Maslow’s Hierarchy of Security Controls

You’ve probably heard of Maslow’s Hierarchy of Needs. It’s a useful way to think about human needs and the priority in which we tend to fulfill them. Somebody dealing with a physiological crisis such as lack of food and water is unlikely to improve their situation much by focusing on self-actualization issues like finding opportunities for their artistic expression.

When thinking about an organization’s security stance or security controls, I find that there is a very close parallel to Maslow’s Hierarchy of Needs. I call it Maslow’s Hierarchy of Security Controls. If an organization is struggling to contain known viruses exploiting patched vulnerabilities, they are unlikely to improve their situation much by trying to address zero-day attacks that operate in a "forensically clean" stealth mode.




When it comes to system defenses and security controls, there are many controls and mitigations you can employ:

  • Antivirus
  • AppLocker in "Deny" Mode (or another technology that does Application Blacklisting)
  • AppLocker in "Allow" Mode (or another technology that does Application Whitelisting)
  • Auditing (especially of implemented security controls)
  • Forensic capture and analysis of host-based artifacts (filesystem, network, registry, etc.)
  • Forensic capture and analysis of memory-only artifacts

Each control depends on the protection of those below it in the hierarchy of security controls. If you only add security controls near the top of the hierarchy, attacks can trivially avoid those controls by exploiting weaknesses lower in the hierarchy.

Here’s a deeper look at these controls, and how they build on each other:



Impact Without Control


Antivirus / Antimalware

Can limit the execution of malware known to the AV industry.

Attacker can write and run any code, custom C++ applications, internet tools, etc.

Can be disabled by administrators. AV signatures can be evaded if the attacker is capable of recompiling or modifying an application.

Applocker in Deny Mode

Can limit the execution of malware known to your organization.

Attacker can write and run any code, custom C++ applications, etc., as long as they aren’t well known attack tools or exploits.

Can be disabled by administrators. Only blocks known evil / undesirable malware, can be bypassed with only minor application changes.

Applocker in Allow Mode

Can prevent the execution of unknown / unapproved applications.

Attacker can write arbitrary custom applicatons, as long as they are not detected by AV or Applocker Deny rules.

Can be disabled by administrators. Attacker can still leverage in-box tools like VBScript, Office macros, HTA applications, local web pages, PowerShell, etc.

Auditing of protections (AppLocker registry keys, AV settings, etc.)

By implementing and watching for registry / filesystem audit events generated when an attacker disables protections like AppLocker, attackers become more visible.

Attacker can disable most built-in controls, and then compromise a system without being impacted by that control.

Auditing is a reactive technology, not a preventative technology. An attack might still be successful, but proper audit monitoring can help you detect it.

Forensic capture / examination of host-based artifacts

Can help detect attacks based on in-box applications that modify the system in some way (such as putting a .VBS / .HTA file on disk).

Attacks that leverage in-box tools may not be detected.

Requires significant expertise and custom tooling to capture and forward all “interesting” forensic artifacts. Can be avoided by in-box components (such as Internet Explorer, VBScript “stagers”, PowerShell, and debuggers) that have the ability to invoke in-memory commands.

Memory forensics / application-specific logging

Can detect forensic artifacts that do not touch disk.

Memory-only attacks may go undetected.

Not all components that have the ability to invoke in-memory commands expose application-specific logging. Memory-only forensics require significant expertise and custom tooling.


So if you find yourself or an organization considering mitigations or security controls at a high level in Maslow’s Hierarchy of Security Controls, be sure that you’ve covered your bases at the lower levels, too. Otherwise, your return on investment will be exceedingly low.

Saving yourself from Sender’s Remorse with Outlook

tl;dr summary: Create an Outlook rule to “delay outgoing mail by <5> minutes”, “unless body contains: ì”, where the character used for the body exclusion comes from typing ALT+141.

“When it comes to email, it seems that I always do my best proof reading immediately after I press the Send button.”

Perhaps you’ve been in the situation before, where you immediately regret sending an email in anger. Or realize after a few more moments of reflection that the email you just sent was well and truly wrong. Or you accidentally hit the “Send” button, and now have an incomplete thought floating around in everybody’s mailbox.

Fortunately, you’re not the first to run into this issue. And if you’re using Outlook, there’s a simple way to prevent it.

The first time somebody told me how they solved the problem, they pointed out that Outlook Rules Wizard lets you set the following condition on all outgoing mail:


In that, they select “Delay sending by 5 minutes”. The next screen in that wizard is the “Except when” conditions, where they said, “Unless sent with high importance”:


That sounds really handy: high-importance mail goes out immediately, while all the rest is delayed for 5 minutes. And it seemed to work – I never noticed hasty / incomplete mails from him, but he did seem like kind of a rager because you’d sometimes get mails marked urgent for totally non-urgent things.

Unfortunately, the issue with that system was that mails are sometimes time sensitive but not urgent. If you take a look at the other exclusion alternatives, nothing seems reasonable. Message size? Subject? (Who wants to tag subjects with things like: “FAST: “).

In search of a solution, I found another useful feature: configuring Outlook to send and receive every 10 minutes, even when connected to a fast network. That way, your mails wait for 5 minutes on average before leaving your outbox. You still get your incoming mail immediately, so it seems like it’s the best of all worlds.

Unfortunately, there were plenty of situations where I went to fish a mail out of my Outbox, only to find it missing.

The issue with this solution is that 5 minutes is only an average. 10% of your mails will leave your Outbox in less than a minute. 5% will vanish in less than 30 seconds. And then of course there’s the 5-10% of mails that feel like they take an entire working day to leave – so basically you’re unhappy about 20% of your outgoing mail J

After some more fiddling, I finally landed on a pretty useful solution, and have been using it ever since. This one goes back to the “Delay sending by 5 minutes” approach, but with one twist. Since the main issue with exclusions in the subject / body of your mail is that externalizes your rules onto your readers, what if they didn’t notice?

Fortunately, there are a handful of characters that look like spaces, but aren’t. To type a special character in Windows, you hold down the ALT key, type the character code on the number pad of your keyboard (not the numbers on the top row of your keyboard), and then let go of the ALT key.

The one I use is ALT+141. It is easy to remember and reminds me of my BBS days.

You have two main options here:

"Except if the subject contains specific words"


When you click on "specific words", press ALT+255, and now every mail you send with this in the subject goes out immediately. This looks like a blank space.

"Except if the body contains specific words"

This is the best – you can replace an ‘i’ with ALT+141 (ì) pretty much anywhere in the content of the mail, and nobody will know.


If you use ALT+255 in that dialog (like with the subject), the rule doesn’t seem to work. It works fine for plain-text mails, but HTML mails don’t seem to pick this up properly. I think that perhaps Outlook auto-correct replaces it with a space.

So instead, ALT+141 is a good substitute for an ‘i’. If you REALLY care about not being intrusive, change it to be white-on-white text.


All in all, I only have two minor gripes with these techniques for Sender’s Remorse:

  1. (In the ‘Body’ case): ALT+141 doesn’t work on a laptop that has no number pad. If this is a big issue, you can copy and paste it from another mail, a "snippets" file, or add an international keyboard that lets you do this without the number pad.
  2. (In the ‘Subject’ case): If you use this technique when responding to an existing mail thread, the subject line change makes Outlook treat your mail as a fork of the thread. This is why I prefer the ‘Body’ approach.
  3. Outgoing mail rules are applied when you press ‘Send’ the first time. If you decide that a mail is time-sensitive after sending it, you can’t add ALT+141 to the content to make it leave your outbox any quicker. If you decide that your mail is time sensitive after pressing send, you need to create a new mail. You can take all the content from the one in your Outbox so it’s not a huge problem, just a slight annoyance.

Repairing a NatureBright SunTouch Plus


I recently had the misfortune of having my relatively unused NatureBright SunTouch Plus break down:




It’s a "Light Therapy" box that is very popular on Amazon, but a recurring problem among the disappointed reviews seems to be that it turns on, but then just immediately clicks and then turns off again. My lamp was out of warranty, so I decided to look into whether it was possible to fix it myself. One thing I noticed was that holding the "On" button would make it repeatedly turn on and turn off – but after a while, you could see that at least all of the bulbs were working. So it wasn’t the bulbs.

Opening up, it’s really a simple device electrically:


Power comes into the box in the middle right of the picture via the grey power cord. It gets split into two parts:

  1. Power for the bulbs, fed into (and fed by) the large grey box on the left.
  2. Into the transformer on the middle right, which brings the 120V down to 12V to feed the circuit at the bottom right.

With the power unplugged, there is nothing to be scared of inside (unlike TVs or cameras that have huge capacitors that can hurt you unless you discharge them properly).

Taking a close look at the circuit board, it was pretty simple. The board was marked "RG1100E", but there was nothing on the internet talking about it.


It has a power button ("K2"), a button to switch the countdown timer ("K1"), and a button to enable the ionizer. My initial hypothesis was that the timer circuit was somehow broken, but that was just a guess. I tested the fuse ("F1") at the bottom left with a multimeter, and it was fine. It showed no resistance – whereas if it was blown, it would show infinite resistance.

One component was very suspicious. Capacitor C1 (missing in the picture above) looked like it had blown / leaked – one of the legs was pretty dirty, and there was slight white residue on the top and bottom. I asked both my daughter and my wife for their opinion of which part might be bad (without telling them my opinion), and they both thought it was the capacitor, too. So I desoldered it to replace it.

Soldering and desoldering takes a soldering iron, solder, and little bit of skill. If you’ve got these already, this was a pretty simple process. The solder pads were large, and the existing solder wasn’t the high-temperature stuff that takes industrial soldering irons to melt. If you don’t have this stuff already, soldering irons are pretty cheap – and soldering doesn’t take much practice to learn. Starting with this $9.99 solder practice kit (which includes the soldering iron!) should let you build all the skill you need.

Here’s how the suspicious capacitor looked after removing it:


This capacitor is 470uf, and rated for 16V. RadioShack had it for $1.49. The primary thing that you have to pay attention to when replacing a capacitor is the polarity (making sure the + and – leads go where they did before). This board had the polarity labeled nicely, so that wasn’t a concern. The C1 capacitor was mounted on its side, so you also need to make sure to leave enough wire below the bottom of the capacitor that you can bend it over as well. Otherwise, the board won’t mount correctly when you go to attach it again. If you bend the capacitor to its side before soldering it, you don’t have to worry about leaving enough room.

Evidently, capacitor issues are a fairly common problem in electronics. The RadioShack reviews have people talking about repairing their SlingBox Solo with new capacitors. When I was doing research, there’s even – a site dedicated to capacitor repair in motherboards / etc. – including identifying bad capacitors, and instructions on "recapping".

If replacing the capacitor didn’t work, my intention was to just bypass the board entirely. The circuit board is really just a fancy way of controlling power delivery to the lights – with an on / off switch, timer, etc. If something more fundamental about the board was broken, it should be possible to just bypass it all with a simple switch rated for 12 volts, and then try to mount that nicely.

However, after replacing the capacitor, it worked! $1.49 to save $100 of electronics.


Absolute Positioning in Autodesk 123D Design

If you’re looking for a way to position an object in an exact spot in Autodesk 123D Design, you might have stumbled on forum topics like:







The last meaningful response was:



It doesn’t appear to have been added yet. Or it has been newly added, and the usability leaves something to be desired. In any case, it’s not as easy as you might think, but here’s a technique that works in version 1.6.41:

1) Click on the Ruler tool under the "Adjust" menu



2) Place the ruler on the origin



3) Select your object

You can now see lots of measurements about it, including how far it is from the origin.



4) Click on a Manipulator (thick arrow)



5) Enter your position in the measurement box that appears


Playing with Classes in PowerShell v5 Preview

One of the features we’re working on in the latest version of PowerShell is the ability to define custom classes.

If you’ve ever used a PSCustomObject or a Hashtable in a script for storing related data, you’ll probably find classes to be a useful addition to your scripting toolkit.


$point = @{ X = 0; Y = 0 }
$point.X = 10
$point.Y = 20


While PSCustomObjects and Hashtables let you group related data, what if you want to perform actions on that data? For example:

$point = @{ X = 0; Y = 0 }
$point.Move(10, 20)


This is the kind of scenario that classes really excel at. You use classes for holding “buckets” of related data, and operations on that date.

While the release notes in the V5 Preview (and of course, upcoming actual documentation) give an overview of how to define a class in PowerShell, here’s what they end up looking like:

class Point
    ## Define two properties, using PowerShell’s regular
    ## variable syntax. You can limit variables to a type
    ## using regular type contraints, toos:
    ## [type] $VarName = initialValue
    $X = 0
    $Y = 0

    ## Define a method (that returns void), and takes
    ## two parameters. You can limit the types on these
    ## parameters, of course.
    [void] Move($xOffset, $yOffset)
        $X += $xOffset
        $Y += $yOffset

## Create a point and use it
$point = [Point]::new()
$point.Move(10, 20)


And in use:

PS C:\temp> c:\temp\point.ps1 | Format-Table -Auto                                                                      
 X  Y                                                                                                                   
 -  -                                                                                                                   
10 20                                                                                                                   

Now, if you wanted to extend this concept far further than you would ever want to, you might get this :)



And Show-BoxDemo in all of its glory. TAB switches between objects, and there are a few other hotkeys in the source.

And if you’re curious:


Creating an Easy PowerShell Uptime Monitor

In a recent post, I blogged some data based on an uptime monitor I put together when I started having problems with my (then) web hosting platform.

Here’s how it works.

The first step is a script, Test-Uri. This essentially runs the Invoke-WebRequest cmdlet and captures the important details: Time, Uri, Status Code, Status Description, Response Length (so you can detect drastic content changes or incomplete responses), and Time Taken.


## Test-Uri
## From Windows PowerShell Cookbook (O’Reilly)
## by Lee Holmes (

Connects to a given URI and returns status about it: URI, response code,
and time taken.
PS > Test-Uri
Uri :
StatusCode : 200
StatusDescription : OK
ResponseLength : 34001
TimeTaken : 459.0009

## The URI to test

$request = $null
 = try
## Request the URI, and measure how long the response took.
$result = Measure-Command { $request = Invoke-WebRequest -Uri $uri

## If the request generated an exception (i.e.: 500 server
    ## error or 404 not found), we can pull the status code from the
    ## Exception.Response property
    $request = $_.Exception.
$time = -1

$result = [PSCustomObject] @{
= Get-Date
= $uri
= [int] $request.
= $request.
= $request.
= $time



The second step automates the invocation of the Test-Uri command, sending its output into a CSV. To do this, you use the Register-ScheduleJob cmdlet. Here’s an example to test your blog every hour:

$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
-RepetitionInterval (New-TimeSpan -Hours 1
) `
-RepetitionDuration ([TimeSpan]::MaxValue)

Register-ScheduledJob -Name blogMonitor -Trigger $trigger -ScriptBlock {
$myDocs = [Environment]::GetFolderPath("MyDocuments"
$outputPath = Join-Path $myDocs blogMonitor.csv
    Test-Uri | Export-Csv -Append $outputPath


As long as your computer has internet connectivity, this is a very reliable approach. And it’s not exactly “big data” – I’ve been monitoring my blog every hour since September 1, 2012 and the CSV is only 1.3MB.

Arvixe Status Report

In 2010, I posted about my woes with WebHost4Life (which I’m shocked is still around.) I looked around for another host, and ended up going with Arvixe. I’ve been happy with them ever since.

In the comments, Sebastian wrote:

Sebastián Cañizares writes:

Arvixe is the same problem … they say “We are currently facing network issues across at least one of our facilities The packet loss is disrupting service” and after 3 months my site still has the problem … the site going up and going down …

I was wondering if I was blind to a problem, so I thought I’d do a bit of digging.

Since learning my lesson with WebHost4Life, I’ve been using a simple PowerShell script to monitor my blog uptime and response time. It’s been running since 9/1/2012.

Caveat: This is running from my house – so the data is actually a combination of:

  • How fast and reliably Arvixe responds to requests
  • How fast and reliably my home connection (Comcast, router, etc.) responds and transmits those requests

In any case, the data I have doesn’t seem to back up what Sebastian says.

Uptime: Out of 12,978 samples, my combined data only failed to get a "200 OK" response code 154 times. So that’s about 99% uptime.

Response times:

  • Until about October 2013, the response times were usually less than 2 seconds. This includes the time that WordPress takes to render the content / etc.
  • After October 2013, most of the response times are still usually less than 2 seconds. However, there has been a secondary band of response times around 5 seconds.




For $6 a month, Arvixe continues to be a great investment.

Handle Hitch Knot for Pulling Thin Rope

If you’ve ever tried to pull hard on thin rope (maybe to tighten slack in a line), you’ve probably wrapped the rope around your hand and felt it dig in as it constricted around your fingers.

Here’s a knot that solves the problem – I call it the Handle Hitch. I couldn’t find it anywhere else – if you’ve heard of it and it has a name, I’d love to know.

With slippery rope (i.e.: paracord), it isn’t suitable for massive loads due to its similarity to the sheepshank. However, it unquestionably improves your ability to grip a line.

Wrap the cord around your hand

The first step is to wrap the cord around your hand. I find it useful to wrap from the outside in.




Create a bight in the exiting rope

And tuck it between your fingers and the series of strands on the back of your hand.




Pull the bight forward



Create a loop in the standing end

Create this loop in a similar way that you create the loop in a sheepshank. The bight we previously created is on the right, the sheepshank loop is on the left.



Pass the bight through the sheepshank loop

As you do with the bight in either end of a sheepshank.



Tighten the sheepshank loop



Let go of the standing end, and pull



Once the rope is under tension, it can accommodate medium loads. With paracord, I found the bight would slip out of the sheepshank loop with about 100lbs of pulling force – a similar failure mode to the sheepshank, but far greater than what is comfortable to pull by just wrapping the rope around your hand.

For loads greater than that, you really would want something more secure – for example, using a strong stick or your pocket knife in a Marlinspike hitch.

Here’s a video of tying this knot:

Gregg Shorthand from a regular QWERTY Computer Keyboard


Download – Gregg Shorthand Keyboard:

ShorthandKeyboard.exe, 720kb.
ShorthandKeyboard.ahk (AutoHotkey script source, 19kb)



If you’ve got an interest in languages, writing, and computers – you may have stumbled into the crazy world of Shorthand and stenography. Pitman, Gregg, Teeline, and others.

File:Gregg shorthand A Christmas Carol.jpg

(Image courtesy of Wikipedia)

Pitman shorthand isn’t very practical in modern society because it relies heavily on thick vs. thin lines. Today’s writing instruments offer very little variation in that regard – because the days of the flexible fountain pen have tragically long since passed. (Of course, you could argue that shorthand in general isn’t practical in modern society, but then you wouldn’t be reading this post.)

Gregg shorthand is entirely possible in today’s world of boring pens and pencils. The speed of Gregg Shorthand comes primarily from:

  1. Alternative letter forms that are faster and easier to write than our traditional alphabet.
  2. A list of “brief forms” (abbreviations) for common words. For example, “men.” instead of “morning”.

For the first step, learning the letter forms is quite easy and takes very little practice. For the second step, most of the refinement in Gregg Shorthand over time has primarily been tweaking the brief forms: how many, and what they are. Learning the brief forms is not easy, and takes a lot of memorization and work.

Since shorthand is a skill subject, it requires REGULAR practice, preferably on a daily basis.  Forty-five minutes to an hour a day would be a good goal if you can squeeze it in.

A person writing regular "longhand” can reasonably get to 50 WPM just writing out regular words as fast as they can. Add in a more efficient symbol system, and then you’re maybe at 70 WPM.

Most speed improvement in Gregg Shorthand comes from the second step – learning the brief forms. That’s what will take a stenographer from 50 WPM to 200 WPM.

Now, you may look at these numbers and think – “I can already type 80 WPM longhand!" In that case, you’ve elevated the symbol system speed improvements from our traditional alphabet to another level. Instead of writing the entire outline of letters (or even faster swooshy shapes), you just flick your fingers in a certain way.

To improve either your Gregg Shorthand skills, or regular typing skills, you may be able to increase your speed even further through regular learning and use of brief forms. But how? By integrating it into your regular daily typing, that’s how.

Attached to this post is a simple “Shorthand Keyboard” application to let you do exactly that.

This application converts the 147 Gregg Shorthand Diamond Jubilee brief forms into their longhand equivalents. You can type shorthand all day, but your [email | blog | Twitter | whatever] readers get the English equivalent. If you type the longhand equivalent of a brief form on accident (or you didn’t know it), the application gives you a simple on-screen reminder.


So when you type: “Ths application converts the 147 Gregg shorthand diamond jubilee brief forms into their longhand equivalents. U k type shorthand all day, bt u-r [email | blog | Twitter | whatev] readers get the English equivalent. If u type the longhand equivalent o a brief form on accident (or u didn’t know t), the application gives u a simple on-screen reminder”, you get the paragraph above.

The application doesn’t replace the brief forms by default, since that tends to conflict too often with stuff you type regularly. Instead, you press your Caps Lock key, enter the brief form, and then any non-alphabetic character (such as a space or a period).

Minor notes:

  • If you want to combine brief forms (such as You + r = Your), use a dash character: [Caps]u-r[Space] = “your ”
  • If you want your replacement to be capitalized, end it with a right-shift. [Caps]u[Right-Shift][Space] = “You “
  • The Gregg Shorthand dot symbol (to add an “ing” to whatever word you just wrote) isn’t supported, since that conflicts with ending sentences. It is implemented for “men. = morning” and “th. = think”, though, as these are the common ones. “A” and “an” are so quick to type anyways that the dot equivalent is not a useful speed gain.

Fixing KeePass’ Slow Startup Performance

If you don’t use a Password Manager to store your login information for websites, first go read this:

I’ve been using KeePass for my password manager for years, but noticed that their Professional Edition had a pretty brutal startup delay. As in – launch KeePass and wait 80 seconds for the window to open. While password security is important, that kind of delay will make even the most security-conscious person start thinking about using ‘123456’ for their password instead.

Surprisingly, I hadn’t seen many complaints online (and certainly no solutions), so I decided to see what Process Monitor might say. After setting an application filter for ‘keepass.exe’, here was the answer:


At 7:14 and 10 seconds, it starts enumerating the files in the directory where it is installed. And then doing this for every subdirectory. On my machine, that results in processing over 1600 files – as it was a random ‘Tools’ directory with all kinds of junk and support files.

At 7:14 and 55 seconds, it finally completes. And then creates a PluginCache file.


If I were a betting man, I’d say that it was looking at each of those 1600 files trying to figure out if they were some sort of KeePass plugin or not. Which takes a long time. This seems even more likely when you load the program a second time. It doesn’t take nearly as long to start because computers are quicker to read files a second time with the assistance of filesystem and hard drive caches.

Fortunately, this is simple to verify:


After rebooting to clear the caches (there are more elegant ways), our suspicions are confirmed. Only 2 seconds to launch – the highlighted line is when Keepass brought up its UI:


So there are two solutions:

Disable Plugins

If you don’t need plugins, you can just disable them.

Move KeePass

If you need / want plugins, create a subdirectory in your Tools directory for KeePass. For example, c:\Users\Lee\Tools\KeePass. When KeePass launches, it will still scrub through that whole directory and its subdirectories – but there will only be a few files there. Then, put a launcher script in your Tools folder:

:: keepass.cmd

start %~dp0\keepass\keepass %*