Richard J. Bocchinfuso

"Be yourself; everyone else is already taken." – Oscar Wilde

FIT – MGT5156 – Week 4

Discussion Post

Discuss ROP and code injection.

Late yet again, probably later than I needed to be, but like Dr. Ford said this week at the beginning of the lecture, this was the week I was waiting for, and I had to get a little dirty and break some stuff.

Code injection typically refers to getting something (data) that is not machine code to run as code. Code injection tries to take control of a machine by gaining privilege; the privilege that code injection works to obtain is the ability to run binary code.

To understand code injection and buffer overflows, understanding the stack is essential. Return-Oriented Programming (ROP) focuses on overwriting a buffer on the stack, which overwrites the return address and allows the attacker to jump back onto the stack and execute an instruction. To prevent this, a few defense mechanisms have been developed. (Ford, 2018)

  • The no-execute flag marks memory as non-executable. Data Execution Prevention (DEP) works by using the no-execute flag to prevent attackers from executing data as if it were code. Attackers are unable to execute code from the stack.
  • Address Space Layout Randomization (ASLR) works by randomly moving segments of a program around memory; this prevents the attacker from predicting gadget addresses.
  • A stack cookie (canary) is a random value written to the stack immediately preceding the return address. Before the return address is executed the system checks to see if the canary has been overwritten; if the canary has been overwritten the system will trap execution.

ROP is based on the Return-to-Libc exploit technique but uses gadgets from different areas of memory to create an executable program.

ROP gadgets may look like:
0x1000b516 : pop eax ; pop ebp ; ret
0x10015875 : pop eax ; pop ebp ; ret 0x1c
0x1000ffe3 : pop eax ; pop ecx ; xchg dword ptr [esp], eax ; jmp eax
(apriorit, 2017)

While the widespread adoption of DEP, which ensures that all writable pages in memory are non-executable, has made classic code injection attacks difficult, ROP has become the approach for all modern attacks. Rather than injecting malicious code, the attacker chains together code which already exists in the stack; these code snippets, which are taken from the stack, are called gadgets. (TehAurum, 2015)

I was really interested in getting some hands-on experience here to see how this worked in the real world. A bit of googling and I happened across this website: https://samsclass.info/127/proj/lbuf1.htm – I fired up a Linux machine with Vagrant on my desktop and started playing.

Here is my ASLR example
Note:  I ran in debug mode to show all the commands.  Lines prefixed by the + symbol are input commands and lines with no prefix are output.
vagrant@vagrant-ubuntu-trusty-64:~$ sh -x aslr.sh
+ echo Let’s make sure ASLR is enabled
Let’s make sure ASLR is enabled
+ sudo tee /proc/sys/kernel/randomize_va_space
+ sudo echo 1
1
+ echo Let’s look at the C code that will print the esp (pointer) memory address
Let’s look at the C code that will print the esp (pointer) memory address
+ cat esp.c
#include <stdio.h>
void main() {
register int i asm("esp");
printf("$esp = %#010x\n", i);
}
+ echo Let’s compile the source code into an executable program
Let’s compile the source code into an executable program
+ gcc -o esp esp.c
+ echo Let’s execute the the binary executable esp three times
Let’s execute the the binary executable esp three times
+ ./esp
$esp = 0xd47931b0
+ ./esp
$esp = 0x5526d700
+ ./esp
$esp = 0xf7542b00
+ echo You can see that the memory address changes each time (ASLR at work here)
You can see that the memory address changes each time (ASLR at work here)
+ echo Let’s disable ASLR
Let’s disable ASLR
+ sudo tee /proc/sys/kernel/randomize_va_space
+ sudo echo 0
0
+ echo Lets’ execute the binary executable esp three more times
Lets’ execute the binary executable esp three more times
+ ./esp
$esp = 0xffffe620
+ ./esp
$esp = 0xffffe620
+ ./esp
$esp = 0xffffe620
+ echo You can see that now the memory ddress remaind the same each tiem (ASLR disabled)
You can see that now the memory ddress remaind the same each tiem (ASLR disabled)
vagrant@vagrant-ubuntu-trusty-64:~$

I pushed on to more complex exercises; these are both excellent ones:

A couple of pointers to get started:

  1. Get Virtualbox to build your sandbox. (https://www.virtualbox.org/wiki/Downloads)
  2. Download a Windows 7 Vbox image (https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) on which to run the vulnserver executable you will get above (note: get vulnserver.zip from the alternate link)
  3. Download Kali Linux for Vbox image (https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-hyperv-image-download/)

I left a bunch of stuff out like how to configure networking, getting going with Immunity Debugger, etc… but it’s about the journey, not the destination. Right?

References

Carlini, N., & Wagner, D. (2014, August). ROP is Still Dangerous: Breaking Modern Defenses. In USENIX Security Symposium (pp. 385-399).

Ford, R. (2018, May 23). Vulnerabilities: How Things Go Wrong, Part 2. Retrieved May 23, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTYvQ1lCNTI4ME04VjEvRGF0YS9tb2R1bGUueG1s

Shacham, H. (2007, October). The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM conference on Computer and communications security (pp. 552-561). ACM.

TehAurum. (2015, December 30). Exploit Development: Stack Buffer Overflow – Bypass NX/DEP. Retrieved May 25, 2018, from https://tehaurum.wordpress.com/2015/06/24/exploit-development-stack-buffer-overflow-bypass-nxdep/

apriorit. (2017, June 02). ROP Chain. How to Defend from ROP Attacks (Basic Example). Retrieved May 25, 2018, from https://www.apriorit.com/dev-blog/434-rop-exploit-protection

 

Discussion Response 1

Good post, given that you were interested in tips I thought I would respond with a toolkit for playing with buffer overflows and code injection.
The toolkit (assuming you are a Windows user):

  • Code:Blocks:  http://www.codeblocks.org/downloads/binaries
    • This is a good free C IDE and Compiler
    • Note:  Grab either codeblocks-17.12mingw-setup.exe or codeblocks-17.12mingw-nosetup.zip
    • Note:  To use the debugger you will need to set it up under Setting -> Debugger -> Default, and enter the path to gdb32 (on my system this is  path_to\codeblocks-17.12mingw-nosetup\MinGW\gdb32\bin\gdb32.exe but it will vary, just find gdb32.exe and enter the full path here).  You will also need to make sure you create a project and add .c files to the project, otherwise you won’t be able to debug.
  • OllyDbg:  http://www.ollydbg.de/ or IDA https://www.hex-rays.com/products/ida/support/download.shtml
    • Both good debuggers and disassemblers that will let you view the stack.

Some code to get started with:
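/* vuln.c - deliberately vulnerable: func() copies into a 5-byte buffer with no bounds check */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int func (char *str)
{
    char buffer[5];
    /* strcpy() has no length limit, so input longer than 4 characters overflows buffer */
    strcpy(buffer, str);
    return 1;
}

int main(int argc, char **argv)
{
    char str[517];
    FILE *inputfile;

    inputfile = fopen("inputfile.txt", "r");
    if (inputfile == NULL) {
        /* stop here if the input file is missing instead of crashing in fread() */
        perror("inputfile.txt");
        return 1;
    }
    /* read up to 517 bytes from the file; the data is handed to func() as-is */
    fread(str, sizeof(char), 517, inputfile);
    fclose(inputfile);
    func (str);
    printf("Returned Properly\n");
    return 1;
}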

– Create a text file called inputfile.txt and place at least 517 characters in it.
– Compile and execute vuln.c
– Set a breakpoint at main() and debug to see what happens.

Play around with the size of the read or write buffer:
By changing the value of 5 in “char buffer[5]” in func() to 517
OR
By changing the value of 517 in “char str[517]” and “fread(str, sizeof(char), 517, inputfile)” in main() to 5

If you debug while you play you will start to see things happen.

Happy hacking!
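The canary check from the discussion post and the unbounded strcpy() in vuln.c's func(), modelled in a byte array so nothing real is overwritten, as an added example that is not part of the original posts. The frame layout, the canary and return-address bytes, and all function names are constructed for illustration.

```c
/* canary_model.c: added illustration, not code from the original post. */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 5   /* same size as buffer[] in vuln.c's func() */

/* Constructed model of func()'s frame, from low to high address:
 *   [ buffer: BUF_LEN ][ canary: 4 ][ saved return: 4 ]
 * A real compiler picks the layout and a real canary is random per process. */
enum { OFF_CANARY = BUF_LEN, OFF_RET = BUF_LEN + 4, FRAME_LEN = BUF_LEN + 8 };
enum { CANARY_CLOBBERED = 1, RET_CLOBBERED = 2 };

static const unsigned char CANARY[4]   = { 0x5a, 0xc3, 0x7e, 0x91 }; /* constructed */
static const unsigned char RET_ADDR[4] = { 0x10, 0x20, 0x30, 0x40 }; /* constructed */

struct frame { unsigned char bytes[FRAME_LEN]; };

static void frame_init(struct frame *f)
{
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + OFF_CANARY, CANARY, sizeof CANARY);
    memcpy(f->bytes + OFF_RET, RET_ADDR, sizeof RET_ADDR);
}

/* Report which guarded fields no longer hold their original value. */
static int frame_damage(const struct frame *f)
{
    int bits = 0;
    if (memcmp(f->bytes + OFF_CANARY, CANARY, sizeof CANARY) != 0)
        bits |= CANARY_CLOBBERED;
    if (memcmp(f->bytes + OFF_RET, RET_ADDR, sizeof RET_ADDR) != 0)
        bits |= RET_CLOBBERED;
    return bits;
}

/* Models strcpy(buffer, str): copies up to and including the NUL and ignores
 * BUF_LEN. The write is clamped to the model frame so this program itself
 * stays memory-safe. Returns the damage bits. */
int simulate_strcpy(const char *input)
{
    struct frame f;
    size_t n = strlen(input) + 1;

    frame_init(&f);
    if (n > FRAME_LEN)
        n = FRAME_LEN;
    memcpy(f.bytes, input, n);
    return frame_damage(&f);
}

/* Models a function built with a stack protector (e.g. gcc -fstack-protector):
 * the canary is checked before the saved return address is used.
 * Returns 0 for a normal return, -1 when execution would be trapped. */
int guarded_func(const char *input)
{
    return (simulate_strcpy(input) & CANARY_CLOBBERED) ? -1 : 0;
}

/* The fix at the source: refuse input that does not fit, NUL included.
 * Returns -1 on rejection, otherwise the damage bits (always 0). */
int bounded_func(const char *input)
{
    struct frame f;
    size_t n = strlen(input);

    frame_init(&f);
    if (n >= BUF_LEN)
        return -1;
    memcpy(f.bytes, input, n + 1);
    return frame_damage(&f);
}

int main(void)
{
    /* Constructed inputs: fits, one byte too long, reaches the end of the
     * canary, runs past the saved return address. */
    const char *samples[] = { "abcd", "AAAAA", "AAAAAAAA", "AAAAAAAAAAAAAAAA" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int d = simulate_strcpy(samples[i]);
        printf("len=%2zu canary=%-9s ret=%-9s guarded=%-7s bounded=%s\n",
               strlen(samples[i]),
               (d & CANARY_CLOBBERED) ? "clobbered" : "intact",
               (d & RET_CLOBBERED) ? "clobbered" : "intact",
               guarded_func(samples[i]) ? "trapped" : "returns",
               bounded_func(samples[i]) < 0 ? "rejected" : "copied");
    }
    return 0;
}
```

Because the copy is contiguous, every input that reaches the saved return address has already changed the canary, which is why the check fires before the return is taken.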

 

Discussion Response 2

I’ve started doing some additional research and sandboxing because I am wondering about Return Oriented Programming (ROP) as a method to circumvent Address Space Layout Randomization (ASLR).  Need some hands-on time to really understand how gadgets can be chained given that the address space is randomized.

Doing some additional reading and experimenting to better understand the topic:

Anyway, I feel like I have a good handle on buffer overflows and ROP when ASLR is disabled.  I have played with this on Linux by disabling ASLR on Linux (sudo echo 0 | sudo tee /proc/sys/kernel/randomize_va_space) and when debugging I can see that instructions always reside in the same stack address.  OK, back to the sandbox.

 

Discussion Response 3

Sharing this link
All, here is a good free sample from Coursera and the University of Maryland that reviews much of what we spoke about this week. I found it helpful to reinforce the concepts so I am sharing with you.

https://www.coursera.org/learn/software-security/lecture/Lz5GW/low-level-security-introduction

 

Essay Assignment

Describe in detail code injection attacks and the countermeasures that exist to stop them. What future solutions are there?

 

Midterm Exam

 

Grade: 98%

FIT – MGT5156 – Week 3

Discussion Post

Discuss open source vs. closed source and security.

Another ridiculous week leads to another late discussion post, feeling like a real slacker.  Luckily things settle down next week, so I should be back on track. Apologies to my peers for my late post, yet again, all I could do this week to avoid a mental breakdown was accept a late discussion post.

Before we get started discussing the facts (or opinions of others) associated with open source vs. closed source I wanted to share some personal thoughts on this topic.  I remember installing Slackware Linux (Slackware, 2018) back in 1993, from 20+ floppies, the access to the source code, the ability to tweak or modify the kernel had me convinced that open source would eventually eclipse closed source.  After running Slackware for a few years, like many early Linux adopters I tried other early distributions like Yggdrasil (Yggdrasil, 2018) and Debian (Debian, 2018). In or around 1998 I read Eric Raymond’s essay, “The Cathedral and the Bazaar” (Raymond & Young, 2001), it was around this time that commercial distributions like RedHat (RedHat, 2018) and Caldera (Caldera OpenLinux, 2018) were beginning to take hold in the enterprise.  During this period, I worked in big pharma, and I had traded shell scripting, sed, and awk for a cross-platform interpreted open source language called Perl developed by a guy named Larry Wall. I can remember how fast we were moving now that we were building web applications with open source tech like Apache, CGI, and Perl. Security was for people who didn’t want to go fast, just hit CPAN, grab the library and go. (Perl, 2018). I highly recommend reading “The Cathedral and the Bazaar”, if not, watch the documentary called “Revolution OS”. (Revolution OS, 2012) IMO Raymond’s essay was on the money, but a little early to the market.  Raymond outlined the open source model perfectly, but we were in the age of the innovation, rapid change and resistance; today the open source, agile and the DevOps movements have allowed Raymond’s vision of the Bazaar to be fully realized, and the benefits to agility and velocity are unparalleled. As we all know from Clayton M. Christensen’s book “The Innovator’s Dilemma” (Christensen, 2016), innovators struggle to retain market leading positions, the open source world has many examples of this, first movers like Slackware and VA Linux (Tozzi, 2016) are today either niche players or gone from the market. I provide this detailed background because IMO the paradigm shifts brought about by the movement from the cathedral (closed source, rigid release cycles, etc.) to the bazaar model (open source, continuous integration, etc.) have some real and some perceived implications on security.

I’d like to point out an observation regarding security and social behavior.  People tend to watch their possessions in a cathedral with less vigilance than they would in a bazaar.  This behavior is human nature; when we feel safe we relax, when we feel unsafe we keep a watchful eye, I believe it’s this human behavior that is very impactful.

No matter how much research you do, the answer is almost always that open source vs. closed source in the context of security is a matter of preference rather than one model being more secure than the other. (Security Showdown: The Open Source vs. Closed Source Debate, 2017) Vulnerabilities exist, and there will always be those who seek to exploit them.  My personal opinion is that OSS (open source software) has a perceived attack surface by the user which is broader than that of closed source software; thus the community is more vigilant. Those who willingly adopt OSS know they are moving into a neighborhood with a high crime rate, so they are more likely to lock the door. The alternative opinion is that closed source is less vulnerable because the source code is not “readily” available (Lettice, 2004), but the “security through obscurity” paradigm has been proven to be a poor one.  There are comparable examples of both open source and closed source exploits, such as Heartbleed, the OpenSSL vulnerability, and WannaCry, the ransomware attack that targeted Microsoft Windows users. (Security Showdown: The Open Source vs. Closed Source Debate, 2017) With this said there are not many closed source operating systems or applications which do not contain some piece of open source code.  OpenSSL exists everywhere, and Microsoft Windows has had a package called SFU (Services For Unix) as an operating system option since 1999, today it allows Windows 10 users to run a full Linux distro in user mode on top of the Windows kernel and as we all know Linux is open source. While closed source software is not going away, open source code is integrated into closed source by almost every closed source provider today, making the perceived closed source controls just that: perception, not reality.

To close out my thoughts here, open source vs. closed source is merely a matter of preference and perception.  I believe that the danger lies in the perception that closed source is somehow less vulnerable than open source, this perception relaxes the security posture, and the best way to prevent a breach is to be vigilant.  Linux, the open-source operating system which powers greater than sixty-seven percent of the internet along with open source applications like Apache, Nginx, etc. may be the most prominent targets, but they also may be the most well-defended targets. (Open Source vs Closed Source – Which Is More Secure?, 2017) The inability to obscure open source should remove the sense of “security through obscurity” and foster a sense of vigilance, does this always happen, no, but the premise is sound.

References

Caldera OpenLinux. (2018, May 15). Retrieved from https://en.wikipedia.org/wiki/Caldera_OpenLinux

Christensen, C. M., & Christensen, C. M. (2011). The innovator’s dilemma: The revolutionary book that will change the way you do business. Harper Business.

Debian. (2018, May 18). Retrieved from https://en.wikipedia.org/wiki/Debian

Lettice, J. (2004, Feb 13). MS Windows source code escapes onto Internet. Retrieved from https://www.theregister.co.uk/2004/02/13/ms_windows_source_code_escapes/

Open Source vs Closed Source – Which Is More Secure? (2017, June 13). Retrieved from http://www.franklinfitch.com/blog/2017/06/13/open-source-vs-closed-source-secure/

Perl. (2018). Retrieved from https://www.perl.org/

Raymond, E. S. (1999). The cathedral and the bazaar: Musings on Linux and Open Source by an accidental revolutionary. O’Reilly.

Red Hat. (2018, May 17). Retrieved from https://en.wikipedia.org/wiki/Red_Hat

Revolution OS. (2012, January 25). Retrieved from https://youtu.be/jw8K460vx1c

Security Showdown: The Open Source vs. Closed Source Debate. (2017, April 04). Retrieved from https://www.veracode.com/blog/security-showdown-open-source-vs-closed-source-debate

Tozzi, C. (2016, July 29). Open Source History: The Spectacular Rise and Fall of VA Linux. Retrieved from http://www.channelfutures.com/open-source/open-source-history-spectacular-rise-and-fall-va-linux

Yggdrasil. (2018, May 12). Retrieved from https://en.wikipedia.org/wiki/Yggdrasil

 

Discussion Response 1

Nicely done, good read. Open Source can be a confusing topic, even to those who live it daily. The guttural instinct is to assume that open source is free, like “freeware” but this would be incorrect. There is a quote from Richard Stallman the founder of the GNU (GNU’s Not UNIX!) movement that perfectly describes the freedoms of Open Source; the quote reads “Think ‘free speech’, not ‘free beer.'” The challenge with the word “free” is it does not distinguish between “free of charge” and “liberty.” The other thing that further complicates open source is the number of license agreements which can be applied to open source works, they differ slightly, and the author has to know what he or she is trying to accomplish when applying these licenses to their work. Popular open source licenses include the GPL (General Public Licenses) for which there are multiple versions and controversy over each (watch Revolution OS; Bruce Perens discusses the GPL at length, and Eric Raymond explains the cathedral and the bazaar at length), the MIT license, the Apache license, etc.

I agree that perspective plays a significant role in regards to security and open source vs. closed source. With regards to the attack surface, I think we have to be careful to distinguish vulnerabilities from exploits (i.e. – a piece of malware targeted at a specific vulnerability is written and released into the wild). I like your thought on hackers wanting to disassemble compiled source code to hack it, not sure if they are looking for that kind of challenge, but it’s possible. I think the reality is that today hackers target the user as much as they do the system. When you think about Linux, you think of a user that understands the system, unlikely they bought their computer loaded with Debian at Best Buy, this user is harder to social engineer and deliver a malicious payload to. When you think about the average Windows user, sure some people understand the system, but then there are my parents who click on every link they get emailed. Systems like Windows understand their demographics; they attempt to balance security and user experience, but features like “autorun” naturally make these systems more vulnerable.  The user demographics and attack surface (adoption rate, number of versions that can be impacted, etc.) matter.

Like I mentioned above, on a rainy day watch “Revolution OS” and you’ll have a great intro to open source. If you like it, I recommend “The Code: Story of Linux“.

References

AutoRun. (2018, May 10). Retrieved May 20, 2018, from https://en.wikipedia.org/wiki/AutoRun
Bruce Perens. (2018, May 19). Retrieved May 20, 2018, from https://en.wikipedia.org/wiki/Bruce_Perens
Hash, V. (2012, January 25). Revolution OS. Retrieved May 20, 2018, from https://youtu.be/jw8K460vx1c
N, A. (2014, July 23). The Code: Story of Linux documentary (MULTiSUB). Retrieved May 20, 2018, from https://youtu.be/XMm0HsmOTFI
Open Source Licenses & Standards. (n.d.). Retrieved May 20, 2018, from https://opensource.org/licenses
RobinGood. (2006, October 19). Richard Stallman – What is free software? Retrieved May 20, 2018, from https://www.youtube.com/watch?v=uJi2rkHiNqg

 

Discussion Response 2

Excellent post, I would like to point out a few thoughts that I think are important aspects of open source. First, remember open source is about freedom and liberties and has nothing to do with dollars and cents. If you were to look at the market today, and all the attributed open source software I think you would be surprised by the amount of revenue that is being generated by open source software and its derivatives. It is also important to realize that while the community of open source subject matter experts dwarfs that of closed source, open source has a robust support paradigm. Let’s look at an example; I’ll use Amazon Web Services as a cloud company built almost entirely on open source. Let’s look at a prominent AWS service like EC2 (Elastic Cloud Compute) which is built using Linux and the Xen hypervisor, both open source projects. EC2 is just one of the dozens of AWS services built using open source, that is packaged and delivered to customers with support in a business model (the cloud) that will drive north of 20 billion in revenue in 2018. How about Nvidia and the machine learning craze? Nvidia has been a GPU (Graphics Processing Unit) leader for years, their primary customers were gamers, but the use of GPUs for AI, machine learning, and cryptocurrency mining has propelled Nvidia to new heights. Nvidia capitalized on the machine learning craze and their hardware platform by packaging their hardware with open source software; they called this the DGX-1, a turnkey platform for machine learning. What is the secret to the DGX-1? It’s packaged open source. The challenge with open source, especially in complex applications like machine learning is compatibility, what version of Nvidia CUDA code do I need to pair with my required version of TensorFlow, MXNet, etc., etc.
Those who don’t need commercial support, like me, build systems that closely parallel what Nvidia did in the DGX-1, and we will turn to the community for help (e.g., Gitter, StackOverflow), an example of a packaged machine learning system is Deepo, almost identical to how the DGX-1 is constructed. For the average enterprise where the tech is context, they may prefer to turn to Nvidia for support. Does AWS buy open source support, the answer is no, they employ people capable of debugging the source code and self-support; alternatively the Kalamazoo Credit Union may have a machine learning project, but they don’t want to be debugging the framework source code, they are likely to purchase an Nvidia DGX-1.

I don’t think I can agree with the open source training and usability hypothesis. Conduct a Google search for “learn R”, then conduct one for “learn Matlab” and see if you see a difference in the number of resources for R (open source) vs. Matlab (closed source).

On the topic of security, this is pretty close to a religious argument, what I believe is that the weakest link in the system is the user. I also think that there is a link between the user and exploitation. All systems have vulnerabilities, the Linux kernel has more vulnerabilities than Windows 10 by nearly a factor of 2x, but if you leave the door open and no one robs you there is an unrealized impact. Windows is a target because there is social engineering required to deliver a malicious payload, the link between the user, system usability and ability to exploit a vulnerability is a subjective measure (because I have not done the research), but I believe empirical data would support it.

References

Amazon EC2. (n.d.). Retrieved May 20, 2018, from https://aws.amazon.com/ec2/

CUDA Zone. (2017, September 30). Retrieved May 20, 2018, from https://developer.nvidia.com/cuda-zone

Dignan, L. (2018, May 17). Nvidia continues to ride AI, gaming, machine learning, crypto waves. Retrieved May 20, 2018, from https://www.zdnet.com/article/nvidia-continues-to-ride-ai-gaming-machine-learning-crypto-waves/

Gitter. (n.d.). Retrieved May 20, 2018, from https://gitter.im/

MXNet: A Scalable Deep Learning Framework. (n.d.). Retrieved May 20, 2018, from https://mxnet.incubator.apache.org/

NVIDIA DGX-1: Essential Instrument of AI Research. (n.d.). Retrieved May 20, 2018, from https://www.nvidia.com/en-us/data-center/dgx-1/

TensorFlow. (n.d.). Retrieved May 20, 2018, from https://www.tensorflow.org/

The Linux Kernel documentation. (n.d.). Retrieved May 20, 2018, from https://www.kernel.org/doc/html/latest/

Top 50 Products By Total Number Of “Distinct” Vulnerabilities in 2017. (n.d.). Retrieved May 20, 2018, from https://www.cvedetails.com/top-50-products.php?year=2017

Ufoym. (n.d.). Ufoym/deepo. Retrieved May 20, 2018, from https://github.com/ufoym/deepo

Where Developers Learn, Share, & Build Careers. (n.d.). Retrieved May 20, 2018, from https://stackoverflow.com/

Xen Project. (n.d.). Retrieved May 20, 2018, from https://www.xenproject.org/

 

Discussion Response 3

I think you hit on an excellent point here with the IKEA furniture analogy.
IKEA produces closed source furniture that requires assembly, and they provide subpar documentation. It’s been a while since I bought something from IKEA (kids not off to college yet), but given the price point, I can only imagine what the dial-in support experience is.
Let’s contrast this with Norm Abram and the New Yankee Workshop, what I would consider open source furniture. Norm delivers high-quality plans to a consumer who possesses a certain skill level, is willing and capable of reading the plans, acquiring the raw material, etc. If you are this individual, you get a higher quality deliverable, but it requires a generally higher level of skill as a starting point. If you don’t possess this starting level of expertise, you might lose a finger. Many people will buy from IKEA because they are afraid of losing a finger.
Microsoft is to IKEA what Linus Torvalds is to Norm Abram, closed source vs. open source in the context of self-assembled furniture; I love it!
As a developer I read release notes, I make sure a patch won’t render a library I am using inoperable, well actually not so much anymore because I pretty much microservice everything and use containers to avoid this dependency pitfall, but the anecdote serves a purpose. Your wife is a smart Windows user, she’s the anomaly though, kudos to her for developing her own test and QA department :), the reality is most Windows users upgrade with no idea what is happening, then they scramble when something stops working.

Enough has been said on the religious argument of the security of open source vs. closed source so I will leave this alone at this point. 🙂

Thanks for the IKEA idea, I will definitely be using it in the future! 🙂

 

Essay Assignment

Write an essay contrasting the security models of Linux, iOS, and Windows. Which is more secure and why?

 

OS Security Module Assignment

FIT – MGT5156 – Week 2

Discussion Post

Discuss how an attacker looks at the system.

Sorry for the late post, having too much fun at the ServiceNow Knowledge18 CreatorCon (ServiceNow, 2018) this week; heads down “hacking” some Javascript and Groovy for the past three days and just coming up for air.

What is a hacker? In the context of this class, at least thus far a “hacker” is probably best defined as a person who uses computers to gain unauthorized access.
In his 2004 essay “The Word ‘Hacker’,” Paul Graham states that the word “‘hacker’ connotes mastery in the most literal sense: someone who can make a computer do what he wants—whether the computer wants to or not.” I much prefer this definition.

Before I begin to dig into this week’s post, I want to say how much I love Open Source and the community, but every now and again I am reminded how important vigilance is. Earlier this week, there was an article about a Python library called “ssh-decorate”. Luckily I make extensive use of “Paramiko” (Paramiko, 2018) and not ssh-decorate, but I could have just as easily used the “ssh-decorate” library, and my ssh creds could be sitting on some server with a .cf domain. (Cimpanu, 2018)
Open Source has created this model where people (developers like me) grab a library; they grab a Docker container, etc. from the community and they build and roll to production. The backdoors metastasize so quickly because a library like “ssh-decorate” is embedded into millions of applications.

Before I get into the research on how an attacker looks at a system, let me say that I see a system as the best puzzle game on the planet, one that enraptures me. These puzzles can hold my attention for sleepless days fueled by heavy metal and coffee with the only goal being to solve the puzzle. I consider myself a hacker, a builder, a creator, a developer, an instigator and quite often an agitator. For as long as I can remember I loved taking things apart, learning how they work, making something new from something old and accessing systems which I had no explicit permission to access. I am obsessive (apparently a common trait) and I like to think of myself as a digital explorer and everything from RF hacking to hardware hacking interests me. It’s a great day when you’re sitting on your lawn and have control of your neighbor’s wirelessly controlled devices, like their garage door, car, etc. I like to think of myself as the neighborhood watch, teaching people about the danger that lurks around them. 🙂
If you have never seen an RF hack this is a pretty good video: https://www.youtube.com/watch?v=oGfRAbJ0u0Y
Incredibly easy to execute with the right device, the HackRF One SDR (Software Defined Radio).

Subjectively I believe that hackers regardless of motivation look at systems like a puzzle. Regardless of objectives like financial gain, espionage, FIG (fun, ideology, and grudge), other (errors, glitches, etc.) (calyptix, 2018) I don’t believe a hacker can successfully execute unless their motivation is far more intrinsic, a motivation where the journey is far more interesting than the destination. A McAfee blog (McAfee, 2018) lists seven types of hacker motivations, I agree with these as the motivation for a hack, but I think the motivation of the hacker is far more ubiquitous and foundational. Deep down the separation between a whitehat hacker and blackhat hacker is not that great, one found a legal way to satiate their desire, and one is a bit more mischievous, but the underlying motivation is the same.

In “Understanding the hacker psyche” Steve Gold states that early hackers were motivated by “beating the system”, the next generation of hackers became more destructive, and finally came the 21st century hackers, who became cyber-criminals focused on financial gain. (Gold, 2011)

“Hackers have a compulsion to analyze, to explore and to be curious to the point of obsession.” (Kropko, 2015) I agree! This quote conveys who hackers are, and they look at systems as the only puzzle capable of satiating their compulsion.

References

calyptix. (2018, March 19). What Motivates Hackers? Money, Secrets, and Fun. Retrieved March 09, 2018, from https://www.calyptix.com/top-threats/motivates-hackers-money-secrets-fun/

Cimpanu, C. (2018, May 09). Backdoored Python Library Caught Stealing SSH Credentials. Retrieved May 09, 2018, from https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/

Kropko, M. (2015, April 16). How Hackers Think: Researcher studies the hacker mind | think:blog. Retrieved from http://blog.case.edu/think/2015/04/16/how_hackers_think_researcher_studies_the_hacker_mind

Gold, S. (2011). Understanding the hacker psyche. Network Security, 2011(12), 15-17. doi:10.1016/S1353-4858(11)70130-1

Graham, P. (2004, April). The Word “Hacker”. Retrieved May 09, 2018, from http://www.paulgraham.com/gba.html

McAfee. (2018, March 16). 7 Types of Hacker Motivations. Retrieved May 09, 2018, from https://securingtomorrow.mcafee.com/consumer/family-safety/7-types-of-hacker-motivations/

Paramiko. (2018, April 19). Paramiko/paramiko. Retrieved May 09, 2018, from https://github.com/paramiko/paramiko

ServiceNow. (2018, March 09). Find Your Happy Place At Knowledge18. Retrieved from https://knowledge.servicenow.com/sessions/creator-con.html

 

Discussion Response 1

I like how you framed the perspective in which an attacker looks at the system, by stating that “an attacker looks at the system through its most vulnerable entry point.”  I think this was a tricky question because of the nuance between how someone looks at something vs. how someone sees or perceives something.  I think both perspective and what the attacker sees (perception) once the information is processed are critical details.  I liked your opening because it got me thinking that different attackers will look at the system differently, their perspective and how they see the system will vary based on who they are.  Some attackers may be more adept at social engineering while others prefer writing malware.  Today we think about attackers as human beings, but this may not be the case in the future, as projects like Deephack (https://www.youtube.com/watch?v=wbRx18VZlYA) and other AI-driven attack frameworks are adopted.  With AI the attacker likely looks at the target based on their motivation, like curiosity, criminal activity, etc… and then just targets the AI-driven attack.

 

Discussion Response 2

I enjoyed reading your post. Do you think the primary motivation of attackers (aka hackers) is malicious intent?  Or do we just tend to only hear about the attackers who have conducted malicious activity?  I suppose the word attacker may imply a blackhat hacker with malicious intent, but I believe that the number of hackers who are more focused on curiosity dwarf the number of hackers with malicious intent.

Maybe the answer here lies in not using the words attacker and hacker synonymously.  Paul Graham’s 2004 essay The Word “Hacker” is a great read.  Great innovators have been called hackers, but they attacked nothing more than a problem no one else had or could solve.  Steven Levy’s book “Hackers: Heroes of the Computer Revolution” chronicles hackers such as Bill Gates, Mark Zuckerberg, Richard Stallman and Steve Wozniak.  OK, maybe Zuckerberg attacked our privacy. 🙂

 

Discussion Response 3

I liked your mention of pre-prod, unit and functional testing.  Based on your description, it doesn’t sound like you are yet doing continuous delivery and blue-green deployments?  You’ll enjoy this read:  http://blog.christianposta.com/deploy/blue-green-deployments-a-b-testing-and-canary-releases/

Regardless, when it comes to security in a world increasingly dominated by developers (“The New Kingmakers”, another great read) the vulnerabilities are entering the system really early, like this week’s issue with the ssh-decorate Python library. How many developers were leveraging that library, how many apps were impacted? A lot.

References

Cimpanu, C. (2018, May 09). Backdoored Python Library Caught Stealing SSH Credentials. Retrieved May 09, 2018, from https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/

 

Discussion Response 4

Very interesting perspective.  It would be interesting to contrast hacker demographics with drug lord demographics (E.g. – Gary McKinnon vs. Pablo Escobar). I haven’t done the research, but I suspect a comparison of hackers and drug lords might reveal some motivations that might provide some insight into how the wealth created through cybercrime might look different than the wealth created by the drug trade. It is my hypothesis that the primary motivations differ, curiosity being the hallmark of the hacker and survival being the hallmark of the drug lord, again I don’t have the data so just hypothesizing. With that said there’s the case of Kim Dotcom and Mega, which supports your argument. 🙂
Kim Dotcom, The Good Life: https://youtu.be/oDiili2Gs-0

Time will tell, it’s likely that the computing power and human intellect will deliver a combinatorial explosion of both good and evil.  Let’s hope there’s more good than evil.

 

Discussion Response 5

Sharing – good read based on last week’s strong password discussion
Hacker Kevin Mitnick shows how to bypass 2FA

 

Essay Assignment

What are the vulnerabilities in the boot process? What can an attacker exploit?

 

Boot Process Module Assignment

FIT – MGT5156 – Week 1

Discussion Post

What are the implications of Shannon’s work on security?

Claude E. Shannon is referred to as the founder of information theory, a scientist responsible for classical information theory. Shannon’s paper focuses on communication referencing PCM (pulse code modulation) and PPM (pulse position modulation). In the paper, Shannon explores topics which we are all familiar with today, topics such as bandwidth and SNR (signal-to-noise ratio).

When people think about digital security in today’s world they tend to think about internet security; internet security is really about the protocols, operating systems, and applications which make up the internet. As I looked at Fig. 1 – Schematic diagram of a general communication system (Shannon, 2001, p. 4), I couldn’t help but think about TCP/IP and a simple topological representation as [HOST] <-> [ROUTER] <-> [ROUTER] <-> [HOST].

All the constructs that Shannon discusses in his 1948 paper, like source and destination (host), the transmitter (router, switch, etc…), and channel (wireless TDMA, CDMA, GSM, 802.11, etc…) all still exist and continue to evolve. Shannon talks about the messages having meaning and being correlated to some system (Shannon, 2001, p. 1), TCP/IP are the protocols that run the internet, moving information using packets. These packets are given meaning using IP (Internet Protocol) header information which contains detail about the source and destination, and a TCP (Transmission Control Protocol) header which includes information that allows data to be segmented, delivered out-of-order and reassembled. This TCP/IP header information is what allows the payload (the actual data we care about) to move between source and destination.

We can surmise that Shannon’s work had a significant impact on the TCP/IP protocols that interconnect us all today. When Bob Kahn and Vint Cerf wrote the paper “A Protocol for Packet Network Intercommunication” (Cerf & Kahn, 1974) in 1974, defining the protocols that would become the platform from which the internet would blossom, their concepts for a packet communication network were likely rooted in the work of Shannon.

In 1945 Shannon wrote a paper entitled “A Mathematical Theory of Cryptography” (Shannon, 1945). This paper pre-dates “A mathematical theory of communication” by four years. The cryptography paper was initially a classified document; it was downgraded three years later, an abridged version was published, and the full article was published after being declassified twelve years later. Shannon’s paper on cryptography introduces an unbreakable key-based encryption scheme known as “The Vernam Cipher”. Key-based encryption (“plaintext + key = ciphertext ⇒ ciphertext + key = plaintext”) is widely used today to encrypt and decrypt data at the source and destination, ensuring its confidentiality and integrity while in-flight on public networks like the internet. Cryptography is pervasive, from simple applications like MD5 hashing binaries to guarantee their integrity, to PGP public and private key encryption to SSL encryption (What is SSL, TLS and HTTPS?, n.d.). With 3.9 billion (Internet Users, n.d.) people on the internet and pervasive use of SSL and HTTPS, it’s fair to say that > 50% of the world population has benefited from Shannon’s work on communications and security.
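The “plaintext + key = ciphertext” relation above, worked through as an added example (not code from Shannon’s paper or from the original post): the “+” is taken to be bytewise XOR, and the `OneTimePad` class, the function names and the sample messages are constructed for illustration. It goes one step past the paragraph by enforcing the condition the “unbreakable” property rests on, namely that pad bytes are random, as long as the message, and never used twice, and by showing what leaks when that condition is broken.

```python
import secrets


class PadExhausted(Exception):
    """The message needs more unused pad bytes than remain."""


class OneTimePad:
    """Key material that is consumed as it is used, so no byte encrypts twice."""

    def __init__(self, material: bytes):
        self._material = bytes(material)
        self._offset = 0  # every byte before this index has already been used

    def remaining(self) -> int:
        return len(self._material) - self._offset

    def take(self, n: int) -> bytes:
        """Hand out the next n pad bytes exactly once."""
        if n > self.remaining():
            raise PadExhausted(f"need {n} pad bytes, only {self.remaining()} left")
        chunk = self._material[self._offset:self._offset + n]
        self._offset += n
        return chunk


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """The '+' in 'plaintext + key = ciphertext': XOR is its own inverse."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(pad: OneTimePad, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, pad.take(len(plaintext)))


def decrypt(pad: OneTimePad, ciphertext: bytes) -> bytes:
    # The receiver consumes its own copy of the pad in step with the sender.
    return xor_bytes(ciphertext, pad.take(len(ciphertext)))


def reused_key_leak(p1: bytes, p2: bytes, key: bytes) -> bytes:
    """What an observer of two ciphertexts learns when one key encrypts both.

    (p1 ^ key) ^ (p2 ^ key) == p1 ^ p2: the key cancels out entirely.
    """
    return xor_bytes(xor_bytes(p1, key), xor_bytes(p2, key))


if __name__ == "__main__":
    material = secrets.token_bytes(32)  # shared in advance over a trusted channel
    sender, receiver = OneTimePad(material), OneTimePad(material)

    for message in (b"MEET AT DAWN", b"HOLD POSITION"):  # constructed messages
        ciphertext = encrypt(sender, message)
        print(ciphertext.hex(), "->", decrypt(receiver, ciphertext))

    # Constructed pair of equal-length messages encrypted under one reused key.
    leak = reused_key_leak(b"INVOICE 1041", b"INVOICE 2077", secrets.token_bytes(12))
    print("zero bytes mark positions where the two plaintexts agree:", leak.hex())
```
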

References

Cerf, V., & Kahn, R. (1974). A protocol for packet network intercommunication. IEEE Transactions on Communications, 22(5), 637-648. doi:10.1109/TCOM.1974.1092259

Collins, G. P. (2002, October 14). Claude E. Shannon: Founder of Information Theory. Retrieved May 02, 2018, from https://www.scientificamerican.com/article/claude-e-shannon-founder/

Internet Users. (n.d.). Retrieved May 2, 2018, from http://www.internetlivestats.com/internet-users/

PGP, Public and Private Keys, and How PGP Encryption Works. (n.d.). Retrieved May 02, 2018, from http://accc.uic.edu/service/pgp/how-encryption-works

Shannon, C. (2001). A mathematical theory of communication. ACM SIGMOBILE Mobile Computing and Communications Review, 5(1), 3-55. doi:10.1145/584091.584093

Shannon, C. E. (1945). A Mathematical Theory of Cryptography – Case 20878. Alcatel-Lucent. Retrieved from https://www.iacr.org/museum/shannon/shannon45.pdf

The Vernam Cipher. (n.d.). Retrieved May 02, 2018, from http://www.cryptomuseum.com/crypto/vernam.htm

What is SSL, TLS and HTTPS? (n.d.). Retrieved May 02, 2018, from https://www.websecurity.symantec.com/security-topics/what-is-ssl-tls-https

 

Discussion Response 1

The computational power of RISC-based processors like GPUs, TPUs, FPGAs and other ASICs being applied to password cracking has changed the game. Massive hacks and the dictionaries of passwords which have been aggregated and shared all over the internet as a result (e.g., https://wiki.skullsecurity.org/Passwords) along with available and accessible computational power to conduct brute-force attacks have made even strong passwords vulnerable. A 12 character alphanumeric with special characters password is not as hard to crack as many people think (http://www.netmux.com/blog/cracking-12-character-above-passwords). Provision a boatload of GPU capacity from AWS for a week and you would be surprised by the number of hashes per second you can churn out.

Then there is the application of deep learning to hacking. Projects like deephack (https://www.youtube.com/watch?v=Ybyg8WL0F4o) are starting to apply algorithmic thinking and build neural networks to hack systems.

Here is a little demo I put in this week’s assignment, where I used hashcat (https://hashcat.net/hashcat/) to crack five MD5 hashed passwords: https://asciinema.org/a/R4XnaVL0hKPLLrdF04NGQaO0p

Depending on your perspective I may seem like the only crazy person with a 6 x GPU machine. My wife would live if I only had a single 6 x GPU rig, but the rig I used for the password crack is one of my four GPU rigs. The applicability of GPUs to cryptocurrency mining and machine learning have lots of people with lots of GPU power available either on their rigs or in the cloud.
I ran the password crack demo in the video above on my latest build which I am doing burn-in on in my home office before being added to the farm: https://photos.app.goo.gl/dKKWgB2pENIbTIm33
The interesting part about building GPU rigs for machine learning, mining, password cracking, etc… requires some caution because they pull a lot of power, the components get hot, and many of them are sourced by people like me direct from low-cost component manufacturers. Without exercising caution, you can have a meltdown aka a fire.

Strong passwords are good, but I would highly encourage the use of multi-factor authentication.
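An added example, not part of the original response, giving the storage-side view of the MD5 cracking demo above: unsalted MD5 gives every account that shares a password the same hash, while a salted, iterated hash makes each guess per-account and expensive. The record format, function names, iteration count and sample accounts are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def legacy_md5(password: str) -> str:
    """The weak format from the demo: one fast, unsalted hash per guess."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted, iterated record: scheme$iterations$salt_hex$derived_key_hex."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def shared_legacy_hashes(store: dict) -> list:
    """Audit helper: groups of users whose legacy hashes are identical.

    With unsalted MD5, recovering one of these passwords recovers them all.
    """
    groups = {}
    for user, record in store.items():
        if not record.startswith(SCHEME + "$"):
            groups.setdefault(record, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def login_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Check a login and replace a legacy MD5 record on the first success."""
    record = store.get(user)
    if record is None:
        return False
    if record.startswith(SCHEME + "$"):
        return verify_password(password, record)
    if hmac.compare_digest(legacy_md5(password), record):
        store[user] = hash_password(password)  # the MD5 record is discarded
        return True
    return False


if __name__ == "__main__":
    # Constructed accounts: two users picked the same password.
    store = {"alice": legacy_md5("Summer2018!"), "bob": legacy_md5("Summer2018!")}
    print("identical legacy hashes:", shared_legacy_hashes(store))
    print("alice logs in:", login_and_upgrade(store, "alice", "Summer2018!"))
    print("alice's record is now:", store["alice"][:40] + "...")
```
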

 

Discussion Response 2

Ahhhhh… Analog, my younger years as a phone phreak with my TRS-80 and acoustic coupler were the best. 🙂  Long live John Draper aka Cap’n Crunch.
The blue box and black box were a thing of beauty, enabled by the simplicity of the analog system.  Let’s face it if you were online in the early 80s and knew how to build a black box you built one because who could afford all those local exchange costs, let alone long distance costs.  Then you had the device (don’t remember what it was called but I remember building it and putting inline between the modem and the wall jack) which ran the analog line through a potentiometer, some resistors and capacitors to clean up the line for your 110 baud acoustic coupler to give you a little more bandwidth, the good old days.
To this day I am still a loyal subscriber to 2600 Magazine and listener of Off The Hook, I’ve even hit some clandestine 2600 meetups in faraway lands, that’s a treat.

If you are into some leisure (true story) reading about this era I suggest a book called “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker”.
And of course, you have to get yourself a “Free Kevin” t-shirt. 🙂

 

Terminology Module Assignment

 

FIT – MGT5013 – Week 8, Discussion 2

Discussion Post

Please post at least three (3) issues which you have learned or are taking away from this course.

Culture, culture, culture. I have always believed that “fit” is critical. The coursework helped me to formulate more in-depth thoughts on this topic. Focusing on creating a “best-fit” scenario always has been and will continue to be a focus of mine. In all honesty, I am struggling with the juxtaposition of Simon Sinek’s idea that conveys the organization as a family where leadership is like parenting (Sinek, n.d.) vs. Reed Hastings view of an organization as a professional sports team (Hastings, 2009, p. 24). These are concepts I have been thinking about a lot, and I suspect it is something that I will continue to think about for a very long time. My thought after reviewing the Netflix culture deck in the context of parenting, is that Reed Hastings believes in tough love, he parents, but does it from a place of very high expectations.

Bolster and protect the culture with best-fit scenarios (Robbins & Judge, 2018 p. 81). Use scientific tools like the Myers-Briggs Type Indicator (MBTI) or other personality-assessment instruments, as well as discussions with peers and management to assess prospective candidates and better the probability of a best-fit scenario.

Motivation. Understanding motivation is critical to creating high-performance cultures. I experienced a deep sense of personal enlightenment from Herzberg’s Motivation-Hygiene (Two-Factor) Theory (Robbins & Judge, 2018, p. 102), I loved the correlation between influencers (hygiene factors) and sentiment. I am big on sentiment analysis, I love using big data and machine learning to determine sentiment so this really appealed to me.  I have quoted McClelland’s statement “that high achievers perform best when they perceive the probability of success to be 50/50” (Robbins & Judge, 2018 p. 103) at least ten times already.

It should be no secret at this point that I love the “RSA ANIMATE: Drive: The surprising truth about what motivates us” video and pretty much anything authored by Simon Sinek.

Communication. I related to the idea of an organization as communication. This concept made sense to me because I believe my ability to communicate and the ability for people to communicate with each other is what shapes an organization. The organization is just a manifestation of how we communicate with each other, how communication shapes the culture and how people perceive the organization. Our ability to effectively communicate will have a profound impact on our organization’s culture, successes, and failures.

References

Hastings, R. (2009, August 01). Culture. Retrieved March 18, 2018, from https://www.slideshare.net/reed2001/culture-1798664

Koschmann, M. (2012, May 08). What is Organizational Communication? Retrieved April 15, 2018, from https://youtu.be/e5oXygLGMuY

Robbins, S. P., & Judge, T. (2018). Essentials of organizational behavior. New York, NY: Pearson.

RSA ANIMATE: Drive: The surprising truth about what motivates us. (2010, April 01). Retrieved March 16, 2018, from https://youtu.be/u6XAPnuFjJc

Sinek, S. (n.d.). Why good leaders make you feel safe. Retrieved April 27, 2018, from https://www.ted.com/talks/simon_sinek_why_good_leaders_make_you_feel_safe

FIT – MGT5013 – Week 8, Discussion 1

Discussion Post

Considering the art and science of leadership, how have the readings, lectures, and discussions in this course better prepared you for the role of a leader vs. a manager? 

Classmates, sorry for my late post this week, I was in Ireland all week.  It was a busy week, further complicated by the timezone delta and a seemingly endless flow of Guinness. I know, poor me. 🙂  Spent the week in Naas, Ireland working most of the time, but did have some time to hit the Punchestown festival and enjoy some horse racing and Guinness, lots of Guinness.  If you have never seen horse racing in Ireland, it’s very different than the flat track races we are used to in the United States.
Video (click on the video for sound):  https://photos.app.goo.gl/W94B8VQVQP7udXQCA
Photo of me trackside: https://photos.app.goo.gl/ogadFoFg6oM1WGDL8

What I learned is that I have a real interest in both the art and science of leadership. I was familiar with many of the concepts presented in the class, but the level of research which I had to undertake during the course certainly provided me with a deeper understanding of the science. The coursework and research even led me to do some leadership leisure reading. For instance, I read the book “Leadership is hell: How to manage well – and escape with your soul” which was referenced somewhere along the way in my research.  Not only did I enjoy the book, I felt like it helped me better understand a few people who I manage. In particular, this excerpt from the book shed light on a situation I have been dealing with for years.

“If you’re a people-pleaser, you’ll find it impossible to be content merely expressing yourself. You won’t even know what that looks like. You’ve been too busy sensing what would impress other people, then seeking to do that to the exclusion of everything else.” (Asghar, 2014, Kindle Locations 1430-1432)

I plan to leverage some of my new found knowledge to try to better coach the individuals who I believe are afflicted by the people-pleaser scenario above and my hope is that I will be able to help them elevate themselves.

I try to spend my life in a state of objective reality, rather than subjective reality. Not being subjective is something I have to consciously focus on because I am a passionate and committed person and I often expect others to see things my way, and when they don’t, I become very frustrated. I like to believe I have a vision, and that my execution strategy supports this vision. What I have learned about myself over the years is that I have a tendency to expect others to see my vision as clearly as I do, to execute with the same motivations and rigor that I do and this is often not the case. I have always believed that leadership is a way of life, it’s not something that you do from 9 to 5, leaders don’t get time off from the principles and actions that make them leaders. Leaders always “eat last” (Sinek, n.d.), there is no time when a leader can eat first. I enjoyed the topics which focused on job satisfaction, motivation, values and culture, other sections of the course were interesting, but I find these things intrinsically linked.

As a manager, I feel better armed to live my personal goal of objective reality. I have always been anti-negotiation, feeling that negotiation was always a short-term fix, there are still situations where I think this way, but I also recognize that negotiation can be a way to motivate, it doesn’t always have to threaten the culture. As a result of things I have learned in this class, I recognize how important fit is, I am more committed to the value of culture, and I realize that I need to work on better understanding the motivations of others and increase my focus on communication because communication is what shapes the organization. I now realize that many of my frustrations probably come from a lack of communication, expectations I have which have not been communicated, motivations I possess which are driven by a vision, but I have not effectively communicated my vision to others yet place expectations on them. Improving communication is probably my biggest takeaway.

References

Asghar, R. (2014). Leadership is hell: How to manage well – and escape with your soul. Los Angeles, CA: Figueroa Press.

Sinek, S. (n.d.). Why good leaders make you feel safe. Retrieved April 27, 2018, from https://www.ted.com/talks/simon_sinek_why_good_leaders_make_you_feel_safe

FIT – MGT5013 – Week 7 Assignment

Research Consultant Paper

This research paper allows you to showcase what you have learned from the course and the application within an organization of your choice. Also, it is a chance to use theories gained from the course work and how to apply these to an organization to improve effectiveness.

You are to consider yourself a consultant that was just hired by organizational (does not matter if it is nonprofit or public) leadership to assist with a lingering problem that has impacted the organization’s effectiveness. This problem can be related to an area that you want to research and interests you; i.e., employees upset over anticipated change, performance evaluations being over-inflated, unethical practices, leadership not considering personal choices in the decision-making process, or any other similar type problems. Once you identify the organizational problem, you should develop a plan to address the problem, identify reasons why you feel the problem occurred, label reasons you feel the problem is persistent, and develop a means to overcome the problem. Also, integrate a long-term plan to ensure this problem does not happen again or at least is minimized.

You should consider all the main topics, readings, and discussions you have encountered throughout the course. This paper is a critical part of the class and should not be last minute developed.

Grade: 98%

FIT – MGT5013 – Week 7, Discussion 2

Discussion Post

Define organizational culture and ways culture can be transmitted to employees? What are the various ways it can be displayed? Discuss and provide examples for each. Considering an organization you know well, have any of these examples surfaced as more important than the others?

The text defines organizational culture as the system of shared meaning held by members that distinguish the organization from other organizations. (Robbins & Judge, 2018, p. 266) This definition strikes me as a bit ethereal.

I like the definition of organizational behavior as “a pattern of basic assumptions—invented, discovered, or developed by a given group as it learns to cope with its problems of external adaptation and internal integration—that has worked well enough to be considered … the correct way to perceive, think, and feel in relation to those problems.” (Martinez, Beaulieu, Gibbons, Pronovost & Wang, 2015, p. 1)

This week I visited a customer, I won’t mention their name (at least not yet), but a picture (https://photos.app.goo.gl/ZsStfaEFkYXXJmH93) from my visit might be a good indicator. If you still have no idea, hint, the company is the most popular gaming company in the world at the moment, packing stadiums around the globe for Esports events. The company has an incredibly strong culture and identity, employees are proud of the culture, and they shepherd it, they are players above all else. One of the things they outlined was an organizational culture expectation; they like many other high-performing cultures have a mindset that places employee fit and aptitude over discrete skill and the ability to execute.

A quick look at the Amazon Leadership principles reveals things like “Customer Obsession,” “Invent and Simplify,” “Are Right, A Lot,” “Learn and Be Curious,” “Hire and Develop the Best,” “Insist on the Highest Standards,” and “Think Big.” (Amazon’s global career site, n.d.)  Amazon’s culture is everywhere from the published leadership principles to the domain name relentless.com which Bezos registered in the early days as a potential name for the company before deciding on amazon.com.  relentless.com continues to live on as an important aspect of the Amazon story and redirects to amazon.com, but most of all it represents something known by few about Amazon’s organizational climate.

The well documented NetFlix culture will reveal principles like “People over Process,” “Freedom & Responsibility,” “High Performance,” “Context, not Control,” “Highly Aligned, Loosely Coupled,” and “Promotions & Development.” These principles are guided by values like judgment, communication, impact, curiosity, innovation, courage, passion, honesty, and selflessness. (Culture At Netflix | Netflix Jobs, n.d.)

The company I visited earlier this week defines the culture in a manifesto which has five tenets: “Player Experience First,” “Challenge Convention,” “Focus on Talent and Team,” “Take Play Seriously,” and “Stay Hungry; Stay Humble.” (Who We Are, n.d.)

I love what Reed Hastings says about values “Values are what we Value” (Hastings, 2009, p. 4) and what we value is, in my opinion, a big determining factor of the organizational climate. (Robbins & Judge, 2018, p. 269)

People are the culture, values define the culture, and if the people do not buy into the values, then the culture begins to become fractured and weak.

The common thread you will find across all these cultures is they protect the culture, and they have a maniacal focus on hiring for fit. Each of these organizations has a rigorous interview process designed to protect the culture.  They all gate the hiring process in one way or another to ensure a cultural best-fit situation.

Amazon uses the “bar-raiser” to gate the hiring process. (Steward, 2016) It is the job of the bar raiser to protect Amazon’s strong culture, ensuring that Amazon’s core values will be “intensely held and widely shared.” (Robbins & Judge, 2018, p. 268)

NetFlix and Riot Games are not bashful about stating that they have different requirements for contractors vs. employees. Contractors can be incredible executors, they may have a work specialization (Robbins & Judge, 2018, p. 246 – 247) that makes them highly effective within a specific domain, but maybe they don’t possess the intangibles that would make them a cultural fit. In Netflix’s case this would be “Freedom & Responsibility,” in Amazon’s case maybe this is “Think Big” and in Riot Games’ case maybe you’re not a gamer and you can’t be a Rioter because you can never embody “Player First.” Netflix and many others are overt in stating that they hold salaried, hourly and contract employees to different standards.

Organizational culture is actively on display and transmitted to employees in a myriad of ways. The organizations I mentioned above intently focus on hiring stewards of their culture, who believe deeply and passionately in the values and mission of their respective organizations which makes them cultural evangelists. Riot Games being a gaming company has an immersive cultural experience. An aerial view of Riot Games campus in West Los Angeles will reveal that it is laid out like the League of Legends game board, each area of the office is named and themed like an area (city-state) within the game, and conference rooms are named after characters from the game. Rioters play LoL in a PC Bang; this is where players in South Korea play the game and if you know anything about gaming you know South Korea is the mecca of gaming. I love this line from their website “…creative people making cool shit faster than a Hadron Collider that’s been chugging energy drinks all day. We think you’ll prolly like it, too.” (The New L.A. Campus, n.d.)

More and more I think we see immersive examples of organizational culture. The Riot Games example was fresh in my mind because I spent time there this week, but there are plenty of other examples like the Lamborghini that sits in Alibaba’s lobby in Hangzhou, China. Two men sourced all the parts for the Lamborghini through Alibaba and assembled the car over a one year period just to prove you could buy anything on Alibaba’s massive online marketplace, and now the car sits in the lobby of Alibaba’s corporate headquarters. (Soper, 2015)

References

Amazon’s global career site. (n.d.). Retrieved April 20, 2018, from https://www.amazon.jobs/principles

Culture At Netflix | Netflix Jobs. (n.d.). Retrieved April 20, 2018, from https://jobs.netflix.com/culture

Hastings, R. (2009, August 01). Culture. Retrieved April 20, 2018, from https://www.slideshare.net/reed2001/culture-1798664

Martinez, E. A., Beaulieu, N., Gibbons, R., Pronovost, P., & Wang, T. (2015). Organizational culture and performance. The American Economic Review, 105(5), 331-335. doi:10.1257/aer.p20151001

Robbins, S. P., & Judge, T. (2018). Essentials of organizational behavior. New York, NY: Pearson.

Soper, T. (2015, November 11). Inside Alibaba: Photos from the Chinese technology giant’s headquarters. Retrieved from https://www.geekwire.com/2015/inside-alibaba-photos-from-the-chinese-technology-giants-headquarters/

Steward, A. (2016, October 27). Former Amazon ‘bar raiser’ offers insight into hiring process: What job seekers, companies can learn. Retrieved April 20, 2018, from https://www.bizjournals.com/seattle/blog/techflash/2016/10/former-amazon-bar-raiser-offers-insight-into.html

The New L.A. Campus. (n.d.). Retrieved from https://www.riotgames.com/en/work-with-us/offices/los-angeles/the-new-la-campus

Who We Are. (n.d.). Retrieved April 20, 2018, from https://www.riotgames.com/en/who-we-are

 

Response Post

Scott, insightful and personalized read as usual. I remember being nineteen and joining a fraternity, learning to say the Greek Alphabet with my pledge brothers, forward, backward and in unison before the match stick which was held upside down burned your fingers was not an easy task, but the idea was to be one. The question always was “how many pledges are there?” The answer was always, “one.” Well, not always because when you said 27 the brother who asked the question would say no “one” and when you said “one” the brother who asked the question would say “can’t you count, there is 27 of you”. Anyway, the entire overarching theme was to assimilate you. During hell week we would have an event called jell-o night, where all the pledges would march to the cafeteria at 4 PM (when it opened). Anyone who has ever been to a cafeteria knows they never run out of jell-o, pudding, cottage cheese and whatever else they put in that area of the buffet (been a while), but hey I was nineteen. The idea was that pledge number 27 would eat first, as much as they could in X amount of time, then pledge 26, etc… etc… The idea was you didn’t want to leave the anchor with all the work. I was the treasurer, so I ate 3rd to last and a guy named Brett, he was a beast, was the president of my pledge class and well deserving because over twelve weeks I watched that guy suck up so much slack in support of others, a true leader. Simon Sinek says “leaders eat last” and this guy ate last for twelve weeks and he ate his share, and the share everyone else couldn’t eat, he put the best interest of others above his interest, because his interest was the success of the team, this is leadership.

When asked by people who didn’t know me at 19, who are usually shocked that I was in a fraternity if I would do it again my answer is, absolutely. It’s not the military, for sure, but I did develop a bond with those 27 guys, we struggled together, and we succeeded or failed together without exception. The strong picked up the slack for the weak and everyone had their opportunity to pull their weight in different areas. Getting through without teamwork wasn’t an option and looking back on it, while there were some crazy and stupid things that were done, there were a few valuable lessons I walked away with.

Side note I have an uncle who is an enlisted veteran with 37 years in the Marine Corps with a rank of Sergeant Major, he’s a pretty hardcore individual. He’s been out now for quite a few years, and he struggled to assimilate into civilian life, so he did what felt natural, went to work as a civilian contractor at Camp Lejeune. 🙂

Probably a topic for a different forum (like around the fire with a six pack), but cultures with extreme assimilation typically aren’t very good at adapting to diversity. With a world that is becoming increasingly diverse, I wonder how these cultures will adapt, feels like we are only at the beginning.

FIT – MGT5013 – Week 7, Discussion 1

Discussion Post

“Organizational structure defines how job tasks are formally divided, grouped, and coordinated.” (Robbins & Judge, 2018, p. 246) There are seven key factors which influence organizational structure:

Work Specialization: The division of activities into small, distinct, specialized tasks. The assembly line is an ideal example of work specialization, where a worker performs a specialized and repetitive task. (Robbins & Judge, 2018, p. 246 – 247) The text provides the auto assembly line example; another example would be an Amazon warehouse packer who repeatedly packs boxes.

Departmentalization: Groupings of jobs by function, product or service, geography or process. Functional departmentalization would include grouping by departments like sales, human resources, engineering, etc… Grouping by geography would be something like sales regions. (Robbins & Judge, 2018, p. 247 – 248) I’ll stick with the Amazon example, well Whole Foods. Whole Foods stores stock different items based on regionalization; this is an example of departmentalization by geography or territory. Departmentalizing by geography allows Whole Foods to make decisions within a region that appeals to the preferences of consumers with a region.

Chain of Command: The flow of ascribed authority within an organization. (Robbins & Judge, 2018, p. 248 – 249) Chain of command naturally or unnaturally organizes the reporting structure of an organization; superiors direct the work of subordinates and subordinates execute the work at the direction of their superiors. Chain of command creates a clear demarcation between those creating direction and those executing tasks.

Span of Control: The number of subordinates a superior can manage, or I’ll say the number of mentees a mentor can mentor. Flat organizations tend to have few managers with a larger span of control while hierarchical organizations tend to have a narrower span of control. (Robbins & Judge, 2018, p. 249 – 250) Both models have pluses and minuses. I prefer a flat organization where management has a larger span of control, but there are cases where a narrower span of control is required. I believe that when a narrow span of control is needed, a hierarchical structure with additional management is not always required; the mentor and mentee approach with team leads can be an effective way to maintain a flat organizational structure while addressing the need for a narrower span of control.

Centralization and Decentralization: Where power resides in the organization and how decisions are made. (Robbins & Judge, 2018, p. 250 – 251) I think forms of governments provide an excellent example of this. I grew up in Pennsylvania, and as a young adult, things like auto registration and driver license issuance had to be couriered by a private sector company (Best Auto Tag is the one I remember) to Harrisburg, PA; this was the pinnacle of inefficiency. When I moved to New Jersey, I thought the decentralized DMV, where each county had a DMV and could issue auto tags and licenses, was incredible and efficient. It’s all relative, who likes the DMV, but after living the centralized Pennsylvania system, New Jersey was a dream.

Formalization: How standardized and rigid is the job role? (Robbins & Judge, 2018, p. 251) A highly formalized job means the position is standardized and the employee is given no latitude to make subjective or objective decisions. Formalization values the job over the individual, execution of the standardized process is valued over innovation and free thought.

Boundary Spanning: The crossover of an individual or individuals between organizational groups. (Robbins & Judge, 2018, p. 251 – 252) Cross-functional teams are often assembled to ensure that initiatives which impact the entire organization consider critical stakeholders and are positioned for adoption and success by the broader organization. An example of this is an ERP system roll-out. Because an ERP system will impact every group within the organization, the assembly of a cross-functional team consisting of representatives from finance, sales, engineering, HR and IT would be an approach to encourage interaction, develop cross-functional consensus, define product requirements and prioritize initiatives. These individuals then become subject matter experts and evangelists within their respective organization and increase the probability of success of the project.

The factors discussed above are the influencers of organizational structure. By mapping adherence to the seven factors, an organization can be classified as having a specific structure type, such as a simple structure, a bureaucracy or a matrix structure.

As I researched the factors which influence organizational structure, I was intrigued by a peer-reviewed article which discussed the impact of work specialization and departmentalization on job satisfaction. Not hard to see the benefits and drawbacks of job specialization; while small, simple tasks may increase proficiency and lower training costs, the finite nature of the job can lead to boredom and job dissatisfaction, which can result in absenteeism and low-quality deliverables. The article also drew a correlation between departmentalization and chain of command, stating that functional departmentalization provided a clear reporting structure; while this seems apparent, it highlights that while there are seven factors, they are entwined in such a way that one dominant factor is likely to influence other factors. (Adeyoyin, Agbeze-Unazi, Oyewunmi, Adegun & Ayodele, 2015)

References

Adeyoyin, S. O., Agbeze-Unazi, F., Oyewunmi, O. O., Adegun, A. I., & Ayodele, R. O. (2015). Effects of job specialization and departmentalization on job satisfaction among the staff of a Nigerian university library. Library Philosophy and Practice, 1.

Robbins, S. P., & Judge, T. (2018). Essentials of organizational behavior. New York, NY: Pearson.

 

Response Post

Logan, good explanation of each organizational structure. I’ve seen organizations use a combination of structures, where one division of the organization might be a bureaucracy while another follows a matrix structure. One of my first jobs was in big pharma, and the organization was split into two major groups, corporate and R&D. The corporate side of the business was a bureaucracy, and the R&D side of the business was a much flatter matrix structure. These models make sense when you think about the flow of the drug pipeline. The R&D (drug discovery) business is comprised of researchers looking for compounds that will attack viruses, bacteria, diseases, etc.; this area of the organization favors velocity and innovation with a fail fast mentality. Once a compound shows promise it moves to drug development, still in R&D, but rules get a little tighter as they convert the drug from a compound into a drug (a pill) they can send to the corporate side of the business for clinical trials. Once the drug moves into clinical trials the bureaucracy kicks in; the focus is now on standardization, methodology, and documentation. If the drug passes clinical trials, then it’s on to FDA submissions, and if the documentation is not pristine, all the dollars invested in the previous phases could be lost.

Both of these models make sense in the context I described above; overall, though, pharmaceutical companies are bureaucracies, and from what I understand this has gotten worse in the twenty years I have been out of this business.

I have heard the argument the text outlines between the production manager, R&D manager, marketing executive and the accounting manager more than a few times. (Robbins & Judge, 2018, p. 253)

References

Robbins, S. P., & Judge, T. (2018). Essentials of organizational behavior. New York, NY: Pearson.