What Hackers (and Marketers) Know about You from your Switch

Of all my prized technical books, one of my favorites in the networking space has to be LAN Switch Security : What Hackers Know about your Switches | A Practical Guide to Layer 2 Devices and Stopping Campus Network Attacks by Eric Vyncke.

Though written way back in 2008 -back when we had IoT but called it IP on Everything- Vyncke's book is more than just relevant in 2016, it's a must-have.

Why? Because Vyncke's book is one of only a handful of practitioner resources that explores in-depth a problem we've had in technology for over thirty years: the Address Resolution Protocol. ARP is a fun little plumbing protocol that exists way down at the bottom of the technology stack. I like to think of ARP as a map of both Layer 2 (MAC) & Layer 3 (IP) of the OSI model, but the technical definition is outlined in RFC 826, written way back in 1982.
So what's the problem with ARP you might ask? By its very nature, ARP is a veritable goldmine of useful and interesting information about a network, or more specifically, a broadcast domain. So at work, querying the ARP table on a switch is usually the first thing I do when I'm troubleshooting a LAN issue. And at home, where you also have an ARP table whether you realize it or not, devices and computers query the same table too to learn about each other.

This is the great benefit of ARP; it just runs on your switch automatically, doing its job in the background with zero drama, just the way a plumbing protocol should. But, therein lies the rub friends: because it provides such useful information automatically to devices that need it without any authentication mechanism, ARP is in reality an un-securable information leaker about your network and you, especially at home.

Vyncke, take it away:

All ARP requests are sent as Ethernet multicast and every Layer 2 adjacent host can build a traffic matrix (for example, which IP address talks to which IP address). There is no known way to mitigate [this] information leak vulnerability [in the Address Resolution Protocol]. Although the security impact of this vulnerability is small, paranoid network architects must make a design where the amount of hosts per Ethernet segment is small (even to the point of having a single host plus its default gateway per segment). Hence, an attacker will only be able to learn that some hosts communicate with a router but will not discover the remote hosts’ IP addresses.

I wonder if Vyncke would choose to use the same word "paranoid" if he were writing his book in 2016. Because from my seat, it's no longer considered paranoid to worry about the information my ARP table leaks out. Indeed, I'd argue that you're being negligent if you're not worried about it, especially as we adopt more IoT style technologies in our homes and workplaces.

Remember, this is a goldmine of real, substantive data on your network, its devices, and, well, you. In the enterprise space, we've got tools to deal with this, so typically we just segment our networks into ever smaller broadcast domains, usually via VLAN tagging or, ideally, Private VLANs.

In the home though, router and Wireless AP manufacturers offer little more than a Guest VLAN, if that. Your average home internet network, as a result, will leak out juicy details from your ARP table to whomever -or whatever- connects to it.

Hackers are one thing, but imagine what a Marketer could glean from querying, then storing and uploading data from the ARP table on your home network:

  • When the devices you own come and go on the network
  • Which devices are used the most
  • The type, name, and manufacturer of the devices on your network

Consider that just by querying the ARP table over time, you could construct a detailed picture of a family's life at home: Dad's iPhone connects to the network a little after 6pm and leaves the network routinely at 7am. He must be employed. Junior's iPad is on and connected for about 7 hours a day, but the Wifi interface on the TV is off until late in the evening. Mom must not spend a lot of time with Junior. Meanwhile, the wifi thermostat, the wifi lights, and the daughter's MacBook are alive on this typical /24 network all day long. What's that tell us about this family and how can we tailor our direct-mail & web-based ads to them?

Frighteningly, since ARP and MAC addresses are easy to spoof -especially on a home network-, it's not inconceivable that an automated process inside an IoT device one day starts masquerading as your home's router, which would give you even more great details about this family. Even if your search queries are encrypted, there's still gobs of metadata to be had from such an approach.

All of this is not only possible, it's probable given the fierce competition in IoT, the lack of regulations governing technology use in general, and the fact that, to a marketer, such behavior has a very low risk of being detected due to the nature of a 30 year old plumbing protocol known as ARP.

I don't know of any device doing this of course, but I'm not the only one thinking about it. Steve Gibson dedicated a recent Security Now! show to the problem of ARP at home. His solution? He called it "Three Dumb Routers," a fix that more or less mirrors how enterprises use VLANs to segment broadcast domains.

#Mobile Mondays : Why I still rock a Blackberry

Like a lot of people who work in technology, my approach to mobile phones has always been simple: I want the latest hardware running the latest software and I'm content. I own multiple apps on just about every mobile platform, and since everything these days supports ActiveSync, has mature email/calendar/contact support, and since Microsoft has started developing some awesome applications for iOS & Android, I find I can function on just about any mobile device.

But all that's changed in the last six months or so. Today, a bulky communications device is hanging from my belt. This device comes with gasp a physical keyboard and is decidedly unhip and un-modern, with a square screen, no fingerprint reader, and comparatively few apps.

Yes sir. I rock a Blackberry Classic in an era of cloud, AI, and Uber. Why? Honestly, for one reason:

It gives me nearly full control of my mobile from my PC via Blend: I have observed in many businesses that employees often stop what they are doing on their PC, pick up their mobile phone after a notification, and tap out a response via whatever is hip and cool these days.

I have observed myself doing this as well; for instance I might be coding something cool in Powershell ISE but once my mobile beeps, I stop, move my hands from my awesome mechanical keyboard and pick up my mobile. I wonder how much computing mojo I lose as I switch from computing on a real computer with acres of screen real estate to a tiny computer with a tiny screen and awful keyboard, and then switch back?

I think I lose a lot of mojo, way more, in fact, than when I reach for my cursed mouse. I want to keep my hands on my keyboard because that's where I'm most productive. So how does Blackberry help me do that?
Blackberry Blend Enter Blend, a Blackberry fat client that runs on Windows. Blend essentially tunnels to my phone and allows me to read, respond-to SMS messages, BBM and manage things on my mobile from the comfort of my desktop. It saves me from switching back and forth, in other words, and I find that that fact -incredibly- outweighs all the negatives of rocking a Blackberry in 2016.

There are other ways to make sure your hands never leave your desktop keyboard, but Blend is better than syncing SMS messages to Outlook/Exchange because you won't end up reading the same SMS twice. And it's better than iOS + iMessage + Mac computer because it's agnostic and runs on Windows or OS X when I choose to boot into it. And it's way better than Android's solutions, which involve (where to start?) Hangouts or Push Bullet or AirDroid or some nonsense. Oh, by the way, Blend also has the same UI and fat-client feel on its iPad app.

The way I figure it, the less I'm reaching for and interacting with my mobile device at work, the better. I'd prefer to do all computing & communicating on my workstation as it's built for that purpose and I'm highly-skilled at using it.

When I'm not, Ill, I'll reach for my mobile.

Dear IT Pro : Time for some Toughlove

I've been hearing a lot of talk this spring about a nebulous but huge and important shift in the nature of business and technology. From obvious clickbait headlines ("The Matrix Is Here and Why That's a Good Thing") to podcasts about Agile & DevOpschallenging older business organizational models to no less an authority than the Shellfather proclaiming that an Inflection Point is at hand in IT Departments, there's been much to read, consume and ponder about IT and business technology in Spring 2016.

What to make of it all?

It can't all be buzzword, clickbait, can it? I'm sure much of it is, but I know one thing: I've never regretted taking Jeff Snover's advice, and I'm not about to start now. So if you get nothing else from this post,head on over to Channel 9 and watch his recent video about this "Inflection Point" in IT. And then come back over here for my take on it and some practical advice on navigating the "Inflection Point."


Since so many are speculating about our brave new cloud-enabled utopia, I may as well tell you what I think is going on:

  1. Cloud providers like Microsoft are rolling their own hardware, which has three effects 1) keeps costs of running IaaS/SaaS/PaaS services low, 2) hurts traditional enterprise hardware & software vendors and 3) makes hardware truly abstract and irrelevant when combined with scale. Open Compute Initiative is but one example of this.
  2. These inexpensive cloud services running on commodity hardware enable startups -even ones run by a single individual- to have all the technology bells and whistles their competitors in established and older business enterprises have with none of the Technical Debt or legacy stack headaches.
  3. Agile/DevOps/CI are less about development methodologies and more about a shift in the way businesses organize themselves to compete in the 21st century. New businesses are flat, cooperative, and function more like a sports team coached by a veteran of the sport, while older businesses are just that; older organizational structures based largely on hierarchical models of the 19th and 20th Centuries. Another way to think of this: technical skills and knowledge are as prized as business acumen & education in the 21st century. Having both is positively lethal.
  4. New businesses are finding success in the marketplace, which puts pressure on older businesses to compete.
  5. Older businesses are falling behind for a number of reasons, many of which are related to in-house IT, uptime pressures that prevent change, legacy application stacks, and Technical Debt they never paid off
  6. The five horsemen of the internet are jockeying to position themselves and their technologies as both the lingua franca and coin of the realm for this new business age
  7. All other technology companies, resellers, bespoke hardware vendors and others realize this and are scaling efforts rapidly to profit from the demise of older businesses and IT even as they fear a "Blackberry moment" or are selling their swank Silicon Valley office properties to Google.

If I'm right about this, then my career as an IT Pro might not have as much runway as I thought it did when I got into this field 17 years ago.

What's more, what runway is left in my career will depend entirely on the maintenance of legacy technologies in older businesses, which are facing pressures from new businesses.

That's not a happy thought for me, and I haven't even mentioned the escalating, highly-successful, highly-profitable attacks occurring on older businesses in the US and the west, which adds a strange, almost Darwinian twist to this unfolding drama about older businesses falling behind newer businesses.

But this is a tech blog, not a business blog, and so all of the above boils down to this: what do we do as IT Pros if the talk of Spring 2016 is even partly true?


I rather like my profession and technology, and I got into technology because I liked to learn new things. I want to stay in the game, so I list below some of my recommendations and encouragements for you if you are, like me, an IT Pro or generalist.

  1. Stop browsing the damned web for answers, and start investing in yourself and skill-up! Hey IT Guy, I'm just like you. I skated by in my career for years just Googling (and as of three years ago, Binging) for an answer to a technical problem I was having. Well guess what? Just in Time Knowledge is a bad approach. You need to invest in yourself to transition in this shake-out. And I promise you, it will be very rewarding both professionally.
  2. Build a lab now Talented basketball players practice their craft on their own time, so should you. The neat thing about this cloud stuff is that it's brought the cost down big time; as I wrote two years ago, you can get your own Office 365 tenant with full EOL, SharePoint Online, Azure AD, and Skype for Business for about $10 a month if you don't need the Office client, and under $30 if you do. If you're waiting on your employer to embrace cloud technologies, my advice is simple: don't. You will run out of time and have zero skills that are meaningful in the next 5-10 years.
  3. For the love of bits & bytes & TCP/IP, Embrace Powershell If you haven't already learned about Powershell, you're flirting with career flame-out. You need to make Powershell your primary interface at work, in your lab, and in your mind. It's that powerful and will help you in the years ahead. It helped me not only manage work stuff, but understand .net, which aided me in a bunch of other ways.
  4. Realize Microsoft IT Pros have an edge on Identity services We've been managing a unified Identity system called Active Directory for decades, and guess what? It's still a Thing and it's really the only unified, standards-based identity system that spans legacy on-premise to the cloud. So, dust off your AD Cookbooks, tear up Server TP4, play with ADFS 4.0 and get familiar with MSDN documentation because you're going to be the lead on this whether in an older business that's moving to the cloud or if you're lucky enough to go greenfield with a new business that harnesses Azure & Office 365 on day one.
  5. Remember that one time you had to stand-up an Internal CA for SCCM and you used a GPO to deploy certificates? Well guess what. Even if that's all you know about security, certificates, encryption and authentication, this too will give you a foundation to think about the years ahead. My advice is to embrace the full Microsoft thinking on security, which means that you need to understand attack vectors like Pass the Hash, securing AD, and enabling modern & legacy applications on all types of devices, not just PCs running Windows. Embrace it!
  6. Embrace your inner dev For a long time, I thought devs were just people in IT who beat up on my infrastructure then blamed me for it. Now I realize they are the ones powering this shift, and more importantly, get to play with all the new tech and build things constantly. So I've embraced my inner dev. You should too because that's the way the industry is going.

It's taken me a long time to put all these pieces together, and truth be told, I'm still just an IT Pro with one foot in the cloud and one foot in a legacy application stack.

But I think I'm geared up to transition successfully away from what we think of as IT.

Hopefully I'm on the right track as I've set my O'Reilly and Microsoft Infrastructure books on the shelf. In their place on my desk sit some well-thumbed through copies of MSDN magazine, a book about Object-Oriented Thinking, and Ivan Ristic's book on TLS crypto. Last week, I even compiled my first C# sample application in Visual Studio.

Most of my homelab hardware is powered off, save for a physical Domain Controller, a single Hyper-V host, and my storage box. I'm challenging myself to think beyond the VM.

My immature but passable understanding of the .Net framework has answered questions I didn't even know to ask, and it's given me a stronger understanding about some persistent problems in IT.

My laissez-faire attitude on security has been placed in the recycle bin, my new approach is to try and get an A+ on SSL Labs' website for all things I'm responsible for at work and especially on this blog.

Oh, and I turned off my old blog, agnosticcomputing.com, and stood up this new blog because it's utilizing current technologies Nginx, Ghost, NodeJS, and APIs, everything the old Wordpress/MySQL blog wasn't.

Everyone's path in technology is different, but I feel I should be able to extend the success I've had in my technical career no matter what's ahead by doing some of the things above.

I hope you find the best way forward in your own path and thanks for reading!