The LinkedIn Real-time Messaging Phish of 2019

The LinkedIn Gangsters

A few days ago I received an invite from an old fintech colleague over the LinkedIn messaging service. The message read:

“Hi, I have attached a document for our new business financial proposal for your review. Access the proposal through the extension below and get back to me at your earliest convenience.

https://onedrive.live.com/?authkey=%21AFbNEI4K8RcVpmE&cid=EBDC72C570C985A5&id=EBDC72C570C985A5%21180&parId=root&o=OneUp

Coming from a 1st degree connection made this look like a legitimate communication. But I hadn’t been in touch with my friend for a while, nor had we discussed any business recently, so this seemed a bit odd.

I texted him back via LinkedIn to verify that he indeed sent it. To my surprise, he responded in real-time with a confirmation. When I asked him if it was intended for me, he again confirmed it via the messenger application (Image 1).

Image 1: LinkedIn texting session

By all phishing standards, this one takes the cake. The attacker was actually conducting his exploit in real time using my colleague’s compromised LinkedIn account. This was alarming because (1) the relatively high degree of trust that exists between you and your 1st degree network opens the door to a wide range of trust-based attacks, and (2) the real-time text messaging helped validate that the person I was talking to was the sender.

I switched to a sandboxed machine, clicked on the link, and went down the rabbit hole…

Image 2: Link from the texting session to a OneDrive-hosted PDF, with a secondary login required to “View Message Folder”

The link to the business proposal routed me to a PDF file that was hosted on a publicly accessible Microsoft OneDrive folder (Image 2).

The PDF metadata indicated that it was created recently and dynamically using Office 365 MS Word. The file name was based on my colleague’s LinkedIn profile, and the subject of the proposal was also related to his line of work. The author name of the PDF document had the wishful name “Incoming Wire”.

Image 3: The phishing PDF metadata

In order to “Continue reading your messages from OneDrive for Business”, I had to click on a second link titled “VIEW MESSAGE FOLDER”.  

The second link routed me to the URL “https://normaav.ga/review”. This appeared to be a general access portal that aggregated different email systems and allowed the user to select their email provider of choice in order to view the “business proposal”.

Image 4: The login portal loaded after clicking the PDF link

Clicking on the Office365 button option loaded a sign-in page and prompted me to enter my email address and the password for my Office365 account.

Image 5: The fake Office365 login page

Clicking on the other buttons resulted in the same functionality but with different email client login screens.

Image 6: The other login pages

The amount of detail built into the site was impressive. Where most phishing login pages deactivate superfluous links and features for efficiency reasons, this site was fully functional and even included the ability to reset your password, complete with a working glyph generator and voice word reader.

Image 7: Sample password reset screen

Next, I checked the .GA domain for some clues. It came back as a Gabon-based account; however, the registrar details listed the following Netherlands address:

Domain name:NORMAAV.GA
Gabon TLD B.V.
My GA administrator
P.O. Box 11774
1001 GT Amsterdam
Netherlands
Phone: +31 20 5315725
Fax:     +31 20 5315721

After a little more digging, I found that the same owner also registered several other phishing domains that included sites like:

Domain name:TECHGURUHELP.GA
Gabon TLD B.V.
My GA administrator
P.O. Box 11774
1001 GT Amsterdam
Netherlands
Phone: +31 20 5315725
Fax:     +31 20 5315721

So, from the look of it, this phishing site was just an elaborate email address and password collection utility. It wasn’t used for malware distribution or payload delivery.

The normaav.ga site was made up of several directories, each containing PHP, HTML, image, ZIP, and JavaScript files. The ZIP file housed all of the executable site code and also provided an additional layer of obfuscation against any anti-malware scanners running on the hosting server.

Image 8: Sample content of one of the normaav.ga website “file” directories

Image 9: The content of the “assets” directory showing the images and icons used to create the fake login screens

As far as the mechanics of the user data collection, clicking the “Next” button on the email login screen executed the following POST handler:

// Excerpt of the kit's credential-collection handler; systemInfo() is a
// geolocation/user-agent lookup helper defined elsewhere in the kit.
if (isset($_POST['username']) && isset($_POST['password'])) {
    if ($_POST['username'] !== "" && $_POST['password'] !== "") {

        $date = date('l d F Y');
        $time = date('H:i');
        $user = $_POST['username'];
        $pass = $_POST['password'];
        $source = $_POST['from'];
        $ip = $_SERVER['REMOTE_ADDR'];
        $systemInfo = systemInfo($_SERVER['REMOTE_ADDR']);
        $VictimInfo1 = "| Submitted by : " . $_SERVER['REMOTE_ADDR'] . " (" . gethostbyaddr($_SERVER['REMOTE_ADDR']) . ")";
        $VictimInfo2 = "| Location : " . $systemInfo['city'] . ", " . $systemInfo['region'] . ", " . $systemInfo['country'] . "";
        $VictimInfo3 = "| UserAgent : " . $systemInfo['useragent'] . "";
        $VictimInfo4 = "| Browser : " . $systemInfo['browser'] . "";
        $VictimInfo5 = "| Os : " . $systemInfo['os'] . "";
        // The report body that is later e-mailed to the collection address
        $data = "
+ ------------- Scampage --------------+
+ Account Details
| Username : $user
| Password : $pass
| Source: $source
+ ------------------------------------------+
+ Victim Information
$VictimInfo1
$VictimInfo2
$VictimInfo3
$VictimInfo4
$VictimInfo5

| Received : $date @ $time
+ ------------------------------------------+
";
    }
}

It’s evident from the labels and variable names that the developer didn’t even bother anonymizing them; they are just matter-of-factly named “Victim Information”, “VictimInfo1”, “Scampage”, etc. Apparently, in the scammer industry, ripping off people is just another dehumanized, banal job, not much different than stuffing hot dogs into a box on a production line.

Image 10: Phishing victims as hot dogs

The data upload logic was also rudimentary, without any fancy command and control architecture. Once all of the user information was collated, the content was simply posted to a “boxoffice794@gmail.com” email address. This Gmail account turned out to be just one of over 8134 emails used for data collection. The phishing site itself also came in a number of variations, with different versions utilizing one or more of the listed email addresses (see a few samples below).

Password Collection Email Addresses

adamandeve10000@gmail.com
emailresult1000cc@gmail.com
boxresult81@gmail.com
johnbeng95@gmail.com
tingyangting111@gmail.com
sharoncute48@gmail.com
mrtrqbing@gmail.com
chingy555@gmail.com
cleverin15@gmail.com
edu.logs1@gmail.com

Table 1: A sampling of 10 emails out of the 8134 used by the phishing sites.

From a linguistic and semantic point of view, the creator of the site and the email accounts is most likely a native American English speaker who pays close attention to detail. The verbiage on the site has no spelling or major grammar issues. The composite names used in the email accounts demonstrate clever wordplay and use of contemporary idioms. The word generation algorithm also takes into account human-readable combinations such as:

sql-injection
alibaba-reloaded
blood-money
call-me-ghost
extremely-blessed-007

Another interesting observation about the code is that it utilizes defensive strategies and countermeasures. For example, it uses a blacklist of IP addresses to stop the data uploader from running on high-risk networks (like Fortinet, Kaspersky, AVG Technologies, etc.) where this activity would most likely be quickly detected and stopped. So in essence, this is a signature-based form of reverse malware protection.

# _blacklist.dat - contains address ranges to always be blocked.
#   Only IPv4 addressing is supported.
#
#   legal range formats are:
#
#   255.255.255.255                    Single address
#   255.255.255.255/16                 CIDR Mask
#   255.255.255.255/255.255.0.0        address w/mask
#   255.255.*.*                        wildcards
#   255.255.255.0-255.255.255.255      low to high address
#
#   Comments may be added to a line starting with '#' character
#   and inline comments may be added starting with '#' character.
#

#  TOR SERVERS IP RANGES

96.47.226.16-96.47.226.23
74.120.15.144-74.120.15.159
96.44.189.96-96.44.189.103

#  AMAZON IP RANGES

54.219.0.0-54.219.255.255
54.193.0.0-54.193.255.255
204.236.128.0-204.236.255.255
54.242.0.0-54.243.255.255
107.20.0.0-107.23.255.255

Table 2: Extract from the blacklist used by the application in order to avoid high-risk networks
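As an added example (not code from the kit or from this article), the following Python parser implements the five range formats that the kit’s file header documents, so an analyst can check which egress addresses the uploader would refuse to run from and why a sandbox on one of them sees nothing happen. The TOR and Amazon ranges are the ones quoted above; the remaining rules and the probe addresses are constructed.

```python
"""Parser for the _blacklist.dat range notation used by the phishing kit.

Added example, not the kit's own code. The sample below mirrors the extract
in the article; the last four rules are constructed to exercise the other
formats the file header allows.
"""
import ipaddress
from typing import List, Optional, Tuple

SAMPLE_BLACKLIST = """
# _blacklist.dat -- contains address ranges to always be blocked.
#  TOR SERVERS IP RANGES
96.47.226.16-96.47.226.23
74.120.15.144-74.120.15.159      # inline comments are allowed
96.44.189.96-96.44.189.103

#  AMAZON IP RANGES
54.219.0.0-54.219.255.255
54.193.0.0-54.193.255.255
204.236.128.0-204.236.255.255
54.242.0.0-54.243.255.255
107.20.0.0-107.23.255.255

#  Constructed rules covering the remaining formats from the header
10.1.2.3                         # single address
192.0.2.0/24                     # CIDR mask
198.51.100.0/255.255.255.0       # address w/mask
203.0.*.*                        # wildcards
"""

Rule = Tuple[int, int, str]  # inclusive low, inclusive high, original rule text


def ip_to_int(text: str) -> int:
    """Convert a dotted-quad IPv4 string to an integer (raises on bad input)."""
    return int(ipaddress.IPv4Address(text))


def parse_rule(rule: str) -> Tuple[int, int]:
    """Return the inclusive integer range [low, high] described by one rule."""
    rule = rule.strip()
    if "-" in rule:  # low-high form
        low, high = (ip_to_int(p.strip()) for p in rule.split("-", 1))
        if low > high:
            raise ValueError(f"range low > high: {rule!r}")
        return low, high
    if "/" in rule:  # CIDR prefix or dotted netmask
        # strict=False: the header's own example (255.255.255.255/16) has host bits set
        net = ipaddress.IPv4Network(rule, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if "*" in rule:  # wildcard octets: '*' spans 0..255 in that position
        octets = rule.split(".")
        if len(octets) != 4:
            raise ValueError(f"wildcard rule needs four octets: {rule!r}")
        low = ".".join("0" if o == "*" else o for o in octets)
        high = ".".join("255" if o == "*" else o for o in octets)
        return ip_to_int(low), ip_to_int(high)
    single = ip_to_int(rule)  # single address
    return single, single


def load_blacklist(text: str) -> List[Rule]:
    """Parse file contents: '#' starts a comment, blank lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        low, high = parse_rule(body)
        rules.append((low, high, body))
    return rules


def matching_rule(ip: str, rules: List[Rule]) -> Optional[str]:
    """Return the text of the first rule covering ip, or None if it is not blocked."""
    value = ip_to_int(ip)
    for low, high, text in rules:
        if low <= value <= high:
            return text
    return None


def is_blocked(ip: str, rules: List[Rule]) -> bool:
    """True when the kit's uploader would refuse to run for this client address."""
    return matching_rule(ip, rules) is not None


if __name__ == "__main__":
    rules = load_blacklist(SAMPLE_BLACKLIST)
    # Constructed probe addresses, e.g. where an analysis sandbox might egress from.
    for probe in ("96.47.226.20", "54.243.17.1", "203.0.113.9", "198.51.100.77", "8.8.8.8"):
        hit = matching_rule(probe, rules)
        print(f"{probe:<16} {'BLOCKED by ' + hit if hit else 'allowed'}")
```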

It’s noteworthy that several of the PHP functions (see sample below) contain a reference to “MADEMEN CYBER TEAM”. The code also contains references to a specific developer using the alias “Sage The Hurt Ice”; this name is also associated with active PayPal accounts called “payp algent” and “paya_ldirect”.

Image 11: The author “SAGE THE HURT ICE”

<TABLE>
    <tr><td>________MADEMEN CYBER TEAM_________</td></tr>
    <tr><td><STRONG>$domain I.D: $login</STRONG></td></tr>
    <tr><td><STRONG>Password: $passwd</STRONG></td></tr>
    <tr><td><STRONG>IP: $ip</STRONG></td></tr>
    <tr><td><STRONG>Date: $server</STRONG></td></tr>
    <tr><td><STRONG>country : $country</STRONG></td></tr>
    <tr><td>Browser : $browserAgent</td></tr>
    <tr><td>____HACKED BY SAGE THE HURT ICE (SKYPE =PAYP ALGENT)____</td></tr>
</TABLE>

What makes this exploit so potent is that the operation combines machine-generated content, a large degree of automation, and the creation of near real-time customized payloads based on LinkedIn account user data. Just as a traditional mail merge customizes each letter by pulling content from different databases, the same takes place here, with the slight variation that the database is the user’s LinkedIn profile and the ‘mail to’ list is his entire LinkedIn network.

With all of these dynamic orchestration capabilities, the cherry on the cake is that there was also a human in the loop who chatted with the target in real time in order to confirm the authenticity of the phish.

This exploit should be a major concern for LinkedIn and its users. In 2016, LinkedIn lost 117 million user accounts (they were breached in 2012 but didn’t discover it until 2016). Many of these passwords have not been changed by users who are still unaware of the breach. This means that the perpetrators of the current phishing expedition are essentially shooting fish in a barrel.

Based on the normaav.ga site uptime of 4 days (before it was flagged as ‘deceptive’ by the search engines), the volume of recovered passwords, and the number of concurrent phishing campaigns (about 10K), a conservative estimate for this campaign’s yield is over 100K new breached accounts.

So what can you do to avoid getting your LinkedIn account hacked? Obviously, don’t click on any links sent to you via the messenger. Stop reusing the same password for multiple accounts and make your passwords more complex. You should also consider using a password manager. In the long run though, your best bet is to enable two-factor authentication (using your phone) for all of your accounts. Most ecommerce sites like Amazon, PayPal, and email providers already offer this as a free service, and activating it is just a simple two-step process.

Notes
Soon after detecting the exploit, I notified LinkedIn about the details of the breach. It took LinkedIn more than 48 hours to reply. The response I got was “We have provided this information to the correct team to review further and act based on their results.” I haven’t heard back from them since. I have also followed up with several of the victims, who were completely unaware that someone took over their LinkedIn account and was using it to mount a phishing expedition.

If you haven’t done this for a while, it may also behoove you to log in to your LinkedIn and other social media accounts just to make sure they are still accessible.

References
2019 State of the Phish Report (pages 11-19 cover estimated recovery rates) – Proofpoint.com
The complete phishing kit (source code and files)
The phishing email addresses directory (where the stolen credentials are sent after harvesting)
LinkedIn Breach Exposed 117 Million User Accounts – eSecurity Planet
Facebook stored 200-600 million Instagram passwords in plain text – IT ProPortal
Password Safe – A free and open source password management system

© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

The Great Password Storage Survey

Find Milton's Password

The idea for the password survey came about more than fifteen years ago when I managed a security team in a large Fortune 500 organization. While designing a new fraud detection platform, we discovered that a relatively large number of previous security breaches and incidents were attributed to compromised user passwords and credentials. The data suggested that this problem affected all business divisions and departments across the company and our partners. After a successful campaign to launch a corporate-wide root cause initiative, we ran a pilot that examined the password storage and retrieval practices in one of our regional offices with about 900 employees. After concluding the initial survey, we expanded the sampling to three other corporate locations.

The results of the first survey were supplemented by data I collected a few years later while working for a managed security service company that provided hosted proxy, firewall, IDS, and anti-malware service to several hundred credit unions and community banks. The focus of the second survey was on small to medium size U.S. based financial institutions.[1]

The total population examined in this study was about 3700 individuals and accounts and included the development, IT, administration, and various business units. The companies sampled reflect a typical cross-section of large (20K-40K) and small to medium (20-750) sized organizations and represent a historical snapshot of a typical regulated financial service company circa 2003-2010.

Introduction and Background
Knowledge-based authentication that utilizes passwords is different from other access control methods because it promotes the idea that by increasing the password entropy we can resist and discourage a brute force password recovery attack.

For many security practitioners this seems like a panacea. Policies calling for additional password complexity appear attractive at first, but their practical enforcement on a multi-platform, enterprise scale is difficult.

This is especially the case when we prohibit users from writing their passwords down or reusing them. The user’s inability to manage numerous complex and frequently expiring passwords can eventually compromise even the most secure environments that support multi-tiered firewalls and utilize the most advanced IDS, and robust VPN connectivity.

Paradoxically, it seems that when it comes to passwords, the user is caught between a rock and a hard place; the more secure the password is, the less so is the user.

Heterogeneous Environments
The never ending cycle of M&A continues to create heterogeneous platforms within the enterprise. This phenomenon results in the proliferation of systems with different rules for password lifecycles, login procedures, and authentication standards. The impact on the users has been overwhelming as they need to deal with an ever increasing number of login challenges.

Even in well consolidated environments that utilize state of the art Active Directory and Single Sign-On, there are a handful of work-issued standalone devices and online accounts that are not tied to the central login infrastructure. In these integrated environments, the expiration of individual passwords is rarely synchronized, often causing a cascade of resets on other systems with significant user lockouts and loss of productivity.

To further complicate this, all employees also maintain dozens of non work-related passwords that they use during their work day. This significantly increases their cognitive burden, so in an effort to conserve energy, some resort to consolidating their private and work passwords into a single file. The survey suggests that if we tally the work and private accounts, the average number of passwords each person has can exceed 60 (Chart 1).

The number of work related accounts varied with the user’s corporate responsibility (Chart 2), but on average, each had between 10-20 passwords.

Chart 1: Average number of passwords per user

Information Overload
The human factor plays a significant role in the challenge of creating, storing, and retrieving complex passwords. A number of psychological experiments have demonstrated that subjects are able to repeat accurately around eight meaningful combinations of letters, numbers, and words.[2]

When a user is given several random passwords that are eight characters long, most will remember only one. If a user is required to remember two or more such passwords, he or she will likely resort to writing them down.

When asked how many IDs and passwords they had to keep track of, the immediate answer was “way too many!” The majority of users also stated that it was bad enough when they only needed a handful of passwords to access e-mail, the network and mainframe accounts, but now every internal and external application required a complex password.

Chart 2: Average number of passwords per user type

Chart 3: Reasons for writing passwords down

So how did the users resolve the problem of maintaining dozens of strong passwords? When pressed, most admitted—as the research suggested—that they resorted to keeping a written list or that they have been using the same password or a variant of it for multiple systems. 

On the record, administrative staff denied that they followed this practice but off the record they admitted that they were powerless to stop it and that they themselves were guilty of these same offenses. Other industry sources suggest that this is indeed a widespread phenomenon.[3]

When questioned about their memorization techniques (the policies require that passwords be memorized), many of them indicated that utilizing mnemonics, backronyms, and other techniques was tiresome, and this resulted in forgetfulness, mistakes, and system lockouts.

The majority of users (75%) stated that they could not memorize complex passwords and when they attempted to achieve this in the past it always resulted in password resets. It is interesting to note that as much as 10% of the users felt that the high frequency of the password expiration did not warrant the investment in memorizing it. Another 10% of the users felt that actually writing the password down made them more productive.

Chart 4: Password found by unit

Chart 5: Password issued vs. password memorized

Password Storage Strategies
The password searches identified the existence of two types of password storage strategies. The first group (1) which consisted of 27% of the recovered passwords was made-up of data that was either handwritten or printed and stored in the user’s immediate work area. 

The written documents included artifacts such as post-it notes, legal pads, notebooks, and text on dry erase board. The second category (2) consisted of 73% of the recovered passwords found on electronic storage in the form of digital files on portable storage devices, smart phones, hard drives, and network shares.

Chart 6: Password storage areas

The large percentage of electronically stored passwords suggests that users are somewhat security conscious and that they do look for a middle ground between the two evils of keeping passwords out in the open and memorizing them.

The high rate of spreadsheet utilization (35%) for password storage suggests that without a proper company sponsored tool for managing passwords like the password safe, users will instinctively gravitate toward the next ‘best’ technology available in-house.

Password Hangouts
The most common hiding places (5% each) were under a mouse pad or on sticky notes kept in a book or folder somewhere in the user’s immediate work area. The total percentage of passwords hidden ‘under’ various items (Table 1) was 27%.

Password Locations – Office Work Area                      # Found   % of Total
Under mouse pad, stapler, or tape dispenser                    174         5%
Under keyboard                                                  86         2%
Under desk calendar                                             77         2%
Under flower pot                                                32         1%
Under garbage can                                               11       0.3%
Under printer                                                   29         1%
Under phone or phone reference card                             51         1%
Under carpet or mat                                              7       0.2%
Under bookshelf                                                 38         1%
Under paper tray                                                30         1%
Under or on whiteboard or clipboard                             61         2%
Under trivet, coaster, paper weight, or pencil holder           18       0.5%
Interior door of coat cabinet                                   18       0.5%
Sticky note on the monitor                                      40         1%
Note inside a book or wallet                                   180         5%
Note in music CD box                                            67         2%
On whiteboard obfuscated using letter or number padding         72         2%
Total                                                         1058        27%

Table 1: Hidden password locations – Office work area

Password Locations on Electronic Storage                                 # Found   % of Total
On floppy disk inserted in drive                                              15       0.4%
On USB, flash drive, or other device                                          80         2%
Protected spreadsheet on a password protected network share                  613        17%
MS Access database on a network share                                        216         6%
Spreadsheet on a network share                                               620        17%
Text file located on a network share                                         281         8%
e-mail file (user would create and e-mail himself the new password)          408        11%
MS Word document                                                             103         3%
File stored on an Intranet web site                                          300         8%
File stored on an Internet web site                                           26         1%
Total                                                                       2662        73%

Table 2: Hidden password locations – Electronic storage

The majority (73%) of the hidden passwords were kept on electronic storage (spreadsheets, documents, and e-mails) in a variety of locations, the most common being (1) network drives (34%) and (2) the e-mail server (11%) (Table 2).

Only 1% of the users openly placed the latest password on their monitor (Figure 1). It is interesting to note the password generation algorithm used. The first password on the list (which was complex) was used as the seed for all future password permutations. Each time the system required a new password, the user wrote the new one down and erased the previous one.

Whenever the system permitted the re-use of old passwords, we found a high degree of password recycling via password variances and sequential use. This included 62% of developers, 86% of administrators, 97% of business users, and 94% of admin and facility staff.  

Figure 1: User passwords written on a sticky note

Is there a Method in the madness?
75% of the users interviewed cited poor memory as the main reason (1) for writing down and hiding passwords. The second (2) reason cited was the unspoken legitimacy of this practice and its widespread use. The third (3) reason was that the password was shared by several users, so having it written in a central location was the most convenient way to synchronize it and keep all users informed of any changes. This was primarily the case amongst DBAs, system administrators, and developers (87% combined). The majority of interviewees also acknowledged that they were aware of existing security policy that clearly discouraged such practices.

From conversations with administrative staff, ignorance of the law was not a factor in writing down passwords (Chart 7). Over 90% of the admins acknowledged that they knew that writing their system password down was against policy and information security directives, but they did it because they were located in a physically “secure area” with strict access controls and considered it a calculated risk.

Chart 7: Percent of administrators told not to write down passwords

An interesting usage relationship shows that systems which periodically require users to change passwords actually trigger more people to ‘hide’ them in written form near their workstations. We estimated that the likelihood of finding written passwords near a workstation subjected to frequent password changes was 35% to 55%. At the same sites, the likelihood was only 10% to 20% for workstations connected to systems that did not enforce frequent password changes.

In many cases, over a third of the users created sequential passwords (Chart 8) such as changing Pa$$w0rd_1 to Pa$$w0rd_2. The stats for administrative users show that this practice was higher than 80% when permitted by the system. This information again is confirmed by other studies that show the user’s tendency to avoid constantly memorizing new, complex passwords and writing them down.[4]

Chart 8: Used sequential passwords
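The sequential rotation described above (Pa$$w0rd_1 to Pa$$w0rd_2), along with case or leetspeak tweaks and resets to an older familiar password, can be caught at the one moment both cleartexts are in hand: the change request itself. The following Python check is an added example, not from the survey or any product; the leet table, the 0.8 similarity threshold and the sample history are choices made here.

```python
"""Password-change policy check for the recycled-password patterns the survey found.

Added example, not from the article. Run at change time, when the old and new
cleartext passwords are both available; a hashed history can still catch exact
reuse, but near copies need the cleartext of the previous password.
"""
import re
from difflib import SequenceMatcher
from typing import Iterable, Optional

# Common single-character substitutions, folded so that P@ssw0rd == password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "$": "s", "@": "a", "!": "i"})
_COUNTER = re.compile(r"[-_. ]*\d+$")   # trailing counter such as '_2' or '19'
SIMILARITY_THRESHOLD = 0.8              # assumption: tune to your user base


def normalize(password: str) -> str:
    """Lower-case and fold leetspeak so cosmetic changes compare equal."""
    return password.lower().translate(_LEET)


def strip_counter(password: str) -> str:
    """Drop a trailing number (and separator): 'Pa$$w0rd_2' -> 'Pa$$w0rd'."""
    return _COUNTER.sub("", password)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how much of the two normalized strings matches."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def is_variant(old: str, new: str, threshold: float = SIMILARITY_THRESHOLD) -> bool:
    """True when new is old recycled: same counter stem, cosmetic edit, or near copy."""
    if not old or not new:
        return False
    if normalize(old) == normalize(new):
        return True                                   # exact reuse or case/leet tweak
    stem_old, stem_new = strip_counter(old), strip_counter(new)
    if stem_old and normalize(stem_old) == normalize(stem_new):
        return True                                   # Pa$$w0rd_1 -> Pa$$w0rd_2
    return similarity(old, new) >= threshold          # Winter2017! -> Winter2018!


def find_recycled(new: str, history: Iterable[str]) -> Optional[str]:
    """Return the first earlier password that new is a variant of, else None."""
    for old in history:
        if is_variant(old, new):
            return old
    return None


if __name__ == "__main__":
    # Constructed sample history in the style the survey observed.
    history = ["Pa$$w0rd_1", "Pa$$w0rd_2", "Winter2017!"]
    for candidate in ("Pa$$w0rd_3", "P@SSWORD_1", "Winter2018!", "blue-kettle-orbit-49"):
        hit = find_recycled(candidate, history)
        print(f"{candidate:<22} {'REJECT (variant of ' + hit + ')' if hit else 'accept'}")
```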

Social Factors that Contribute to Password Mismanagement
Password security relies on the premise that passwords are kept secret at all times. This is not a trivial requirement because in a typical password life cycle there are many opportunities for compromise whenever a password is created, used, transmitted, or stored. Passwords are always vulnerable to compromise because:

  1. They need to be initially created and assigned to a user
  2. They need to be transmitted
  3. They need to be changed
  4. They need to be stored and retrieved

In this context, sharing passwords among a group of users completely negates the requirement to keep them secret. When we asked the users about the practice of sharing passwords, the unanimous response was that this was a common practice exercised by all. In fact, the system and database administration and InfoSec teams, which should have led the charge in fighting this phenomenon, were the largest practitioners of group password sharing (Charts 9-10).

Chart 9: Password sharing among administrators

Chart 10: Password sharing among developers

This contradictory situation raised some questions. When we asked our users about the clearly prohibited practice of password sharing they provided the following reasons:

  1. Friendliness––Users normally try to avoid behavior that would put them in a negative social light. Individuals who strictly protect their passwords by steadfastly refusing to write them down or share them with colleagues can be seen as anti-social.
  2. Conformity––Due to strong emphasis placed on “being a team player” and the importance of collaboration, many individuals determine that conformity is important and work hard to be sure that others see them as easygoing and trustworthy. For example, if a system administrator (an authority figure) asks a user for his log-in password, he is likely to reveal it because he doesn’t wish to seem suspicious of an authority figure.
  3. Trust––Sharing passwords between team members can be seen as a sign of collegial affiliation. If a user refuses to share a password with a co-worker, especially where such practice is commonplace, it could be seen as a sign of distrust.
  4. Unwritten work procedures––A team of co-workers will develop ‘informal’ procedures and workarounds to deal with occasional situations that impact their productivity (sharing workstations, using each other’s e-mail program, etc). Some of these workarounds may contradict official policies. Users who follow such informal procedures are normally acting in good faith; they are trying to be helpful and practical in an effort to get the job done.
  5. Responsibility––Users are aware of password policies, but continue to violate them nevertheless because they do not expect to be held accountable for breaking the rules, because “everyone” regards the regulations as unrealistic.
  6. Management Privileges––Senior employees believe that they are too busy to be expected to follow what they perceive as petty rules (which often the information security department itself is known to disregard).
  7. Relevancy––Some users believe they and their systems are not important enough to merit serious attention from an attacker. Some users also believe that rigorous passwords are neither truly realistic nor necessary and they do not see following information security policies as being relevant to their job requirements and/or professional reputation.
  8. Security, Perception vs. Reality
    Another interesting piece of information that can be gleaned from the survey points to a number of key factors affecting user perception of password security. When questioned about the practice of resetting passwords to previous ones, a large number of administrative users and developers stated that whenever the system permitted, they did reset the new password to an older familiar one. In some cases administrators deliberately disabled password expiration policies in order to avoid the hassle. Clearly, this practice completely defeats any advantages associated with frequent password changes.

Chart 11: Changed passwords back to original password (left: administrators, right: developers)

When we asked the users for their rationale for ignoring security policy directives and making this and other judgment calls, the answer clustered around the following subjects:

  1. Lack of account privacy affected work habits and user confidence in the system––When a user was forced to write down his password regularly because he lacked a tool to manage them properly, he also tended to justify keeping other sensitive information in the clear.
  2. Mandates and edicts concerning security elicited strong emotional reactions––Users often spoke in emotional terms about unrealistic password mandates, using terms such as smoke and mirrors, lip service, and window dressing. Further, they often said they wanted their information to be secure and private but they often had a fatalistic attitude towards security. That is, they felt resigned to accepting security breaches and privacy compromises.
  3. Users didn’t differentiate between security and privacy—They did not distinguish between these two concepts and focused on the outcome of a security breach and its impact on their work product. In one example, an administrator did not consider the common practice of shared usage of passwords by a fellow administrator to be a privacy or a security issue, but when their password was discovered by us, they simply mitigated the damage by resetting the password and continuing the sharing practice.
  4. Multi-user applications and social interactions affect information sharing—Collaborative work assignments and certain group business process promoted password sharing. When it comes to account and password privacy, users working in a collaborative environment tended to have a more liberal and collective sense of account ownership.
  5. Few differences exist between home and business account management practices––Users’ lack of concern with account privacy did not depend on their work environment. They were consistent in their practices whether at home or on-site. Remote users working via VPN were less concerned about the security of their work files because they considered the likelihood of someone getting to their work at home to be minimal, despite the fact that their off-site network was often much less secure (many had no firewalls or up to date anti-malware protection). Also, most users working from home did not consider themselves to be a potential target of an attack.

Conclusion
The evidence suggests that the widespread practice of users writing down passwords and keeping them in unsecured locations is a natural response to unrealistic security mandates. Users in general are concerned with productivity and view passwords and their management as an unproductive and wasteful activity.

Useful password security depends on the availability of password management and enforcement mechanisms. Any password policy must, on the one hand, balance the benefits of password protection and enforcement and, on the other, minimize user impact. Without maintaining this careful balance, you run the risk of your users coming to view password mandates as tyrannical decrees to be cleverly circumvented.

If a good overall corporate IT security strategy depends on strong passwords—and few people will argue that it does not—then a key strategy for achieving good password security must focus on establishing an enterprise-wide solution that either completely eliminates passwords or facilitates the management of the entire password life cycle via on-line, mobile, and off-line secure storage and retrieval capabilities.

Notes and References
Authentication in Internet Banking: A Lesson in Risk Management – FDIC (2007)
Uncovering Password Habits – Are Users’ Password Security Habits Improving?
The death of passwords is premature – Keeper (2016)

[1] Due to the sensitive nature of password surveys, password storage searches should be planned and executed carefully and discreetly. Before conducting any searches, secure written approval from your IT, InfoSec, HR, and legal teams, and coordinate all such activities with the local facilities team. Another good rule of thumb is to conduct all surveys with a team that includes representatives from HR and building security; this eliminates the perception that some unknown individual is pillaging and violating the privacy of employees after hours. Follow-up conversations with users regarding their password storage and recovery habits should be held in a private setting in a non-threatening, non-confrontational manner. Make it clear to the interviewee that their cooperation is appreciated, that this will not reflect poorly on their evaluation, and that the ultimate goal of the exercise is to improve both personal and corporate data security and privacy. A $20 gift certificate to Starbucks or another popular outlet goes a long way towards easing the tension.

[2] C. Coombs, R. Dawes, and A. Tversky, Mathematical Psychology: An Elementary Introduction. Prentice-Hall (1970); J. Yan, A. Blackwell, R. Anderson, and A. Grant, “The Memorability and Security of Passwords: Some Empirical Results” (technical report, Cambridge University Computer Laboratory, 2001); and G. A. Miller (1956), “The magical number seven, plus or minus two: Some limits on our capacity for processing information,” Psychological Review, 63, 81–97.

[3] B. Schneier, “Write Down Your Password,” Schneier on Security (2005).

[4] E. H. Spafford (1992), “Observations on reusable password choices,” Proceedings of the 3rd USENIX Security Symposium, September.

© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

Two and Two Makes Five

It’s the 70th anniversary of Orwell’s 1984.

“There will be no curiosity, no enjoyment of the process of life. All competing pleasures will be destroyed. But always— do not forget this, Winston— always there will be the intoxication of power, constantly increasing and constantly growing subtler. Always, at every moment, there will be the thrill of victory, the sensation of trampling on an enemy who is helpless.
If you want a picture of the future, imagine a boot stamping on a human face— forever. ”
― George Orwell, 1984 – Part 3, Chapter 4

Field Guide to the Progressive Movement Medals


Literary Devices in the Book of Isaiah

Book of Isaiah Scroll
View interactive version of the scroll here

The Book of Isaiah is the first of the Latter Prophets in the Hebrew Bible. It was written circa the 8th-7th century BCE and is the work of Isaiah ben Amoz. The book is a prophetic vision and historical discussion of the destiny of the Jews, Jerusalem, and Judea before, during, and after the Babylonian exile. Many of the book’s passages, such as 9:5, form the foundation of Messianism and eschatology in Judeo-Christian movements.

Outside of the Masoretic version of the Hebrew Bible, there are several versions of the Book of Isaiah. One of the more interesting ones is the Great Isaiah Scroll (pictured above). This document is one of the seven Dead Sea Scrolls discovered in 1947 near the ruins of Qumran in the Judean desert in Israel, and it is the largest and best preserved of all the scrolls and parchment fragments of biblical books (1st-2nd century CE) discovered in places like Masada, Wadi Murabba’at, Nahal Hever, and Nahal Tze’elim. The scroll contains some minor variations from the Masoretic version, but its 54 columns contain all of the 66 chapters of the version found in the Hebrew Bible. The Great Isaiah Scroll is dated to circa 125 BCE.

For many years, I’ve been reading Isaiah contextually, but have just recently started parsing it for structure. Here are a few interesting stylistic and literary devices that I found in the book. 

Note on language proficiency
Isaiah is a mix of poetry and prose. In general, translated poetry tends to lose more of its meaning than prose. If you don’t read Hebrew, you may miss some nuances such as rhyming, letter geometry, and diction. To help capture these nuances, I’ve included several recordings of the Hebrew passages in the rhyming section. For those of you who would like to pronounce the Hebrew text, there is an alphabet and vocalization chart at the end of the post.

Epigraphs (a reference to another composition to help the reader understand the work).

Isaiah 11:15 (reference to the splitting of the sea, Exodus 14:21)
And the LORD will utterly destroy the tongue of the Egyptian sea; and with His scorching wind will He shake His hand over the River, and will smite it into seven streams, and cause men to march over dry-shod.
וְהֶחֱרִים יְהוָה, אֵת לְשׁוֹן יָם-מִצְרַיִם, וְהֵנִיף יָדוֹ עַל-הַנָּהָר, בַּעְיָם רוּחוֹ; וְהִכָּהוּ לְשִׁבְעָה נְחָלִים, וְהִדְרִיךְ בַּנְּעָלִים.

Isaiah 38:8 (cross reference to 2 Kings 20:8–11)
behold, I will cause the shadow of the dial, which is gone down on the sun-dial of Ahaz, to return backward ten degrees.’ So the sun returned ten degrees, by which degrees it was gone down.
הִנְנִי מֵשִׁיב אֶת-צֵל הַמַּעֲלוֹת אֲשֶׁר יָרְדָה בְמַעֲלוֹת אָחָז בַּשֶּׁמֶשׁ, אֲחֹרַנִּית–עֶשֶׂר מַעֲלוֹת; וַתָּשָׁב הַשֶּׁמֶשׁ עֶשֶׂר מַעֲלוֹת, בַּמַּעֲלוֹת אֲשֶׁר יָרָדָה.

Isaiah 45:7 (reference to Genesis 1-3)
I form the light, and create darkness; I make peace, and create evil; I am the LORD, that doeth all these things.
יוֹצֵר אוֹר וּבוֹרֵא חֹשֶׁךְ, עֹשֶׂה שָׁלוֹם וּבוֹרֵא רָע; אֲנִי יְהוָה, עֹשֶׂה כָל-אֵלֶּה.

Allegory
(A metaphor in which a character, place, or event is used to deliver a broader message)

Isaiah 40:8
The grass withereth, the flower fadeth [people/life]; but the word of our God shall stand for ever.
יָבֵשׁ חָצִיר, נָבֵל צִיץ; וּדְבַר-אֱלֹהֵינוּ, יָקוּם לְעוֹלָם.

Isaiah 40:11
Even as a shepherd [G-d] that feedeth his flock, that gathereth the lambs in his arm, and carrieth them in his bosom, and gently leadeth those that give suck.
כְּרֹעֶה, עֶדְרוֹ יִרְעֶה, בִּזְרֹעוֹ יְקַבֵּץ טְלָאִים, וּבְחֵיקוֹ יִשָּׂא; עָלוֹת, יְנַהֵל.

Similes (A figure of speech that directly compares two things)

Isaiah 55:10
For as the rain cometh down and the snow from heaven, and returneth not thither, except it water the earth, and make it bring forth and bud, and give seed to the sower and bread to the eater;
כִּי כַּאֲשֶׁר יֵרֵד הַגֶּשֶׁם וְהַשֶּׁלֶג מִן-הַשָּׁמַיִם, וְשָׁמָּה לֹא יָשׁוּב–כִּי אִם-הִרְוָה אֶת-הָאָרֶץ, וְהוֹלִידָהּ וְהִצְמִיחָהּ; וְנָתַן זֶרַע לַזֹּרֵעַ, וְלֶחֶם לָאֹכֵל.

Aphorisms (A concise, terse, laconic, memorable expression of a general truth or principle)

Isaiah 40:21
Know ye not? hear ye not? Hath it not been told you from the beginning? Have ye not understood the foundations of the earth?
הֲלוֹא תֵדְעוּ הֲלוֹא תִשְׁמָעוּ, הֲלוֹא הֻגַּד מֵרֹאשׁ לָכֶם; הֲלוֹא, הֲבִינוֹתֶם, מוֹסְדוֹת, הָאָרֶץ.

Isaiah 49:15
Can a woman forget her sucking child, that she should not have compassion on the son of her womb? Yea, these may forget, yet will not I forget thee.
הֲתִשְׁכַּח אִשָּׁה עוּלָהּ, מֵרַחֵם בֶּן-בִּטְנָהּ; גַּם-אֵלֶּה תִשְׁכַּחְנָה, וְאָנֹכִי לֹא אֶשְׁכָּחֵךְ. 

Isaiah 49:24
Shall the prey be taken from the mighty, or the captives of the victorious be delivered?
הֲיֻקַּח מִגִּבּוֹר, מַלְקוֹחַ; וְאִם-שְׁבִי צַדִּיק, יִמָּלֵט.

Allusions (A figure of speech, in which an object or circumstance is referred to indirectly)

Isaiah 44:28 [the term “My shepherd” is alluding to Moses]
That saith of Cyrus: ‘He is My shepherd, and shall perform all My pleasure’; even saying of Jerusalem: ‘She shall be built’; and to the temple: ‘My foundation shall be laid.
הָאֹמֵר לְכוֹרֶשׁ רֹעִי, וְכָל-חֶפְצִי יַשְׁלִם; וְלֵאמֹר לִירוּשָׁלִַם תִּבָּנֶה, וְהֵיכָל תִּוָּסֵד.

Isaiah 45:3 [alluding to the treasures Nebuchadnezzar took from the Temple of Solomon]
And I will give thee the treasures of darkness, and hidden riches of secret places, that thou mayest know that I am the LORD, who call thee by thy name, even the God of Israel.
וְנָתַתִּי לְךָ אוֹצְרוֹת חֹשֶׁךְ, וּמַטְמֻנֵי מִסְתָּרִים:  לְמַעַן תֵּדַע, כִּי-אֲנִי יְהוָה הַקּוֹרֵא בְשִׁמְךָ–אֱלֹהֵי יִשְׂרָאֵל.

Wordplay, Parables, and Puns (A didactic prose or verse that illustrates instructive principles)

Isaiah 5:7
For the vineyard of the LORD of hosts is the house of Israel, and the men of Judah the plant of His delight; and He looked for justice, but behold violence; for righteousness, but behold a cry.
כִּי כֶרֶם יְהוָה צְבָאוֹת, בֵּית יִשְׂרָאֵל, וְאִישׁ יְהוּדָה, נְטַע שַׁעֲשׁוּעָיו; וַיְקַו לְמִשְׁפָּט וְהִנֵּה מִשְׂפָּח, לִצְדָקָה וְהִנֵּה צְעָקָה.

The Song of the Vineyard describes how G-d had done everything to make his vineyard (“the nation of Israel … the people of Judah,” 5:7a) fruitful. He expected luscious, plump, juicy grapes at the time of harvest, but instead the vineyard “brought forth wild grapes” (5:2). So G-d pronounces judgment on his people (5:3–6). In this context, verse 5:7 uses the following wordplay: “And he looked for justice (משׁפט), but behold violence (משׂפח); for righteousness (צדקה), but behold a cry (צעקה)”. In addition to the wordplay, each pair of Hebrew words also sounds similar.

Isaiah 2:3
And many peoples shall go and say: ‘Come ye, and let us go up to the mountain of the LORD, to the house of the God of Jacob; and He will teach us of His ways, and we will walk in His paths.’ For out of Zion shall go forth the law, and the word of the LORD from Jerusalem. 
וְהָלְכוּ עַמִּים רַבִּים, וְאָמְרוּ לְכוּ וְנַעֲלֶה אֶל-הַר-יְהוָה אֶל-בֵּית אֱלֹהֵי יַעֲקֹב, וְיֹרֵנוּ מִדְּרָכָיו, וְנֵלְכָה בְּאֹרְחֹתָיו:  כִּי מִצִּיּוֹן תֵּצֵא תוֹרָה, וּדְבַר-יְהוָה מִירוּשָׁלִָם.

Many passages use double entendres. For example, the passage “for out of Zion shall go forth the law, and the word of the LORD from Jerusalem” can have multiple meanings, depending on how we interpret the terms “Zion”, “Jerusalem”, the “law”, and the “word of the LORD”.

If the references to “Jerusalem”, “Zion” (City of David), “mountain of the LORD” (Temple Mount), and “house of the God” (Solomon’s Temple) are just parallel forms, then the meaning of the whole passage is that the future word of G-d will emanate from this general location.

On the other hand, if we read “Jerusalem”, “Zion”, “mountain of the LORD”, and “house of the God” as distinct locations with ascending levels of holiness (which they had historically), then each of these places has a unique messianic purpose, and in the future the righteous will go through a sequence of: (1) pilgrimage to Jerusalem, (2) a visit to the temple, (3) attendance at a service, and (4) spreading the law and the inspired word of G-d throughout the world.

Encryption

Isaiah 7:6
Let us go up against Judah, and vex it, and let us make a breach therein for us, and set up a king in the midst of it, even the son of Tabeel.
נַעֲלֶה בִיהוּדָה וּנְקִיצֶנָּה, וְנַבְקִעֶנָּה אֵלֵינוּ; וְנַמְלִיךְ מֶלֶךְ בְּתוֹכָהּ, אֵת בֶּן-טָבְאַל.

This passage describes the scheming of Rezin, the king of Syria, and Pekah, the son of Remaliah, king of Israel (the united monarchy had by that time split into the kingdoms of Judah and Israel), who conspired against King Ahaz of Judah and plotted to replace him with the “son of Tabeel”.

Tabeel is an otherwise unknown biblical figure. But Tabeel (spelled T-B-A-L, טבאל, without vowels) could be an encrypted name: decrypting it with the “ALABM” cypher yields R-M-L-A (רמלא), Remala, a possible reference to Remaliah, Pekah’s father.

 

Hebrew:
Row-1: א ב ג ד ה ו ז ח ט י כ
Row-2: ל מ נ ס ע פ צ ק ר ש ת

English:
Row-1: A B C D E F G H I J K L M
Row-2: N O P Q R S T U V W X Y Z

The ALABM (אלבם) cypher, more commonly transliterated Albam, employs a substitution system in which the 22 letter Hebrew alphabet is split into two halves and lined up in two rows. In this way, the first letter of the top row, Aleph (א), is substituted with the first letter of the second row, Lamed (ל); the second letter of the top row, Beth (ב), is substituted with the second letter of the second row, Mem (מ); and so on. The name of the cypher is derived from the first four letters of this arrangement: Aleph-Lamed and Beth-Mem. Because every pair is swapped in both directions, the same table both encrypts and decrypts.

The English equivalent pairs the first letter of the top row, A, with the first letter of the second row, N; the second letter of the top row, B, with the second letter of the second row, O; and so on. With a 26 letter alphabet this is the familiar ROT13 substitution.

Encoding the message “DEATH IS NOT THE WORST OF EVILS” with the English version of ALABM yields the ciphertext “QRNGU VF ABG GUR JBEFG BS RIVYF”; applying the same substitution to the ciphertext restores the original message.
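The substitution described above, as an added example that is not part of the original post: a short Python implementation of the Albam table for Hebrew and its ROT13 analogue for English, both built from the same half-split construction, applied to the name טבאל discussed above and to the English sentence. The letter strings and sample words are the only inputs. Folding final-form Hebrew letters to their base form before lookup, and passing vowel points through untouched, are assumptions of this example rather than anything the post specifies.

```python
# Added example, not code from the original post.
# Albam over the 22-letter Hebrew alphabet and its English analogue (ROT13).
# Both tables are involutions: the same function encrypts and decrypts.

HEBREW = "אבגדהוזחטיכלמנסעפצקרשת"          # 22 base letters, in alphabetical order
ENGLISH = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Assumption of this example: final-form letters are folded to their base form
# before lookup (the ciphertext always uses base forms).
FINALS = {"ך": "כ", "ם": "מ", "ן": "נ", "ף": "פ", "ץ": "צ"}


def half_swap_table(alphabet: str) -> dict:
    """Split the alphabet into two equal halves and pair each letter with the
    letter at the same position in the other half (Aleph<->Lamed, A<->N, ...)."""
    if len(alphabet) % 2:
        raise ValueError("alphabet length must be even")
    half = len(alphabet) // 2
    table = {}
    for top, bottom in zip(alphabet[:half], alphabet[half:]):
        table[top] = bottom
        table[bottom] = top
    return table


ALBAM = half_swap_table(HEBREW)
ROT13 = half_swap_table(ENGLISH)


def albam(text: str) -> str:
    """Apply the Albam substitution. Vowel points (combining marks), spaces and
    punctuation are not in the table and pass through unchanged."""
    out = []
    for ch in text:
        ch = FINALS.get(ch, ch)
        out.append(ALBAM.get(ch, ch))
    return "".join(out)


def rot13(text: str) -> str:
    """Apply the English half-swap (ROT13), preserving letter case."""
    out = []
    for ch in text:
        upper = ch.upper()
        if upper in ROT13:
            sub = ROT13[upper]
            out.append(sub if ch.isupper() else sub.lower())
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Sample inputs: the name from the verse quoted above and the English sentence.
    print(albam("טבאל"))                                  # רמלא
    print(rot13("DEATH IS NOT THE WORST OF EVILS"))       # QRNGU VF ABG GUR JBEFG BS RIVYF
    print(rot13(rot13("DEATH IS NOT THE WORST OF EVILS")))  # round trip
```

Because the pairing is fixed and keyless, the table itself is the whole secret: anyone who knows the scheme decrypts by applying it once more, and a frequency count of the ciphertext letters gives the scheme away on any text longer than a few words. That is why it works as a literary device, not as protection.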

Palindromes
(A sequence of characters which read the same backward as forward)

Isaiah 11:10
And it shall come to pass in that day, that the root of Jesse, that standeth for an ensign of the peoples, unto him shall the nations seek; and his resting-place shall be glorious.
וְהָיָה, בַּיּוֹם הַהוּא, שֹׁרֶשׁ יִשַׁי אֲשֶׁר עֹמֵד לְנֵס עַמִּים, אֵלָיו גּוֹיִם יִדְרֹשׁוּ; וְהָיְתָה מְנֻחָתוֹ, כָּבוֹד.

Isaiah 40:4
(a perfect palindrome if we substitute “וְהָרְכָסִים”, which is a hapax legomenon, with “וְרוְשׁים”)
Every valley shall be lifted up, and every mountain and hill shall be made low; and the rugged shall be made level, and the rough places a plain;
כָּל-גֶּיא, יִנָּשֵׂא, וְכָל-הַר וְגִבְעָה, יִשְׁפָּלוּ; וְהָיָה הֶעָקֹב לְמִישׁוֹר,[וְרוְשׁים] וְהָרְכָסִים לְבִקְעָה.

Isaiah 40-4 Every valley shall be lifted up

Interestingly, the Great Isaiah Scroll has alternate spellings for several words in verse 40:4 (see the grayed out section). The word “גֶּיא” (valley), for example, is spelled without the Alef as “גֶּי”, and the word “וְהָרְכָסִים” (rough places or mountain tops) is spelled with an extra Vav between the letters Resh and Kaf, “וְהָרְוְכָסִים” (the word is located in the dotted rectangle in the image above).

Word Variation (using verb conjugation)

Isaiah 33:1  
Woe to thee that spoilest, and thou wast not spoiled; and dealest treacherously, and they dealt not treacherously with thee! When thou hast ceased to spoil, thou shalt be spoiled; and when thou art weary with dealing treacherously, they shall deal treacherously with thee.
הוֹי שׁוֹדֵד, וְאַתָּה לֹא שָׁדוּד, וּבוֹגֵד, וְלֹא-בָגְדוּ בוֹ; כַּהֲתִמְךָ שׁוֹדֵד תּוּשַּׁד, כַּנְּלֹתְךָ לִבְגֹּד יִבְגְּדוּ-בָךְ.

Homographs (Words that use the same root but have different meanings)

Isaiah 29:9
Stupefy yourselves, and be stupid! Blind yourselves, and be blind! ye that are drunken, but not with wine, that stagger, but not with strong drink.
הִתְמַהְמְהוּ וּתְמָהוּ, הִשְׁתַּעַשְׁעוּ וָשֹׁעוּ; שָׁכְרוּ וְלֹא-יַיִן, נָעוּ וְלֹא שֵׁכָר.

Metaphors and Analogies (Figure of speech that for rhetorical effect, directly refers to one thing by mentioning another)

Isaiah 24:20
The earth reeleth to and fro like a drunken man, and swayeth to and fro as a lodge; and the transgression thereof is heavy upon it, and it shall fall, and not rise again.
נוֹעַ תָּנוּעַ אֶרֶץ כַּשִּׁכּוֹר, וְהִתְנוֹדְדָה כַּמְּלוּנָה; וְכָבַד עָלֶיהָ פִּשְׁעָהּ, וְנָפְלָה וְלֹא-תֹסִיף קוּם.

Isaiah 29:18
And in that day shall the deaf hear the words of a book, and the eyes of the blind shall see out of obscurity and out of darkness.
וְשָׁמְעוּ בַיּוֹם-הַהוּא הַחֵרְשִׁים, דִּבְרֵי-סֵפֶר; וּמֵאֹפֶל וּמֵחֹשֶׁךְ, עֵינֵי עִוְרִים תִּרְאֶינָה.

Isaiah 41:18
I will open rivers on the high hills, and fountains in the midst of the valleys; I will make the wilderness a pool of water, and the dry land springs of water.
אֶפְתַּח עַל-שְׁפָיִים נְהָרוֹת, וּבְתוֹךְ בְּקָעוֹת מַעְיָנוֹת; אָשִׂים מִדְבָּר לַאֲגַם-מַיִם, וְאֶרֶץ צִיָּה לְמוֹצָאֵי מָיִם.

Isaiah 54:16 
Behold, I have created the smith that bloweth the fire of coals, and bringeth forth a weapon for his work; and I have created the waster to destroy.
הן אָנֹכִי, בָּרָאתִי חָרָשׁ–נֹפֵחַ בְּאֵשׁ פֶּחָם, וּמוֹצִיא כְלִי לְמַעֲשֵׂהוּ; וְאָנֹכִי בָּרָאתִי מַשְׁחִית, לְחַבֵּל.

Juxtapositions (Placing two elements side by side in order to compare and or contrast them)
Isaiah 42:18
Hear, ye deaf, and look, ye blind, that ye may see.
הַחֵרְשִׁים, שְׁמָעוּ; וְהַעִוְרִים, הַבִּיטוּ לִרְאוֹת.

Isaiah 42:20
Seeing many things, thou observest not; opening the ears, he heareth not.
ראית רַבּוֹת, וְלֹא תִשְׁמֹר; פָּקוֹחַ אָזְנַיִם, וְלֹא יִשְׁמָע.

Isaiah 52:3
For thus saith the LORD: Ye were sold for nought; and ye shall be redeemed without money.
כִּי-כֹה אָמַר יְהוָה, חִנָּם נִמְכַּרְתֶּם; וְלֹא בְכֶסֶף, תִּגָּאֵלוּ.

Parallelism (Balance within one or more sentences using similar phrases or concepts)
Isaiah 1:2
Hear, O heavens, and give ear, O earth, for the LORD hath spoken: Children I have reared, and brought up…
שִׁמְעוּ שָׁמַיִם וְהַאֲזִינִי אֶרֶץ, כִּי יְהוָה דִּבֵּר:  בָּנִים גִּדַּלְתִּי וְרוֹמַמְתִּי

Isaiah 1:3
The ox knoweth his owner, and the ass his master’s crib; but Israel doth not know, My people doth not consider.
יָדַע שׁוֹר קֹנֵהוּ, וַחֲמוֹר אֵבוּס בְּעָלָיו; יִשְׂרָאֵל לֹא יָדַע, עַמִּי לֹא הִתְבּוֹנָן.

Isaiah 28:23
Give ye ear, and hear my voice; attend, and hear my speech.
הַאֲזִינוּ וְשִׁמְעוּ, קוֹלִי; הַקְשִׁיבוּ וְשִׁמְעוּ, אִמְרָתִי.

Isaiah 9:1
The people that walked in darkness have seen a great light; they that dwelt in the land of the shadow of death, upon them hath the light shined.
הָעָם הַהֹלְכִים בַּחֹשֶׁךְ, רָאוּ אוֹר גָּדוֹל:  יֹשְׁבֵי בְּאֶרֶץ צַלְמָוֶת, אוֹר נָגַהּ עֲלֵיהֶם.

Rhyming (Repetition of similar sounds in the final stressed syllables)

Isaiah 17:12
Ah, the uproar of many peoples, that roar like the roaring of the seas; and the rushing of nations, that rush like the rushing of mighty waters!
הוֹי, הֲמוֹן עַמִּים רַבִּים, כַּהֲמוֹת יַמִּים, יֶהֱמָיוּן; וּשְׁאוֹן לְאֻמִּים, כִּשְׁאוֹן מַיִם כַּבִּירִים יִשָּׁאוּן.

Isaiah 24:3
The earth shall be utterly emptied, and clean despoiled; for the LORD hath spoken this word.
הִבּוֹק תִּבּוֹק הָאָרֶץ, וְהִבּוֹז תִּבֹּז:  כִּי יְהוָה, דִּבֶּר אֶת-הַדָּבָר הַזֶּה.

Isaiah 24:4
The earth fainteth and fadeth away, the world faileth and fadeth away, the lofty people of the earth do fail.
אָבְלָה נָבְלָה הָאָרֶץ, אֻמְלְלָה נָבְלָה תֵּבֵל; אֻמְלָלוּ, מְרוֹם עַם-הָאָרֶץ.

Isaiah 24:17
Terror, and the pit, and the trap…
פַּחַד וָפַחַת, וָפָח

Isaiah 24:19
The earth is broken, broken down, the earth is crumbled in pieces, the earth trembleth and tottereth;
רֹעָה הִתְרֹעֲעָה, הָאָרֶץ; פּוֹר הִתְפּוֹרְרָה אֶרֶץ, מוֹט הִתְמוֹטְטָה אָרֶץ.

Isaiah 27:7
Hath He smitten him as He smote those that smote him? Or is he slain according to the slaughter of them that were slain by Him?
הַכְּמַכַּת מַכֵּהוּ, הִכָּהוּ:  אִם-כְּהֶרֶג הֲרֻגָיו, הֹרָג.

Isaiah 28:10
For it is precept by precept, precept by precept, line by line, line by line; here a little, there a little.
כִּי צַו לָצָו צַו לָצָו, קַו לָקָו קַו לָקָו–זְעֵיר שָׁם, זְעֵיר שָׁם.

Symmetry and Mirroring (Sentences of similar parts and meaning that face each other)
A number of passages retain their meaning even if read in different directions: from right to left, from left to right, or from the center outwards to either side. In other passages, the meaning of the left and right halves of the sentence balances.

Isaiah 11:2
And the spirit of the LORD shall rest upon him, the spirit of wisdom and understanding, the spirit of counsel and might, the spirit of knowledge and of the fear of the LORD.
וְנָחָה עָלָיו, רוּחַ יְהוָה רוּחַ חָכְמָה וּבִינָה, רוּחַ עֵצָה וּגְבוּרָה, רוּחַ דַּעַת, וְיִרְאַת יְהוָה.

Isaiah 22:22 (the chapter and verse numbers mirror each other)
And the key of the house of David will I lay upon his shoulder; and he shall open, and none shall shut; and he shall shut, and none shall open.
וְנָתַתִּי מַפְתֵּחַ בֵּית-דָּוִד, עַל-שִׁכְמוֹ; וּפָתַח וְאֵין סֹגֵר, וְסָגַר וְאֵין פֹּתֵחַ.

Isaiah 27:5
Or else let him take hold of My strength, that he may make peace with Me; yea, let him make peace with Me.
אוֹ יַחֲזֵק בְּמָעוּזִּי, יַעֲשֶׂה שָׁלוֹם לִי; שָׁלוֹם, יַעֲשֶׂה-לִּי.

Isaiah 29:2 
…Ariel, and there shall be mourning and moaning; and she shall be unto Me as a hearth of God.
לַאֲרִיאֵל; וְהָיְתָה תַאֲנִיָּה וַאֲנִיָּה, וְהָיְתָה לִּי כַּאֲרִיאֵל.

Isaiah 5:20
Woe unto them that call evil good, and good evil; that change darkness into light, and light into darkness; that change bitter into sweet, and sweet into bitter!
הוֹי הָאֹמְרִים לָרַע טוֹב, וְלַטּוֹב רָע: שָׂמִים חֹשֶׁךְ לְאוֹר וְאוֹר לְחֹשֶׁךְ, שָׂמִים מַר לְמָתוֹק וּמָתוֹק לְמָר.

Isaiah 10:11
Shall I not, as I have done unto Samaria and her idols, so do to Jerusalem and her idols?’
הֲלֹא, כַּאֲשֶׁר עָשִׂיתִי לְשֹׁמְרוֹן–וְלֶאֱלִילֶיהָ:  כֵּן אֶעֱשֶׂה לִירוּשָׁלִַם, וְלַעֲצַבֶּיהָ. 

Isaiah 13:15
Every one that is found shall be thrust through; and every one that is caught shall fall by the sword.
כָּל-הַנִּמְצָא, יִדָּקֵר; וְכָל-הַנִּסְפֶּה, יִפּוֹל בֶּחָרֶב.

Not bad for a 2,800-year-old document.

References:

1. The Book of Isaiah
2. Chapter-by-Chapter Recordings of the Hebrew Bible
3. The Aleppo Codex
4. The Dead Sea Scroll Collection
5. Hebrew verb conjugation application 

Hebrew Alphabet Chart

Hebrew verb conjugation table
Source: Language Learning Beta


The Dust Bunny Emporium

Yaacov Apelbaum - Olga The Dust Bunny Fairy

Is your artistic potential inhibited by a lack of talent, financial resources, or ideas? Don’t despair! Read on and find out how you too can fully realize your creative dreams—and even make some money in the process—without the need to attend the Royal College of Art.

Several years ago, I noticed that everyone seemed to be selling something on Etsy. To the uninitiated, Etsy is a sort of a hybrid between Facebook and eBay. You can find almost anything there, from handmade jewelry to vintage items to second-hand 1960s underwear.

Yaacov Apelbaum - Etsy Old Shoes              Yaacov Apelbaum - Etsy 1960 Underwear

Etsy promotes itself as an eco-friendly marketplace, a commune of collaborative artisans who use poetic language to describe their goods. For example a seller offering a bunch of torn out pages from an old book describes his product as:

A beautiful selection of over 150 gorgeous leafs from inspirational vintage manuscripts… to be used for absolutely anything! These antique sheets are in a lovely aged condition and I include a generous range of different colors of patina and intriguing imperfections. From mysterious dark latte to beautiful French cream to an enchanting country antique white! Oh they’re just gorgeous!

This got me thinking: how much of this phenomenon could be attributed to memetic propagation and groupie theory? Or was this just a question of using hip language to sell your thrift store inventory?

I decided to open an Etsy store to find out for myself. The first problem was what to sell. I like all of my old stuff, but I thought maybe I’d find some vintage items I could part with for the sake of the experiment. In the process of looking around the house, I noticed some dust bunnies behind one of the doors and it suddenly hit me…this was it! I would create a store dedicated to the fine art of house dust, lint, and miscellaneous cat hair.

I launched my “Dust Bunny Emporium” store under the nom de plume of Olga Schematova, a middle-aged lady from one of the former Soviet republics. To comply with the terms of service, I composed and published all the required store policies, such as About, Return & Exchange, and FAQ. To achieve the right artistic and literary balance, I dialed up my continental accent by a few notches.

Yaacov Apelbaum - Olga's Dust Bunny Fairy Store
Store Keywords: famous Russian general portraits, hair, lint, dust, crumbs, ear wax, petroleum jelly, anti freeze, dust, Vaseline, grease, belly button fluff.

About Olga’s Store:
Welcome Friend! No job too big for Olga!
My name is Olga Schematova. After many years working in the Bolshoi Circus as deputy manager of sanitation department, I now have own Etsy shop!

Olga’s philosophy is simple; I produce best possible reproductions of famous historical Russian generals using highest quality dust bunnies available.  Each piece is hand made and lovingly crafted with great attention to details.

Few artists in entire world have touched lives of fine art collectors like Olga’s creations do. My mission is to become leading creator of works of fine dust bunny art, magnificent objets d’Art, and treasured collectibles not only will bring you joy, but enhance your life as you share their beauty with family and friends for many generations to come.

Return and Exchange Policy
Olga prides herself on the quality and artistic composition of her dust bunnies. If you are not satisfied with your purchase for any reason, I will gladly exchange your dust bunny for another one of similar value.  Just mail back the dust bunny in its original zip lock bag. 

Unfortunately, I can’t afford to pay for your shipping, so you will have to do it yourself.  All returns are also subject to a 15% processing fee.

FAQ
Q: What exactly is a dust bunny?
A: Dust bunnies (or dustbunnies) are small clumps of dust that form magically under furniture, in corners of rooms, and behind doors. They are made of hair, lint, crumbs, dust, and debris. Dust bunnies are held together by static electricity and felt-like entanglement. They can actually be harmful if swallowed by your pet and are excellent breeding grounds for house dust mites and other parasites.

Q: What is the difference between dust bunnies and the contents of any vacuum cleaner bag?
A: Some enterprising and unscrupulous dealers sell cheap, imitation dust bunnies using the contents of vacuum cleaner bags (there is a thriving black market in the U.S.A.). You can tell a high quality dust bunny by its fluffy texture, good clumpiness, and low DtH (Dust to Hair ratio). Some other indications are a lack of foreign objects like dental floss, buttons, nail clippings, cat whiskers, and small change.

Q: Is your art for real, or is this just a bad joke?
A: Yes it is, I consider myself to be an artistic trail blazer and an innovator (perhaps years ahead of my time). Before criticizing my creations, consider that Jackson Pollock and Andrew Warhol were also initially treated with disdain and mockery before becoming very famous (and rich).

Q: What do you use dust bunnies for?
A: I have always been interested in sanitation and rubbish disposal. Since I was little, I enjoyed taking the garbage out. I am fascinated by objects like used toothpicks and incrustations of various sorts. I am an expert on organic discoloration (I authored “The Russian Guide to Food Stains”) and believe that recycling dust bunnies is beneficial for our planet. As my friend Alexi Steponitovich the poet once said, “Переработка кролика превращает растение в зеленый мед” – Recycling a bunny makes the plant a green honey.

The Collection
Once the store was up and running, it was time to create the inventory. I collected some dust bunnies and other lint, mixed it with petroleum jelly, and proceeded to use it to enhance the appearance of my collection of 18th-19th century Russian generals. In addition to a new coiffure and an upgraded mustache, each general also received an enhanced personal biography and a brief description of the artwork.

Yaacov Apelbaum - Dust Bunny Fairy Etsy Listings
The dust bunny art catalog and pricing

The following is a sampling of some of the masterpieces from the gallery:

Viscount Vladimir Eczemanov Petrovitch

Wonderful reproduction of Viscount Vladimir Eczemanov Petrovitch,Tsar Nicholas II’s beloved Chief of Staff. This artistic masterpiece captures the cunning courtier and his love of life, beets, and large parties. Viscount Eczemanov’s accidental invention of borscht and his introduction in 1905 of adult jokes into the Russian court has won him a special place in Russian folklore.

The hairpiece is made of a large and rare imported (from Uzbekistan) hair ball and is reinforced with petroleum jelly. The mustache is made from a clump of drain hair I recovered from the bathroom sink on the train on my way to the farm animal exhibit in Vladivostok.

This magnificent portrait edition is numbered and comes printed on acid free card stock.

Admiral Evgeny Stphanivich Raskolnikov

This magnificent likeness captures the essence of imperial majesty of Russia’s Far East Fleet commander in 1905. Admiral Evgeny Stphanivich Raskolnikov, who in real life never set foot on a vessel prior to the famous and short marine battle fought against the Japanese fleet, is presented here with a replica of his original toupee.

The hairpiece is made of a mixture of lint clumps that came from my friend Sasha’s bellybutton and a large and fluffy hair ball that I found on the floor mat in the entrance to the youth center where I also work as a part time cook.

This magnificent portrait edition is numbered and comes printed on acid free card stock.

Duke Gregory Alexander Smearvarov

This portrait perfectly captures the image of one of imperial Russia’s greatest cavalry heroes, Duke Gregory Alexander Smearvarov, the hero of Kazakhstan, Turkistan, and Uzbekistan. The hairpiece of this fascinating portrait is made of a large dust bunny I found in the communal laundry room of my apartment building.

The mustache is made of a hairball I got from my black cat Lenin.

This magnificent portrait edition is numbered and comes printed on acid free card stock.

General Boris Michail Schmatanovich

This portrait perfectly captures the genius of one of the most capable and well connected military strategists, General Boris Michail Schmatanovich. The winner of the prestigious white neck medal and 2 chest medals was known for his passionate love of life as much as for his well known book “Introduction to Cassock Dancing.”

The hairpiece of this intriguing portrait is made from an aged and hard to recover dust bunny under the radiator that I got by using a straightened coat hanger. The mustache is made of drain hair I found in the town’s Stalin Youth Center swimming pool shower room.

This limited edition, numbered portrait is printed on acid free card stock.

Count Vladimir Ivanovich Smarkovsky

This enhanced portrait is an excellent and clever rendition of the famous military philosopher, Count Vladimir Ivanovich Smarkovsky, who was the first to introduce the finger pointing style of command to the Russian imperial army. He is also the only general ever awarded the three vertically overlapping medal set.

In the creation of his new and magnificent coiffure, I used a combination of several dust bunnies and some drain hair.

This limited edition, numbered portrait is printed on acid free card stock.

Brigadier General Sergai Vasili Booboyvitch

A rare portrait of Imperial Russia’s greatest military sanitation engineer, Brigadier General Sergai Vasili Booboyvitch. His numerous contributions to the modernization of sanitation in the Kremlin include: the abolishment of the usage of office curtains for personal hygiene and the introduction of urinals and zippers in military uniforms (portrait predates his invention). For these and other important contributions Brigadier General Booboyvitch was awarded posthumously (after his death) the 8 corner and four cornered medals, two very important medals!

The hair piece is made of a mixture of dust bunny, dust, crumbs, and premium filler materials. The mustache is made of a mixture of drain hair and antifreeze I received as a gift from my good friend, Mischa, who works in the cooperative glue factory.

This magnificent portrait edition is numbered and comes printed on acid free card stock.

And for the do-it-yourselfers and creatively inclined, I even added a listing for some bulk raw materials:

Bag-O-Bunny

Premium Closet Dust Bunny Supplies
This 12” x 6” Ziploc bag of high quality dust bunnies is the perfect gift for any craft lover. It is made from a perfectly balanced mixture of hair, dust, crumbs, and lint. This extra large and luxurious dust bunny has been perfectly aged for over 6 months and has a smooth and slick texture.

If you are looking for bulk dust bunny supplies, look no further!

The quality of these dust bunnies is second to none; they have beautiful form and luxurious texture. Great for your home made hair, beard, and mustache extensions, or general weaving projects.

Summary
Within one week of opening my store, I showed up in dozens of treasuries. An Etsy treasury is a collection of 16 listings. These listings may be your favorite things or maybe items that relate to a particular theme, say, dust bunnies or birds or the color red. You can then share this list with the larger Etsy community on the treasuries page. That was a good sign of traction…

Then came the recognition: in no time, I became the rave of the Etsy artistic community.

Sales and feedback

After comments such as “Olga’s dust bunnies are a fresh marriage of art and utility”, I knew I was on my way to commercial success. Or as one comment stated:

I find Olga’s work menacing/playful because of the way the mechanical bunny hair and the gesture verges on codifying the distinctive formal juxtapositions of the figures.

So, there you have it. In the end, I didn’t rake in the millions, but still, it was an interesting exercise that proved that even sarcasm in its extreme form can be interpreted as artistic genius depending on who you ask.

© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.