- Posted by barak engel
- On September 17, 2022
(This is an excerpt from my book, “The Security Hippie”)
Since this is a book of stories, a personal story would be as good a place as any to start. And an excellent one to start with is the very same story I had shared with Dan. It is the story of how I failed to fail, even though I tried really, really hard. Yeah, let me start with that one.
Imagine this: a much younger Barak is sitting at home, laptop nestled firmly on top of lap, testing. In those bygone days, I had enough chutzpah as well as arguably sufficient technical acumen to fancy myself as capable of researching “technical things”. I also had a Thinkpad x60 (I think; I have been using Thinkpads exclusively for two decades and it might have been an earlier one), which had a delightful little feature: it included a wireless hardware switch, which controlled all the radios. You could turn that switch off and then could be assured that no signal could be received by or emanate from the machine.
As a security guy, I loved that feature, just like I love the physical camera shutter on some modern laptops. The testing in question involved a new kind of Trojan, which I found interesting, and I wanted to check how it might interact with non-standard email software; specifically, it was a very early kind of Trojan that was able to replicate itself via one’s address book, but I wanted to see if it was clever enough to work not just in Outlook.
So I set up my sandbox, and I put up my tools, set my memory monitor and my traffic sniffer, got my email client up and running, turned off the radios using the hardware switch, and … let … her … rip.
It only took five or six seconds for me to realize something was going terribly, horribly wrong. You know that sinking feeling at the pit of your stomach when you’ve done something monumentally stupid and embarrassing, and realize that you … are … not … alone? I mean, our current world brings a perfect example: just close your eyes and imagine yourself going to sit on the toilet while in a video conference, convinced that you had shut down your video feed.
Except maybe you haven’t.
And it turns out that 11 of your (previously in-person) office mates had just had the pleasure of accompanying you to the throne. You think I am making this up? There is a woman named Jennifer who was trending on Twitter for a while in March 2020 who would be ecstatic if I were, in fact, joking.
I was at first excited to see that the virus managed to grab email addresses out of my address book, even though I was running Eudora as my email client instead of Outlook. Then I noticed that my sniffer was spitting out actual network traffic.
How is this possible? My hand moved quickly over to the empty Ethernet socket on my laptop, but it was indeed empty. No cable was attached. I stood up urgently, intending to run to my home office to deal with the crisis.
My laptop jerked out of my hand and almost fell to the ground, and I felt a strong pull on my shirt.
I looked down.
And there it was. The famous hardware switch, the entire reason I felt comfortable testing because no harm could be done since the virus could not actually access the network – it was solidly stuck in a sort of middle position that should not have existed, with the tip of my t-shirt clamped tightly by it, not allowing it to click properly into the closed position.
I had just tried to email maybe 400 of my closest friends, business associates, customers, partners, and many others one of the nastiest pieces of malware I had ever seen.
Now, you have to understand the broader context. I was new to this. I had a grand total of two customers by then. Many of these people were folks I was networking with, or trying to sell my services to, or were trying to help me find a gig.
As a security consultant.
What have I done?
Panic set in.
By all rights, I should have quietly closed my laptop down, given up the dream and the path of independent business existence, and probably moved to a different state (or country). I mean, seriously, why would any of these people ever trust me again? And make no mistake: security is a trust business. Here I was, putting myself out there, hanging my shingle, and its hook turned out to be poisoned.
Come on, let’s be fair: what hope did I have at all?
But I am, if anything, a determined (read: bull-headed) sort of fellow (read: em-effer).
So within 15 minutes of the incident which, thankfully, took place on a weekend, I sent a follow-up email to every impacted person on that list. In the email, I asked everyone to delete the email with the virus, described what happened, apologized profusely, and told everyone that it would be entirely reasonable for them to never want to work with me. Then I added that I would really, really appreciate it if maybe they would be willing to give me a chance to prove myself to them anyway.
Only then did I start looking at the online job boards.
One of the truly remarkable things about what happened next is that I only received a single rebuke for my performance – and even that person did not sever ties with me, telling me instead to “just don’t eff up again”. Everyone else stayed in contact, and some even thanked me for letting them know.
That was, in itself, amazing.
But the single most astonishing aspect of this incident was this: by the end of the following month, I had two new customers – both of them recipients of my emailed viral affections.
I guess I was staying in California after all.