker is trying to exploit and thus needs to be investigated.

Skilled and/or unexpected attacks

“ICMP Source Quench” is generally considered a Suspicious packet and not an attack. If these packets have been forged or it is suspected that a “trusted” host has been compromised to send these, the attack may be rated as either Low or even Medium.

An example of this would be if “ICMP redirect host” packets were being received from the ISP upstream router.

Definition matrix

The following table is a guide for determining levels of risk associated with an attack.

(table image not reproduced: definition matrix)

Using these definitions we can start to formulate a rule of thumb for risk and threat levels even before we start to analyze the risk being faced in detail.
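The definitions and modifiers above are mechanical enough to be applied to a detection feed before any analyst looks at it, which is the rule of thumb the last paragraph asks for. The code below is an added example written for this page, not part of the original post: it encodes the Critical, High, Medium, Low and Suspicious rules, the relevance test that turns the IIS-against-Apache case into Low but the FrontPage exception into High or Medium, and the volume and forged-source modifiers. The hundred-event threshold, the `Host` and `Event` fields and the sample events are assumptions for illustration.

```python
"""Added example (not from the original post): the attack level definitions and
modifiers above expressed as a small triage function, so a detection feed can be
given a first-cut rating before detailed risk analysis.  Thresholds, field names
and sample events are assumptions for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

LEVELS = ["Suspicious", "Low", "Medium", "High", "Critical"]   # ascending severity
VOLUME_THRESHOLD = 100   # assumption: events from one source before "high volume" applies


@dataclass(frozen=True)
class Host:
    name: str
    components: FrozenSet[str]    # what actually runs, e.g. {"Linux", "Apache", "FrontPage"}
    patched: bool = True


@dataclass(frozen=True)
class Event:
    signature: str
    targets: FrozenSet[str]        # software the attack tool is written against
    count: int = 1                 # occurrences seen from a single source
    compromised: bool = False      # unauthorized access or altered files observed
    impairs_service: bool = False  # DoS that measurably degrades performance
    suspicious_only: bool = False  # odd but harmless traffic, e.g. ICMP Source Quench
    forged_or_trusted_src: bool = False  # spoofed, or sent by a host that should be trusted


def classify(ev: Event, host: Host) -> str:
    """Apply the definitions: Critical first, then relevance to the host, then modifiers."""
    # Any compromise, or a DoS that actually impairs performance, is Critical outright.
    if ev.compromised or ev.impairs_service:
        return "Critical"
    if ev.suspicious_only:
        # A forged Source Quench or Redirect, or one from a "trusted" upstream router,
        # is a skilled/unexpected attack and is promoted from Suspicious.
        level = "Low" if ev.forged_or_trusted_src else "Suspicious"
    elif ev.targets & host.components:
        # Relevant to what is running: High if unpatched, Medium if controls already defeat it.
        level = "High" if not host.patched else "Medium"
    else:
        # An IIS tool fired at Apache on Linux: a general probe, so Low.
        level = "Low"
    # Volume modifier: a flood from one source consumes bandwidth, or hints at a
    # vulnerability the attacker believes in, so raise one step.  Volume alone never
    # manufactures a Critical; that needs observed impairment or compromise.
    if ev.count >= VOLUME_THRESHOLD:
        level = LEVELS[min(LEVELS.index(level) + 1, LEVELS.index("High"))]
    return level


def triage(events: List[Event], host: Host) -> List[Tuple[str, str]]:
    """(level, signature) pairs, most severe first, for an analyst's queue."""
    rated = [(classify(ev, host), ev.signature) for ev in events]
    return sorted(rated, key=lambda r: LEVELS.index(r[0]), reverse=True)


if __name__ == "__main__":
    # Constructed sample: a patched Linux/Apache host that also has FrontPage extensions.
    web = Host("www", frozenset({"Linux", "Apache", "FrontPage"}), patched=True)
    feed = [
        Event("IIS unicode traversal", frozenset({"IIS"})),
        Event("IIS FrontPage ext. overflow", frozenset({"IIS", "FrontPage"})),
        Event("IIS FrontPage ext. overflow x500", frozenset({"IIS", "FrontPage"}), count=500),
        Event("ICMP Source Quench", frozenset(), suspicious_only=True),
        Event("ICMP Redirect from upstream router", frozenset(), suspicious_only=True,
              forged_or_trusted_src=True),
        Event("SYN flood", frozenset(), count=50000, impairs_service=True),
        Event("index.html replaced", frozenset({"Apache"}), compromised=True),
    ]
    for level, sig in triage(feed, web):
        print(f"{level:10s} {sig}")
```

Relevance is decided by intersecting what the attack targets with what the host actually runs, which is exactly why the FrontPage exception falls out naturally: an IIS-only tool against Apache stays Low, but the same tool aimed at FrontPage extensions that Apache happens to serve becomes High or Medium depending on patch state.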