Bag of Tricks
https://www.bagoftricks.tech/
A mixed bag of tricks for everyone!
Feed generated Tue, 13 Jun 2023 19:44:19 +0000

K12 Technology Life in the Rearview
https://www.bagoftricks.tech/k12-technology-life-in-the-rearview/
Tue, 13 Jun 2023 19:44:15 +0000

A whimsical look back at my career as a K12 Technology Professional, and some encouragement for those still in it.

The post K12 Technology Life in the Rearview appeared first on Bag of Tricks.

Ever since I can remember, I’ve wanted to be a gangster – wait a minute, that’s not right. Let’s try this again.

Ever since I was in elementary school I’ve wanted to be a K12 Technology Professional. I was that kid who lost his classwork because Microsoft Word crashed (I’m talking way before the days of automatic drafts or documents in the cloud!).

It was miserable.

I think about that moment and the way it made me feel to have no idea how to work this new technology, to be powerless. For a little know-it-all, that was the catalyst.

From that moment, I realized that the Technology person was the one I needed to talk to, because nobody I knew could help. At this point at the small school I went to, the tech person only came once or twice a week (and often after school hours). This is a departure from the position I just left, where I was a full-time 12-month contracted employee with an open-door policy.

I digress…

Considering I couldn’t get in contact with the tech person, I started to look closer at their handiwork. I would try things, and then read about even more things to try in order to see what I could do. Proxies, for example, were exotic because they got you around the content filter and onto whatever website you wanted while at school. (They’re also dangerous, if you’re reading this and are curious to try them.)

In my limited Internet time on the family computer in the evenings, I could research topics that came to mind, but Google hadn’t come out yet; so, I found myself in various tech communities (of various reputations) where I would learn programming and share scripts online. While there were countless, I can remember a simple script I borrowed and modified that opened and closed the CD tray at random.

As the years went on, I experienced a variety of new things and had my head buried in books and PC magazines to learn new things. The whole time, my parents lamented the fact that I would rather spend all my time on that computer instead of trying to get straight A’s in school.

I regret nothing.

I did countless small jobs and even interned at a local computer repair shop. Whenever I sat down to run the numbers, though, I didn’t see how I would be able to survive off of PC cleanings and the labor markup from building computers. No, I would have to go much, much deeper if I wanted to make a good living in the technology field.

Moving Forward

Fast forward to 2017: at this point I had been a K12 Technology Professional for about a year. I can remember staring at a rackmount server that was sitting in the keyboard tray of a computer desk, running just one virtual machine. Right below it was a highly overpowered tower server I’d gotten suckered into buying.

I was lost. Out of my depth. Imposter Syndrome kicked in and I started having nightmarish realizations that I was probably hired because I said I knew how to use Linux and that I had actually bitten off way more than I could chew.

Then that familiar catalyst started to burn bright once more: there was so much in this district that didn’t feel right technology-wise, but I just didn’t know what. Now that I knew I didn’t know, I knew what I had to do.

I started plotting and researching, and eventually came to the conclusion that it didn’t make sense for the flow of traffic to go to an unnecessary building when it could all go to where the demarcation point was located, and therefore cut down on the amount of downtime we would have. I moved the servers and so began the journey I called the “5-9 Uptime Plan” or 99.999% uptime, within reason.

With that newfound obsession in focus, I went on to document switches and devices, make maps, and eventually find a way to have tech support help me hack bridges into my awful content filter (it was running Debian Linux on a Dell R420) so that I could finally create VLANs. Those VLANs helped limit the random network loops where a teacher plugged a device into itself and destroyed the entire learning environment until it was discovered. Except, I could only have about four.

It was something. A little victory.

Eventually, I would hack together a solution where a router would send staff and student traffic to the content filter, and all server traffic would go straight out to the Internet. This was because the content filter would crash. This way, I was able to monitor my servers from home, instead of thinking the entire district was melting down. Not to mention, I routed my workstation traffic through that router directly so I wasn’t dead in the water when that garbage ultimately went up in a dumpster fire.

In the following years, I set up monitoring, graphed network traffic, etc. I configured countless Linux and Windows servers – one after another, as I found myself needing them.

Year over year, improvements would come. Even during the middle of the school day. I used to break the network 5-10 seconds at a time to test network policies and whatnot in order to fully configure implicit deny rules without too many people complaining. For what it’s worth, I don’t ever recommend doing this. I was playing with fire because I couldn’t stand the state of the network. Either that, or I am effectively fueled by chaos.

Then, 2020 happened. By mid-March I was tasked with trying to find as many Chromebooks as I could as quickly as possible to give to as many grades as I had devices before we would ultimately begin our summer vacation. It was such a crisis, and a daunting task placed before a single technology person, but you do the best you can.

Looking Back

As I look back at K12 Technology Life in the rearview, I am grateful for the people I have met and have gotten to walk out the technology life with. They helped me; I helped them. It’s beautiful, and that concept of networking has led me to where I am today.

I once read a post on social media that went something like, “Being in IT is a lot like being on an inflatable raft full of a bunch of drunk monkeys with sharp sticks out in the middle of the ocean. Everyone expects you to keep the raft afloat, but you’re not allowed to tell the monkeys not to poke holes in it.”

Sound familiar? It should. Here’s to you, K12 Technology Professional.

You show up and read your e-mails. You take phone calls from teachers who think their projector is a SMARTBoard, and vice versa. You add lead time to tickets where someone writes in all caps (well, to be fair it’s not a ticket, it’s just a response to an e-mail you sent three months ago). You have countless times dropped the cat’s cradle you were carefully building to go help someone with something, only to find yourself further and further behind in the ticket queue. You’ve lost sleep over upcoming projects, and how you would find a way to pull it off. I could go on and on, but it’s quittin’ time somewhere.

IT is an often thankless position, so allow me to end my reflection by saying to those of you still in it after all these years how proud I am of each of you for going into the trenches day after day. You guys are fighting a war that most decision-makers cannot understand. You work for peanuts guarding the raft because it’s your duty while the others are oblivious. Even when you win the battle, what does it really look like to them?

How can you make a difference when you are fighting with people who don’t understand what they’re paying you for and why it’s not enough for the expanded threats in recent years, from ransomware to all the other new, nasty hacking tricks?

Will my leaving the K12 Technology Professional space to take a higher paying job in the private sector make a difference? I doubt it.

But allow me to offer you food for thought…

Your work is the cornerstone of modern education. However, the integrity isn’t in one sole entity. We, working together, improve the very material of the cornerstone itself. Each time we come to one another for questions or guidance, one fibrous pore in the cornerstone is filled in. One less crevice through which to break down the entire structure.

Thank you for all you do, K12 Technology Professionals.

Sincerely,

A Former K12 Technology Professional

Zero-Trust Models for Internet Security
https://www.bagoftricks.tech/zero-trust-models-for-internet-security/
Fri, 28 Apr 2023 17:09:00 +0000

One of the most psychologically challenging ideas for end users to accept is that implicitly trusting entities on the Internet is a bad idea. I am going to break down the key concepts in order to demystify zero-trust security and provide practical applications for it.

What is Zero-Trust in Real-World Terms?

In terms of the Internet as a whole, we will refer to the two different environments as the old way and a zero-trust environment.

The old way requires implicit trust.

When you step outside your house and drive to work, there is a lot of implicit trust exercised. You may trust that each person you encounter will yield to traffic signs, keep a respectful distance, and not run you off the road. Or, you may implicitly trust in other areas entirely. We’re all different, which adds to the complexity.

Let’s go with another example.

The old way is leaving every door and window in your house unlocked because you trust that nobody is going to enter your house without your permission.

Zero trust in the driving example means that you are a much more defensive driver. You don’t leave a stop sign until you verify no one is coming. You don’t merge lanes until you verify no one is close enough to be a collision risk. In the example of the house, you would lock all doors and windows, and only allow those you have specifically given permission to into your house.

Don’t trust, but verify.

You have no doubt heard that phrase spoken differently in the past. That’s because the real world and the Internet are different in some big ways. It’s that difference that social engineers and scammers depend on in order to accomplish their nefarious goals.

In face-to-face communication, we have collectively had years of experience with grifters and tricksters; so, they changed up the tactics. Whether it’s by phishing, hacking, or some other clever means, it is likely that they will eventually enter your network. Once they do, it’s up to you what happens next.

Let me preface this next example by saying that this part of the article will shift more towards those responsible for securing their home or work networks. If this is something you would like to accomplish, but feel it’s a lot to take on, reach out to me and we can take an inventory and I will discuss some of the best ways to apply zero-trust.

Compromised in the Old Way

So, it’s inevitably happened. Someone clicked that link to get a free gift card and ended up installing a remote access trojan on their computer. The hacker now has remote access to the computer network.

Using the computer they have accessed as a remote VPN server into your network, they will do a few possible things, depending on the sophistication of the attacker. They may first begin scanning the network, using a network mapping tool (like nmap) in order to see what other devices are in the local subnet. They may use other discovery methods, but either way this is the information-gathering phase.

Let’s say that while they were scanning the device, they were able to snag the hash of the administrator password. Now they can craft packets that allow them to hop to other similar devices in the network and try that administrator password. If that gives them access, they can continue to hop from device to device, possibly even exfiltrating data as they go.

The network is also flat, so there are wireless access points, servers, routers, etc., that are all easily traversable without any significant barriers in place.

From here, the attacker can then begin exploiting servers in order to gain administrative access to either exfiltrate more data, or to ultimately install ransomware and lock all of your crucial data down. The ransomware that they install may also have worming capabilities, which would allow it to spread throughout the entire network using those compromised entry points and administrator passwords together to reduce the entire environment to expensive paperweights.

Compromised, with Zero Trust

So, it’s inevitably happened. Someone clicked that link to get a free gift card and ended up installing a remote access trojan on their computer. The hacker now has remote access to the computer network.

This time, however, you have micro-segmented the network. The only devices the attacker can see are local workstations. Those workstations are now configured to ignore any peer to peer communication from fellow computers; so, they don’t respond when the attacker on the compromised device attempts to access it.

The attacker finds addresses of servers and then tries to connect to them, but the network segments have implicit deny configured in the firewall; so, any communication that isn’t absolutely mission critical is automatically denied.

Most attackers want the low-hanging fruit. In this example, the attacker would likely move on to an easier to compromise target.
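The two scenarios above, the flat network where everything is implicitly allowed and the micro-segmented network where everything not listed is implicitly denied, can be checked against a rule table. The following is an added example written for this page, not code from the Bag of Tricks post: a small first-match firewall policy evaluator. Every subnet, host and port in it is constructed for illustration, and the segmented rule set also stands in for the workstation host firewall that ignores peer-to-peer traffic.

```python
"""Added example (not code from the Bag of Tricks post): a first-match
firewall policy evaluator used to compare the two networks the article
walks through, the flat network with implicit allow and the micro-segmented
network with implicit deny.  Every subnet, host and port below is constructed
for illustration; the segmented policy also stands in for the workstation
host firewall that ignores peer-to-peer traffic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the flow must originate from
    dst: str              # CIDR the flow must be destined to
    port: Optional[int]   # destination TCP port, None matches any port
    action: str           # "allow" or "deny"


def evaluate(rules, default, src_ip, dst_ip, port):
    """First matching rule wins; with no match the policy default applies.
    A default of "deny" is the implicit-deny posture from the article."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action
    return default


# Constructed hosts: the attacker sits on the compromised workstation.
COMPROMISED = "10.10.1.20"
PEER_WORKSTATION = "10.10.1.21"
FILE_SERVER = "10.20.0.5"
AP_MANAGEMENT = "10.30.0.2"

# The old way: no rules at all, every flow falls through to "allow".
FLAT_RULES = []

# Zero trust: only mission-critical flows are listed; everything else is denied.
SEGMENTED_RULES = [
    Rule("10.10.1.0/24", "10.20.0.5/32", 443, "allow"),   # workstations -> file server, HTTPS only
    Rule("10.50.0.10/32", "10.30.0.0/24", 22, "allow"),   # admin jump host -> access point management
]

# Connection attempts from the compromised workstation (constructed probes).
ATTACK_PROBES = [
    (PEER_WORKSTATION, 445),   # SMB to a neighbouring workstation
    (FILE_SERVER, 443),        # the one allowed business service
    (FILE_SERVER, 22),         # SSH straight to the server
    (AP_MANAGEMENT, 22),       # the access point's management interface
]


def reachable(rules, default, src_ip, probes):
    """Return the (dst, port) pairs the source host can actually reach."""
    return [(d, p) for d, p in probes if evaluate(rules, default, src_ip, d, p) == "allow"]


def denied(rules, default, src_ip, probes):
    """The complement: each entry is a blocked attempt worth logging and alerting on."""
    return [(d, p) for d, p in probes if evaluate(rules, default, src_ip, d, p) != "allow"]


def flat_reach():
    return reachable(FLAT_RULES, "allow", COMPROMISED, ATTACK_PROBES)


def segmented_reach():
    return reachable(SEGMENTED_RULES, "deny", COMPROMISED, ATTACK_PROBES)


if __name__ == "__main__":
    print("flat network, attacker reaches:", flat_reach())
    print("segmented network, attacker reaches:", segmented_reach())
    print("segmented network, denied attempts to alert on:",
          denied(SEGMENTED_RULES, "deny", COMPROMISED, ATTACK_PROBES))
```

On the flat network every probe succeeds; on the segmented one the compromised workstation can still reach the file server over HTTPS (the business need) and nothing else. The denied list is the useful by-product: on a default-deny network, a workstation suddenly probing its neighbours and the management subnet shows up in the firewall logs as a burst of drops, which is the early warning the flat network never gives you.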

Conclusion

In this article, I have covered how trust in face-to-face communication differs from trust across the Internet, real-world examples of implicit trust and zero trust, and then performed a deep dive into a network with implicit trust vs a network with zero-trust.

With this knowledge, I hope to raise awareness as to how important a zero-trust environment is in your home and office networks.

The Skeleton Key, a.k.a. Password Re-Use
https://www.bagoftricks.tech/the-skeleton-key-a-k-a-password-re-use/
Fri, 24 Mar 2023 14:11:00 +0000


I feel it appropriate to begin this article with a story I recently encountered.

A lady at my work told me that her daughter-in-law got a text message claiming to be from myself. This text then went on to ask for the user’s personal account credentials. The daughter-in-law gave the email, but didn’t give the password (which was a good thing, as you should never give your password to anyone).

The imposter then asked for the user’s six-digit verification code. She attempted to give it, but it had expired so the imposter wasn’t able to gain access to the account.

The main issue with this situation was that the imposter already knew the username and password combination, and only needed the six-digit 2FA to get in.

Why did they already know it? Well, there are a handful of reasons, but I had already established that it was password re-use.

At the time of writing, we are on the verge of finally integrating password-less authentication; so, hopefully this notion gets to be marked entirely obsolete in 2023 – but it’s been just around the corner for quite a few years now. And, no, I’m not talking about 2023 being the year of the Linux Desktop.

What I’m talking about is password re-use. No matter how good that one password is, once someone has it and your email combination, they’re free to attempt to log in anywhere. This is called “credential stuffing”.

I know, I know. Passwords are used practically everywhere and most websites want a certain number of characters, with upper-case, lower-case, and symbols. What else are you gonna do?

The solution is simple: use a password manager.

What is a password manager?

A password manager is a program or service which allows you to remember one complex password to a vault which stores other even more complex passwords that can be randomly generated.

Which password manager should I use?

There are several password managers to choose from, and no single right answer. The criteria for most users, however, are simple: it should be easy to use and also more secure than a Post-It note or password notebook.

NOTE: Due to the recent data breaches at LastPass, I have had to remove them as a viable option; so, for now, I only have the one.

BitWarden

PROS:

  • Online/Offline Components
  • Industry Standard “Zero-Knowledge” Encryption
  • One-Time Password Component
  • Random Username/Password Generation

CONS:

  • Read-Only Offline Mode

BitWarden is easily my top recommendation for people whether they’re tech-savvy or not. The interface is intuitive and it integrates flawlessly with the browser; though, it also has apps for every major device on the market. If you pay for the Premium version, it can even insert time-based one-time password codes directly into the prompts with no extra work on your part.

The main draw for Bitwarden is that it is accessible anywhere you have access to the Internet with a master password (and second form of authentication, which I highly recommend setting up). From there, you can access your password vault that is otherwise fully encrypted on both your system and theirs.

I did list a con of having the read-only offline mode, and I dug into it deeper to see what that would entail. Bitwarden has to be able to sync to the remote server in order to make changes, but as long as you authenticated while you had an Internet connection, you can still open the vault afterwards without one (they refer to this as locked versus logged out). You can adjust the logout time in settings, but it’s pretty generous by default.

Another component that made me happy is the random generation of usernames, as well as passwords. We are often bad about giving away too much information in a username, so having one that is random helps protect us in multiple ways, but mainly credential stuffing attacks.

Other Considerations

Conclusion

Regardless of which password manager you choose, the main goal is to make sure that you aren’t using the same username and password combination across multiple accounts. It doesn’t matter how secure your password is if it got exposed due to a database breach.

My sincerest hope is that you will consider destroying the skeleton key once and for all and protect yourself from one of the most easily avoidable attack scenarios.

Gamified Living – Leveling Up Your Potential
https://www.bagoftricks.tech/gamified-living-leveling-up-your-potential/
Fri, 10 Mar 2023 11:26:00 +0000

You have probably heard it said that you should make a to-do list in order to not forget the things you have to do (like things you need to pick up from the grocery store), but have you considered the benefits of using such lists as tools of both organization and positive reinforcement in other aspects of your life? Let’s look at hitting ‘Start’ on gamified living!

Earlier this year, I started making to-do lists for things that don’t intuitively come to me as fun tasks to complete. One such example is cleaning the house. No matter how many times you clean the house, after a certain amount of time, you can’t even tell it’s been done!

After each task was completed, I would take a moment to pause and mark it off the list while celebrating the fact that one small task out of several had been completed.

How Does It Work?

Consider the way a slot machine dings and flashes even when you net a loss of $0.37 on a $0.50 bet. That’s because they understand how we’re wired! That type of response encourages us to keep pushing onward. But it doesn’t have to just be used to get you to gamble away money.

Every popular game going back as far as I can remember employs similar strategies: positive reinforcement that comes rapidly in the beginning, and then exponentially less (i.e. leveling up). When you hit that goal, there’s often a satisfying feedback that you can come to anticipate, especially if there are visible progress bars. Developers refer to this as “engagement”.

Unsurprisingly, I found this having the same effect on me to be able to check off a series of tasks and build up momentum. Sweeping and mopping individually take longer than doing dishes, but by starting with dishes and checking it off the list, the dopamine hit of watching the task fall to the bottom of the list on my Notes app with a filled bubble made the idea of completing the next task a goal worth achieving!

As a bonus, simply having a task to make your bed every morning gives you that boost first thing in the morning, and ought to help you push through accomplishing the rest of the day. While it doesn’t seem like a big accomplishment, you are starting the first few minutes of your day having already completed one task, of which many will surely follow. Psychologists refer to this as manipulating your dopamine levels by accomplishing small tasks.

Where Do I Start?

Let’s not get carried away, though. Gamified living is a marathon, not a race. Start off slowly. One or two tasks, or if you have a list, start off with a low number (i.e. saying that in a list of ten, three have to be done. That’s 30%!) and gradually work your way up.

Not unlike the concept of leveling up and how it takes exponentially longer with each level, you can add more and more tasks to these streaks as you become more accustomed to the tasks you’ve set out to do before. We often think of exercise as something to be done at the gym, but exercises can also be a series of actions carried out with a specific purpose in mind. Similar to the workouts we should all be doing, you will find that you can add more and more things as you build up endurance and proficiency. Not to mention, in the example of cleaning a house, it’s easier to maintain than to have to start over from the ground floor each time.

Conclusion

To wrap things up, there’s a reason that video games are so popular among all walks of life: there’s a reward system with rapid rewards in the beginning that start to become less and less frequent once you’re engaged. The thrill of the challenge and the achievements for succeeding naturally gives us the drive to push forward. By adding a similar type of reward system to your everyday tasks (especially the most mundane ones) you too can experience gamified living!

Hello World!
https://www.bagoftricks.tech/hello-world/
Fri, 17 Feb 2023 17:37:27 +0000

Normally, the creator of a WordPress blog would remove this post. Instead, I feel it encompasses all that it means to create something new on the World-Wide Web.

In programming, you use “Hello World” as a test, a proof of concept that your project will execute as expected.

#include <iostream>

int main() {
    std::cout << "Hello World!";
    return 0;
}

This post in this blog is my proof of concept. It has executed as expected.
