Six weeks, Twenty Lbs.
Ok, so your Doctor does your blood work and tells you that:
a. Your cholesterol is too high.
b. Your glucose numbers are a bit marginal.
Of course, the very next thing he tells you is that it is all about your weight. Now, you are a pretty active guy, lift and run, and you are convinced that the 210 lbs you carry are due to extra muscle and a bit of weight, and for crying out loud, you really are not that fat!
What is an engineer to do?
Well, I will give you a secret: forget Atkins and South Beach and all that other stuff. Here is what you do:
1. Trade in the biweekly beer for single barrel Kentucky Bourbon (Evan Williams is great), Gentleman Jack, or some good single malt scotch. Sip it straight from a brandy snifter after you have given the car keys to the designated driver.
2. Give up the mayonnaise. Switch from Half and Half to 2% milk for the coffee.
3. Trade the bread for a wheatberry/ryeberry mix. You can put a little olive oil on it and season to taste and eat it by the truckload. Sun dried tomatoes are also good on this. Bottom line, you get carbs, fiber and a full belly, but because it is a whole grain your body has to work hard to get the carbs, so you have fuel to burn, but not a lot of sugars to drive insulin and fat production.
4. Back off on the red meat, though chicken and fish can be consumed as if you were a hungry Grizzly bear.
5. Add a big salad to your chicken/fish dinner with the wheatberry side. Eat these three staples to your heart's content.
6. Get some moderate exercise.
7. Potatoes are fine. Keep around fruits and veggies and pack them down when you get hungry.
Three things will happen:
a. Weight will drop off you like a winter coat off a dog in spring.
b. You will never feel hungry.
c. Your wife will find a newfound appreciation for your naked, thin body. This will be a very good thing.
Oh, and I suggest you add some non fat plain yoghurt to the mix. I also take a daily vitamin.
This worked like a dream. The weight is off and continues to stay off. I am not hungry and I can and do enjoy the occasional frozen yoghurt or dinner out.
Hey, we all have our tricks, and as a disclaimer, I am not a doctor or a nutritionist, this is just one man's opinion on something that worked for him. Your mileage may vary.
But for all you guys, if you are carrying an extra 20, time to get it off and keep it off. My dad is a heart patient, three bypasses and trust me, you do not want to end up like him.
Hackers and Guerrillas: Information Security and Lessons from History
Casually skim through any five books on hacking and information security the next time you are in the computer section of Borders. Guaranteed, four out of five, if not all five, will explicitly draw comparisons between cyber security and military science: titles like "Know Your Enemy" and "Cyber War", and terms like "attack", "reconnaissance" and "Defense in Depth". Business texts also tend to go a bit overboard with Sun Tzu and Clausewitz, almost as if General Electric should be building up armored divisions to launch their next marketing campaign.
In the case of Cyber Security, the analogies are not that far off. Truly, no one is getting bombed or strafed, and the worst casualties are blunted careers, defrauded banks, wasted time and the occasional prosecution. Still, malicious hackers and the opposed security teams are engaged in something more like war than, say, a football game or competitive marketing. Consider that, like war:
- There are targets defended by security groups and their attending systems.
- There are attackers attempting to breach these targets using their skill and systems.
- Breaching or disabling the system provides gain for the attacker and loss to the defender, even if the gain is the knowledge of the damage done to the target. It is a pure zero sum situation.
- The only rules are those imposed by the laws of nature and physics.
A few more minutes of thought would bring more parallels to light, but for now we can see the outline. Cyberwar really is cyber war.
One objection to this analysis may be that hackers have many motivations that are beyond simple economic gain. Max Kilger, Ofir Arkin and Jeff Stutzman, in their chapter on Profiling in the Honeynet Project's book, "Know Your Enemy", make the argument that hackers are driven as much by the societal imperatives of their counter culture as they are by the lure of ill-gained credit card numbers. If war is politics by other means, and if politics are in the end driven by economics, how then do we understand the need for hackers to exploit simply to impress fellow hackers?
Interestingly, the answer may be found in another modern work, John Keegan's "The History of Warfare". That distinguished historian and scholar makes a lucid and compelling argument that war, much to the chagrin of the realists, is a cultural phenomenon that is not necessarily tied to realpolitik or the dismal calculus of loss and gain. If nations can go to war because the culture demands that men prove themselves on the field of battle, what is different about a hacker proving his skill in an elegant exploit that brings down an e-commerce site?
It is useful to those of us in the security community to think on what kind of war we are fighting. Military theorists spend much time studying the history of war as a way of understanding present and future conflict. Technology advances can morph the tactics and change the damage profile, but the fundamental principles remain surprisingly invariant across time, across space and across technology. Perhaps this is true because in the end, war is a human endeavor. If we can categorize modern hacking as a form of understood warfare, then at an operational and strategic level, we can use it as a model for our own actions and as a guide to solutions.
Simple reflection gives us a hypothesis, as it is obvious that hacking is not like the classic stand up fight between armies. (Though some days security professionals feel a lot like Custer at the Little Bighorn.) Malicious hacking shares common characteristics with three conflict styles: guerrilla war as practiced in the twentieth and twenty-first centuries, submarine warfare of the last eighty years and the Barbarian Raids of ancient times. We will leave the ax wielding savages and the U-boats for another time and article, and focus on guerrillas.
Mao's book on guerrilla war is the best basic reference on insurgencies. To paraphrase from Mao:
- Win the hearts and minds of the people
- Fight where the enemy is weak, retreat where he is strong
- Secure bases are critical
- Stay decentralized, cells are isolated from each other
- Strive to have better intelligence than the government
- Stay mobile, stay flexible. Use tactical innovation to counter government superiority in numbers and material
- Live off the enemy
There is more, but this is enough to draw some parallels to hacking. Mao saw the population as a sea and the guerrilla as a fish that swam in that sea. Now, clearly the hearts and minds of the computer using populace are not with the hackers (except for maybe a few anarchist webzians) but in this case, it is not the mind of the owner that matters, but the processor of the computer.
Parallel One: hackers view the mass of poorly secured home and small office PCs as the populace to win and use. It is the "sea" that the hacker swims in. Also, just as Mao sees the populace as a necessary source of supplies and intelligence, the hacker sees the home computer as a necessary source of processing power and storage. I learned this one some years back when, as a neophyte user of DSL, I found one day that my laptop was hosting, among other things, an IRC chat server.
Parallel Two of note is the need for secure bases. In every case, the insurgent invariably must set up secure base areas, preferably across an international border, where they can rest and re-supply away from the danger of the government security forces. For the hackers of today, that is often accomplished by being located in a country other than the one where the targets are located. In particular, the more dangerous, profit motivated hacking groups of recent years are located in countries where law enforcement is practically an impossibility (think former Eastern Bloc, China and India). In the US, for example, there is always the possibility that a hacker in Connecticut could be tracked and prosecuted. If not a deterrent, at least this fact makes the hacker's job harder and forces more caution. A foreign based hacking gang can launch attacks with impunity; the only thing risked is time.
The rest of the list can be summarized in Parallel Three. Like the guerrilla, the hacker adopts tactics to seize and keep the initiative, choosing the time and avenue of attack. He pursues and exploits weakness; when faced with strength or risk, he breaks off quickly, re-groups and starts probing for a new weak spot. This can be very frustrating and demoralizing for security forces and security departments alike.
It is possible to take the analogies too far, but clearly government security forces in an insurgency and information security teams face a similar nightmare scenario: immobilized behind static defenses in a hostile, or at least an insecure, populace, waiting for the next attack from an enemy that has both initiative and a safe place of retreat. For the information security professional, in the new world of organized hacker crime networks, it presents a question not of if, but when they are going to be cracked, against a backdrop of ever increasing hardware, software and personnel expense devoted to information defense.
What the study of counter insurgency does is give us a few new ways of thinking about information security. Firstly, it points out the potential ultimate futility of just investing increasing dollars and hardware to defeat a mobile, flexible attacker (think Viet Nam). Secondly, as counter insurgency experts have learned, victory is less about technology and more about properly addressing the strategic requirements of the insurgent. Let's focus on three concepts from counter insurgency and see how they can address computer security.
1. Deny the insurgent a friendly populace. For a security force, it means taking action to defend the populace from the insurgent, seeing to the populace's welfare and winning the people's hearts and minds away from the guerrilla. From an information security perspective, the populace is the vast number of personal computers that are sitting, unprotected, on a broadband connection.
The state of the internet today results in most installations being improperly patched with poorly maintained or non existent anti-virus and firewall technology. This provides the hacking community with unlimited computing resources that can be used in sophisticated attacks against more valuable targets. These systems also provide a small source of easy revenue.
The web community needs to start moving these systems into defended and managed networks, much like a government would relocate populations to defended hamlets to better protect and provide for the populace. To be successful, any such policy should provide benefits to users for participation (better on line security, protection from hackers) and consequences for the user not taking steps to protect their machine. An example would be greater responsibility for losses incurred or caused due to improper protection.
AOL and Earthlink, among others, provide such services today. What is now needed is a concerted push by technology and financial companies to get the job completed, in a way that is both a net positive for the consumer and protective of their privacy rights. If every machine connected to an ISP was part of a Defended ISP Security Zone, hackers would be denied access to a critical resource.
2. Seal off the borders. The British succeeded in Malaysia partly because they could and did seal off insurgents from their cross border bases. In the same way, the web and financial community needs to incent countries that turn a blind eye to hacking to start taking computer crime seriously and act aggressively to close down hacking rings. This will be a very hard task that will take time. However, the community needs to start the work now. One step might be to devise a series of sanctions among ISPs and at a minimum get each country's ISPs serious about responding to intrusion attempts, blocking the sources and referring cases to law enforcement. If it seems like too much trouble, think about what you would do if thieves could rob your house and then just get across the county line to escape prosecution.
3. Take the initiative. The security community as a group needs to get off the defensive and on to the offensive. While counter-hacking attacks are a no-no, I think that the Honeynet project is an example of a good start and methodology. Another thing to Google is Microsoft's Honey Monkey project, where "Honey Monkey" machines crawl the web looking for and identifying websites that exploit or launch Spyware. What is needed is cross industry support, cooperation and perhaps legislation providing legal protection to Honeynet operators and incentives to companies to participate.
The final lesson of counter insurgency is the need for coordinating actions. Groups working in a vacuum or without a central strategy, no matter how well intentioned, will be only marginally effective and possibly counterproductive. Remember, the insurgent by definition seeks and exploits gaps in the security structure of a target country. Nothing creates gaps and wastes valuable resources like uncoordinated effort by the counter insurgent.
A great model for coordination is the VISA CISP program, where companies that want to utilize the VISA network must agree to, and be audited on, a standard set of security practices and policies. One can imagine a web e-commerce Association, led by major ISP and financial networks that could coordinate these kinds of policies across the web.
All of us that are on the internet for peaceful and beneficial reasons are smack dab in the middle of a guerrilla war. If we want to be successful, we cannot just hide in our firebases while the bad guys run wild. We need to get coordinated, we need to take the initiative, we need to get the people into defended zones and starve the hackers, isolate them and shut them down.