Admittedly, the last episode had a pretty creepy person in it. I mean more than the guy who hangs out a little too long at the break room. Or maybe leering men’s eyes as you walk down the street. Perhaps wondering if you should drink the beverage when you turned your back on for a moment.
Note I gendered these events. The power dynamic in these situations are primarily men controlling women, placing them in fear or some other fight or flight situation.
In a broad statement from then till generally now, women rarely have an equal footing on control, access, and welding of substantial power in the corporate world. Those who don’t tend to choose career over family as the narrative goes, are seen as gold diggers if they pair up with a more powerful, straight, usually white, male to build a family – pets, kids, real estate, etc. – rather than their independent selves. Sometimes you get a pairing of equals, and even in the rarest of times, maybe looking at Stedman and Oprah, it’s flipped 180 degrees.
To each and everyone’s right to live, be happy and have success, some connections are trope worthy, others have a really good story behind them. In this case, the stories were very much yet to be written, both by the press, and eventually a court.
So, the astute reader at this point in time notes I’m probably dropping more than a few hints in the episode titles as to the key activity or outcome is from these stories. In this case, yes, peer-to-peer (P2P) networking plays a key role in this one. It may not be the hottest worry now in companies, but at the time, due to aggressive pursuits by media companies and their lawyers, we stomped down on any of it we found.
Not that I want to milk one work experience for so many stories, but there was a lot that happened in the near four years I was there. This was first, because it was a Fortune 125 energy company that had a very broad footprint in the US and the market overall. Second, in those near four years, we saw a lot of change in the technology and environment we worked in. Finally, the luck, or perhaps, less than luck involved to have a series of major events around my time that one would be lucky to just experience one of them in their career happened.
As you’ve also noted in the past stories, we had a reasonable amount of coverage for network awareness as to what was transiting throughout certain network segments. We had areas for new companies as we brought them on, a “business partner zone” for our market and transaction partners, our internal corporate network and its segments, and of course a DMZ (demilitarized zone) for our external facing and accessible services to the public.
Most days, we’d see various things bang on our front door, and in those days, we weren’t really in the market for “perfect security” as it’s sold by many vendors nowadays. However, our goal was to be less “juicy” a target than the next organization and not let us be an easy target. Key thing for our sensors on the network was to have some monitoring the outside interfaces and then on the inside, since we had NAT (network address translation), we tended to use this to track the translation of rules activated across that barrier.
We had the occasional denial of service attempt. Website scanning. Port scanning. We also had a lot of background internet noise, with random stuff from worms on the loose triggering alerts at the castle gate, as it were.
What we didn’t get a lot of “insider threat” type of incidents. Short of the occasional case like the two prior ones written about, which we were lucky to stumble upon, most of our issues were with devices that spewed nonsense on to the network from a malfunction or misconfiguration. These were important to catch, as, while the generation networks were reasonably protected, we still didn’t want to risk something chatty to break through a defense and cause problems in those systems.
I mean, I busted somebody for playing an inordinate amount of Everquest on their work computer. I played “block the conference room port” game with some audit consultants whose site sponsor didn’t do the right paperwork to allow for their machines to be on the network. That was an entertaining game of whack-a-mole that our NOC got in on. I wanted to see how far around the office floor those consultants would go on the hunt for an authorized connection port. If we had them in the bathrooms, I would have led them into there.
I even accidentally discovered that our executive office area had open cameras during a vulnerability scan. I mean, given we had small teams for the size company, and still didn’t have anything show up related to us in the news, I figured we were doing okay. Any day without something that could be a distraction was a good day for me.
Some younger folks who read this probably never had to think twice about how they got their media, particularly music. I mean instant access to digital downloads and streaming form nearly anywhere. Many can’t remember a time without a computer, smartphone, or high-speed internet access. But, in a very weird lull in time, between Tower Records’ decline and the rise of Netflix from DVD rentals to streaming, how you got entertainment sometimes veered into what is classified as illegal.
Nowadays, I think many people now have a passive, victimless crime view on digital piracy. We poke fun at the “You wouldn’t steal a…” awareness campaigns that have become a meme, and often don’t’ care about the provenance of the media, as long as we got to see or hear it to remain current in the arms race of pop culture relevance. But for a time, using Napster, Gnutella, Limewire and others to get your personal library of media a little wider and deeper was seen as a little criminal, a little edgy, something that carried a little cache if you said you used it, and then replied back to the person who you shared this with “but did you see/hear it yet?”
We’d hear of stories about the MPAA and RIAA going after grandmothers, college students, and I think one or two pets for downloading a single pirated movie, or better yet, the nature of P2P, was that they may have only had a part of the file, but in the eyes of the law at the time, it was enough to award a ridiculous judgement.
Since the events of this story happening, I’m on my fourth media company, and I value the artists and creators, and hope that when they were contracted, the got worthwhile reimbursement. What I’m not a fan of is having punitive personal damages applied to a single citizen, while there to curb future behavior, be a larger percentage of their income, perhaps over multiple years even than those penalties often given to the companies for much more egregious malfeasance that is, in total, less than a daily rounding error on their income.
Those that know me that I’m very much a fair-compensation person. I have an extensive personal media library in physical form. I will go see a really good movie in a theater. I’ll go see artists I really enjoy at a live show and buy their merchandise. This is the good rewards system, the one that hopefully balances the exploitative arrangement that many artists have with their sponsors and employers.
When balancing these prior pieces of ethical conundrums, when it came to work, it was often a cut and dry determination as to, if we saw company resources being used for a violation of the acceptable use policy (AUP), it was easy to go after the incident until we resolved it or mitigated it from occurring in the future. Keeping out of a legal or PR incident was highly valued at this time.
That being said, a lot of this has sensitivities when you step back and look at the action, activity, seriousness of the offense, and of course who’s involved. Again, everybody seems to be agog at the lightness of white-collar crime sentences are compared to those of a drug conviction, and don’t immediately think things are rigged or biased.
So, then say when found that the trickle of P2P traffic from a single host finally was regular and voluminous enough to warrant deeper investigation.
For most of my time there, we had a pretty good addressing scheme. You could generally work out which company area was on a certain netblock or figure out the role was based on the address as well. We had good naming as well, tying things together by floor and building, so when you had to go find something, you could get close pretty quick.
Things I still has a dead spot in my knowledge was our generation networks, since up until late in my time there, I never had permission to map out and inventory. Again, the mantra, you can’t protect if you don’t know what you have. My network inventory was my road map and most valuable operational asset for my work. The other most valuable was the “decoder ring” for what segments went where and what buildings and other facilities they went to. I was only regularly in four (4) buildings for our company, so everything else was about feeling it out and then documenting it for later reference.
Well, wouldn’t you know, this P2P traffic was on a segment I didn’t know or have documented completely. I really did value our close relationship with our enterprise networking team, so much so to join forces with tools and service purchase of Lancope since we couldn’t ever purchase the solution individually.
You know, teamwork.
But I regularly referenced their spreadsheet for the addressing schema regularly. I re-did similar maps at subsequent jobs because it was stupid easy to use and understand. To the CEG Networking team from 2003-2007, I raise a glass. We still did pwn your VoIP system, so I’ll pay for your drink on account of that.
Now back to that mystery network block. It didn’t seem associated to a plant, a work yard, an office, or even mobile gear. It was a black hole.
But, that was only for a moment.
What the block was, was adjacent to our headquarters’ network. The subnetting was also strange, as it was only about a dozen addresses, way too small for any corporate facility.
To set the stage, I recently took the Department of Homeland Security’s (DHS) Cybersecurity Service exams. They now essentially require a series of exams for certain roles, if only to get you on a pick list for DHS and the Cyber and Infrastructure Security Agency’s open billets or can be offered up to other Federal agencies. I love public service, and having not been in the military, I feel it’s the next best way to give back to your country, so I’d go back if asked.
The exams, which are computer-based, give you a series of technical questions as well as some work simulations. Some are rote memorization, but they don’t tell you what’s covered prior, so whatever is kicking around in your head should be able to be regurgitated. The work simulations try to approximate an event or other incident to see how you’d apply the knowledge. I’ve been providing commentary on my progress on these on my Facebook page but will write a summary of my entire experience to share out with others and maybe get some stuff updated or changed.
The one work simulation posited that there was a breach of the corporate network and a foothold had been taken by some nameless adversary, and as part of one of the risks, besides outages, ransomware and data exfiltration was that the network also housed the CEO’s personal records and data.
While I blew through the simulation and questions, and completed the rest of the exam, that moment stuck in my head.
“Why would the CEO’s personal data and records be on our company network?”
Was this some executive cold storage service we started offering? If we think about personal records, are there any regulations that would affect similar data on our network, like Sarbanes-Oxley (SOX) and Health Insurance Portability and Accountability Act (HIPAA) covered data for employees. What kind of personally identifiable information (PII) on the network besides the CEO’s was on it that should have been included in that simulation’s statement.
So, I sat and stewed on that for a moment.
Are there companies which provided some weird perk to their executives who are already paid a metric ton, to do some basic record keeping and other administrative activities. I mean, it could be some weird CEO contract rider or something.
Then I remembered what happened in this story.
That network segment was a point-to-point T1 from our HQ to the CEOs house.
I found that out with that phone call I mentioned prior. Of course, it was an email to networking for a copy of the updated IP sheet. Sadly, it didn’t have the hole labelled, so I called our executive support “guy”.
He’d helped our team before with patching machines we had a hard time getting to because they were executive machines. I did feel bad for him, as I think he had to wear a suit every day and still was asked to go to network closets and climb under desks for some tasks. We were the home of Jos. A. Bank, well-known discount menswear, but proximity to those resources doesn’t make it any easier.
The call was basically me calling him, because it was easier than an email and, again, as we weren’t mobile like we are today, you were more likely to reach his flip phone than waiting on the delay of an email. Hearing a slight gasp, and then a “how can I help?”
I read off what we were seeing, and that everything pointed to something over his way. So, he asked me to wait a moment… a comically long beat… and then sheepishly replied back, “Yeah, I know where it is. Are you sure you want to be asking this question?”
I said, “Yeah, because I’d like to not have a call from legal asking about why some recording agency firm was calling them about Jay-Z songs being downloaded en-masse from our company.”
Another sigh back, “Well, this is the private network tail off to Mayo’s place. But Mayo is in the office today.”
Now, I want to say that we don’t run private networks to a sandwich condiment. Our Mayo was Mayo A. Shattuck III, the CEO. For folks not recognizing the names of major industry movers and shakers, he worked in investment banking prior, and took over the CEO role a few years prior to me joining. For a time after I had left, he was considered to be in the running to be the Commissioner of the National Football League and was intimately involved with the Baltimore Ravens.
That last bit is of note for this story as well, since his second wife Molly, was lobbying to become a cheerleader for that same team. She was successful in that effort through tryouts, and in 2005 became the oldest active cheerleader in the NFL, which lasted until 2009.
Since I joined the company in 2003, there was about two years where Molly probably was pretty bored, and surprisingly, turned to peer-to-peer networking to pirate, possibly, the music needed to dance for the cheerleader tryouts.
Who knows, but we asked our executive support assistant if he could ask Mayo and Molly if they’d stop doing that because it put the company at legal risk. While it stopped shortly after that, I didn’t publicly document finding out what that segment was for just not possibly getting reverse attention on our team.
Weird thing about all of that. Seems that Molly did have a bit more of a criminal streak in her outside of media piracy. In 2014 she had struck up an inappropriate relationship with a friend and classmate of her oldest son. If you end up finding the media stories on this, they are quite a tale, and others have told it better. But in the end, she was convicted of a sex offence, sentenced to weekend in prison, registration as an offender, undergo and pay for counseling, and restitution to the family.
Again, it seems to be a slap on the wrist. But it also comes at the end of a series of, at the time, stories of women trying to exercise a change in the power balance but doing it all the wrong way. Maybe it’s how those power dynamics play out and create cases where bad decisions are made and then expanded upon. Maybe other contributing factors cause individuals to break bad – I don’t know. I don’t like anybody hiding under notoriety or power, regardless of their gender or other status. There’s a lot of inequality out there and struggles people undergo, and leveraging those is never fair.
Never underestimate where risks exist, and where threats may come from. Like the old horror movie trope, those calls could be coming from inside the house. Monitor and protect accordingly and have processes and procedures on how to handle that insider threat. You never know, you may get a good story about it one day.
