Clandestine Behavior Modification is better than Direct Conflict

Taijiquan, Judo, Jujitsu… I appreciate these forms. They redirect your opponent’s momentum. Did I mention that I’m a nerd? Let me throw this out there too: I have read Sun Tzu’s The Art of War like four or five times. Now if all of this seems cringeworthy, get your cringes out of the way and I’ll tell you the story about how I made an opponent lose the will to fight through a form of attrition – the cost just wasn’t worth the payoff. Keep this in mind in all aspects, because everyone is looking for the “low hanging fruit” – you just gotta make sure your fruit is higher up!

Another thing that I want to get out of the way is that everyone makes mistakes – I’ve made a million of them! So have you! When these two events occurred, I was coming to it with years of experience in information security, information technology, physical security, and private law enforcement, as well as tons and tons of years in customer service. Not to mention my experience in aviation – I don’t know if that helped, but I’m compelled to tell people that I’m a pilot whenever I can.

Part One

So one of my jobs was doing some outsourced IT work. I worked as head of InfoSec and head of tech support, as well as being the lead engineer. Some of our customers were schools. One school in particular… I was sitting there Monday through Friday to try and turn the account around. Every summer, this school puts on summer camps for things like coding and movie making for little kids. The summer before I started there, the summer camp went so wrong because the IT department (allegedly) screwed up everything.

I kept that in mind while overseeing that IT department in person during my first summer camp there. Previously, I had been overseeing it from afar, but now that I was there, I had a much tighter rein. So… one day during the camp, our Internet bandwidth was completely saturated – everything was bogged down – classrooms, administrative, maintenance, secretaries – everyone. Because we used the best tools and best practices, it took exactly one minute to find out exactly what was going on – one student in the entire building was playing a Flash game that was somehow using 300Mbps up and down (Bitcoin jacking?) – workstation number six in computer lab A.

I already had a plan. I was going to walk in there, very gently ask the instructor to excuse my interruption, and explain the situation. Now, you see, these weren’t students in the sense that they could get a detention or even a bad grade – their parents paid for them to be there, so they were fine as long as they weren’t doing anything that could get the school in trouble, like looking at porn or preventing the other students from getting what their parents paid for. At least, that’s how the superintendent and assistant superintendent explained it to the company I was working for (how they explained it to the owner/CEO and how they explained it to me).

I walked into the classroom. No one noticed me. I’m six feet tall and at the time I weighed about 315 lbs. No one noticed because I didn’t want them to notice me. >>>Cue the James Bond theme song<<< I counted workstations and figured out that it was the young boy in the front right corner. I don’t know what he was playing. It looked like a movie making website. Ironic, because that class was about movie making.

I approached the instructor: “Hi, my name is Tony. I’m from the IT department. The reason for my visit is that there’s a student playing an online game – which normally, during a summer camp, wouldn’t be a big deal, but it’s taking up all of the bandwidth in the building. I actually found out because the superintendent called me directly to talk about it. So, I’m just asking if you could ask the student to stay on task.”

The instructor had no problem with this at all. The problem is that two of my teammates walked into the room behind me. One of them had come there from working in security (he didn’t learn as much as I did: no force continuum, including the most effective step on the continuum, “officer presence”; no de-escalation; no verbal judo, all things that would have been relevant in this case). The other guy, well, he makes me look tiny. He’s actually still one of my best friends! One of the few people that checked in on me during my darkest days. So my two teammates both stood there, pointing and counting out loud, super, super obviously, and then, with pissy attitudes, told the instructor that one of her students had crippled the whole building’s computers. The kid panicked. He kept looking back and forth between his computer screen, us, the teacher, the computer, etc. etc. He closed his Flash game, looked at the computer next to his and started copying what that kid was doing – drawing geometric shapes in Microsoft Paint. Which cracked me up, because that kid wasn’t working on the assignment either.

The result is that the Internet usage was normal for the rest of the summer camp. The fallout is that the kid told his parents, his parents called the school, the enemies we had at that school blew everything out of proportion, there was a meeting with us, the superintendent, and the teacher, and everything ended well once the teacher stuck up for us. Still sucked though. It’s better, in my opinion, for a customer to not have any bad tastes in their mouth, as opposed to me having to pour Listerine down their throats.

Part Two

Fast forward roughly twelve months. I’m still overseeing this customer’s account personally. Summer camp time. There was lots more drama in Part One that wasn’t relevant to this story, and different and irrelevant drama in Part Two as well. But here’s what happened – basically the exact same thing, except a different Flash game, this time a clone of Call of Duty or something. This classroom happened to have security cameras in it (students and parents know about the cameras, of course), and guess which department runs the security cameras…

So I pull up a couple of live views of the classroom, and a remote view of the teacher’s computer and the student’s computer, and also glanced at some of the other screens to make sure that this game wasn’t somehow part of the curriculum. It of course was not. In fact, the student would minimize the screen whenever the teacher would walk by. Doesn’t exactly take Sherlock Holmes to crack this case.

What the hell? He’s playing the game in Microsoft Edge? Come on, guy. What are you doing? I opened a remote command line into that workstation and sent taskkill /f /im edge.exe, and lo and behold, the game he was playing suddenly vanished from the screen. Gotta give the kid some credit though. He reopened Edge and started loading the game again, skillfully avoiding the watchful eyes of the teachers in the room. I watched the screen while the game loaded, and as soon as it hit 99%, I pressed the up arrow and then hit Enter, re-sending the command that kills Microsoft Edge. He starts laughing, bumping into the kids on either side of him. They’re all joking around a little. The teachers come by, look around, go back to the front of the room… Then here comes Edge again. Wait until 99%… up arrow, Enter key – no more Microsoft Edge. He tried once more before giving up.
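The same attrition trick, automated, as an added example that is not part of the original post: instead of re-sending the kill command by hand, a watcher runs on the managed workstation through PowerShell Remoting and terminates the browser every time it reappears, logging each event so there is a record for the inevitable follow-up conversation. It assumes WinRM is enabled on the target, that the account running it is a local administrator there, and that the browser is the current Chromium-based Edge, whose process name is msedge.exe; the computer name, watch duration and polling interval are placeholders.

```powershell
# Added example, not the post's own commands. Assumes PowerShell Remoting (WinRM) is
# enabled on the target and the caller is a local administrator there.
param(
    [string]$ComputerName = 'LAB-A-WS06',   # placeholder workstation name
    [string]$ProcessName  = 'msedge',       # Chromium-based Edge; adjust if your browser differs
    [int]$WatchMinutes    = 45,             # how long to keep watching
    [int]$IntervalSeconds = 2               # polling interval
)

# Script block that runs on the remote workstation. Everything it writes to the
# output stream comes back to the console that launched it.
$watch = {
    param($ProcessName, $WatchMinutes, $IntervalSeconds)

    $deadline = (Get-Date).AddMinutes($WatchMinutes)
    $kills    = 0

    while ((Get-Date) -lt $deadline) {
        # No match is normal, so suppress the "process not found" error.
        $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
        if ($procs) {
            # Chromium browsers spawn many child processes; stop all of them at once.
            $procs | Stop-Process -Force -ErrorAction SilentlyContinue
            $kills++
            Write-Output ('{0:u} killed {1} {2} process(es) on {3}' -f `
                (Get-Date), @($procs).Count, $ProcessName, $env:COMPUTERNAME)
        }
        Start-Sleep -Seconds $IntervalSeconds
    }

    Write-Output ('{0:u} watch ended on {1}; {2} kill event(s)' -f `
        (Get-Date), $env:COMPUTERNAME, $kills)
}

# Launch the watcher on the remote workstation and stream its log back here.
Invoke-Command -ComputerName $ComputerName -ScriptBlock $watch `
    -ArgumentList $ProcessName, $WatchMinutes, $IntervalSeconds
```

Run it from an administrative console as `.\Watch-Browser.ps1 -ComputerName <workstation>`; the kill count it reports at the end is the attrition metric the story is about, and the timestamped lines are what you hand over when someone asks what IT did and when.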

The Moral of The Story

This kid decided that the amount of effort he had to put in to play the game was not worth the payoff: waiting for it to load and only getting a minute into the game, or getting 99% of the way past the loading screen without any payoff. See, there has to be some payoff for anything that someone does, and that payoff has to outweigh the cost. The more impulsive the person is, the less patient they are going to be – the payoff has to be immediate. The less impulsive a person is, the longer they can wait. I went to school and got certs and learned first hand by working for free at first, all so that years later I’d be working at a job that I actually enjoy going to. Good things come to those who wait. And I think that bad things come less often to those who make it so that the impulsive people trying to do them harm have to wait longer than they want to wait; have to put in more effort than they want to expend for the payoff.

Herein lies the “Low Hanging Fruit” adage that is hopefully familiar to you. Say there’s a hacker group that wants to hack some companies. They send their automated attack all at once against 10,000 different companies. Out of those 10,000, 9,000 are wiiiiiiiide open – they get in by exploiting vulnerable software, vulnerable people, vulnerable passwords, etc. Then out of the remaining thousand, 500 of them can be hacked with an extra few weeks’ worth of work. And the last 500 would take months of work.

What do you get from a hacked company? An attacker can make a ton of cash in a ton of ways – regardless of what the company even does or sells or whatever. Now, would spending a few months trying to hack one company be the end of the world to an attacker? No, absolutely not. But why would they bother when they’ve already compromised 9,000 in a day and a half? The low hanging fruit is there. That’s a little bit of effort for a big payoff. But what about the fruit at the middle of the tree and on the top of the tree? It’s probably not any sweeter than the fruit that can be reached without even standing on tippy toes (trust me on that), so why bother getting out a ladder or an extra couple of people to try and get those last pieces of fruit? It’s a lot of effort for a small amount of something the attacker already has a lot of for free.

Do the basic best practices. It moves your fruit higher from the ground, and the attackers ignore it in favor of the easier to obtain – and just as tasty – fruit.
