Is Your Friendship Or Relationship Nothing More Than The Result Of A Saviour, Martyr or Victim Complex?

This article deals with the second of two very emotional subjects and states which, whilst separate conditions/issues, are extremely closely related, and in my unqualified non professional opinion one can lead to the other, and both can be exploited by abusive people intentionally or unintentionally. The first article covers Trauma Bonding.

The Victim Complex

At its core, the victim complex involves someone viewing themselves as a victim of their life events. They often express that bad things always happen to them, claim that they have no control over their life, and don’t take responsibility for things they do. The motives for a victim mentality are often unconscious, but can also be conscious and deliberate as a method of manipulation and/or path to Trauma Bonding.

The victim mentality provides people with a sense of safety and validation. As the victim, they don’t have to take the blame for their actions, they get attention from the people around them, and they are validated by support from others. However, by putting the responsibility on others, they sacrifice their own control and ability to act. They rely on others for their self-worth.

For example, a claim I heard that smacks of this very issue:

A claim was made that the “victim” had a “traumatic miscarriage” because they were at a music concert and got pushed around/crushed by the crowd. They claim to have a diagnosis of PCOS, and claim they were being raped by their “husband” on a regular basis. However, one has to ask the following questions of the “victim”:

  • If you’re being raped, why didn’t you report said rape to the authorities?
  • Why didn’t you leave?
  • Is the alleged rapist the father of the child?
  • Does the father even know about the pregnancy or the miscarriage?
  • If you knew you were pregnant why were you there?
  • As a “professional photographer” why were you in the crowd and not in front of the barriers like other photographers?
  • Why did you tell the pop stars/artists and not those supposedly close to you?
  • In the 6 months past said incident and you have moved some 5 hours (by road) from the alleged rapist, why have you voluntarily been back for sex on more than one occasion?
  • Why after finding a new place to live a new partner and a new job why have you still not reported the rape to the authorities… 6 months later?

I did ask some of these questions; the answers I got I still do not understand, and for privacy I will just say the “victim” abused me for questioning their events and spent a great deal of time and effort lying about their new job, their new partner, where they are living, studying etc. I have no clue why they lied so persistently, as I wasn’t the “rapist”; however, by the time I asked some of the questions I had come to the realisation I needed to make changes in my life, and they didn’t involve this person. Since then it has been suggested I might have or be suffering from a Martyr Complex.

As a discerning reader you probably realise I might know a little more about this “victim” personally than just it being some random claim. Well, they were a close friend and are now an ex-friend, and that is the way they will permanently stay. I may have a touch of Martyr Complex dealing with them; I’m working on that.

With both martyr and victim complexes, a person relies on others for their validation and reward.

They constantly sacrifice resources against their own self-interest. A martyr takes on the role of the hero. People who use martyr behavior tend to have good motives for doing so. Sometimes, they may be forced into the role of a martyr because of their environment. People in service-based professions may develop a martyr complex.

The Martyr Complex

Martyr complex behavior differs depending on the cause.

Minimizing accomplishments

They may dismiss their actions, saying it’s not important when they make sacrifices. They do it for the good feeling of making the sacrifice and not for the praise of being recognized.

Being the hero

The idea of the “hero syndrome” can serve as a sign of the martyr complex. They may often play the hero and do everything themselves, solving everyone’s problems without complaint.

Lacking self-care

No one can pour from an empty jug. If they’re in a situation where they are constantly giving and letting their own personal health slip away, they are likely exhibiting the patterns of a martyr complex.

Seeking chances to sacrifice

Similar to the victim complex, a martyr looks for opportunities to step into harm’s way. They may search for instances or create ways to make those sacrifices.

Having unrealistic values

A martyr may view their actions as an expression of how much they care. They may feel that if they’re not working hard for people every day, it means they don’t love them enough.

Getting Help

The martyr complex is often deeply embedded in their lifestyle. This makes it hard to address and care for. They can take steps to shift their thinking away from being a martyr and toward taking care of themselves. For example:

  • Find, join or start a support group (this doesn’t have to be complex specific.)
  • Invest in themselves by setting aside time and resources for things they enjoy.
  • Devote time for their physical health.
  • Devote time for their appearance and well being.
  • Journal and express gratitude for themselves and others.
  • Spend time with friends and family in environments where they don’t need to help anyone and can just enjoy each other’s company.

From a personal perspective I joined a number of Social Media chats, started going out to concerts and events, started putting on make up again, bought some new clothes, even bought a new car. I gave up smoking (1st Sept 2023) and mostly gave up drinking (from 7th Sept 2023), mostly being a glass of wine with dinner some nights instead of what was previously a bottle of wine every night without fail.

This has mostly helped; however, the “victim” with whom my “martyrdom” was intertwined has severe narcissistic traits and took it upon themselves to continuously bait and attack me in the very Social Media Chat groups that I was using to help break said bond. This resulted in me voluntarily leaving “Queers Down South”, as I found the administrators of the group to be friends with the perpetrator of the abuse, which enabled further abuse and therefore made the space not safe for anyone like me (breaking their own first rule.)

The Savior Complex

According to the blog PeopleSkillsDecoded.com, the savior complex can be best defined as:

“A psychological construct which makes a person feel the need to save other people. This person has a strong tendency to seek people who desperately need help and to assist them, often sacrificing their own needs for these people.”

Many individuals who enter into caring professions such as mental health care, health care and even those who have loved ones with addictions may have some of these personality characteristics. They are drawn to those who need “saving” for a variety of reasons. However, their efforts to help others may be of an extreme nature that both deplete them and possibly enable the other individual.

What Is The Saviour Complex?

As defined above, the savior complex is a psychological construct which makes a person feel the need to save other people. This person has a strong tendency to seek people who desperately need help and to assist them, often sacrificing their own needs for these people.

There are many sides to a saviour complex and it has many roots. One of its fundamental roots, in my experience, consists of a limiting belief the saviour holds that goes something like this:

“If I always help people in need, I will get their love and approval, and have a happy life.”

This is, of course, a nice sounding fairytale, because often, in real life, a saviour will have such an unassertive way of helping others that the people helped, instead of becoming grateful, get used to it and come to expect it. They feel entitled to receive help from this person, simply because they need it and they’ve always got it.

On top of this, similarly to the Martyr Complex, they’re always putting other people’s needs first, which means a saviour does not take care of their own needs. So while they may feel happy because they are helping others, at some level they feel bitter and frustrated at the same time.

The underlying belief of these individuals is: “It is the noble thing to do.” They believe they are somehow better than others because they help people all the time without getting anything back. Do you have any idea how dim-witted this is? There is nothing noble in sacrificing yourself for others while you are starving at a psychological level. If our ancestors had willingly done so 50,000 years ago, our species would be extinct.

While motives may or may not be pure, their actions are not helpful to all involved. The problem is that trying to “save” someone does not allow the other individual to take responsibility for his or her own actions and to develop internal motivation. Therefore, the positive (or negative) changes will likely only be temporary if at all.

Getting Help

So how do you avoid the “saviour” trap with relationships and friends?

  • Slow down decision making and/or responses to issues enough to be mindful of choices and/or responses.
  • Say “maybe” or “no” before saying yes in order to give yourself time to weigh options.
  • Process emotions with friends, and family, reach out to support services if you don’t have friends or family you can process emotions with.
  • Set boundaries with other individuals that allow you to balance caring for them and helping them vs trying to “save” them.
  • Reach out for support from a therapist or coach in order to receive an objective assessment of your interpersonal issue.
  • Let your loved one or friend take responsibility for their actions.
  • Do not work harder trying to help/resolve the issue than your friend or loved one.
  • Do the best that you can do to support the individual and then “let go” of the results.

Possibly as important: if you are the person being “saved” by someone and you recognise they are trying to “save you”, you may need to review the above and suggest to your potential saviour that you appreciate them trying to help, but that it is not the best way forward.

Being a saviour is neither noble nor practical.

Final Notes

This is the second article dealing with Victim Mentality and the Victim, Saviour and Martyr Complexes, which narcissists can also use as a method of manipulation and of pulling you into their control (See: Covert Narcissism). I have been on the receiving end of at least two narcissists in my life, and have ended up even questioning myself to see if I am a narcissist. I know I was accused of being one by one of the two I have had relationships with in my life. However, a favourite quote of mine in relation to this very issue, and usually where I face up to having seen this behaviour and explained it away multiple times (never learning, it seems):

Whereas a typical narcissist thinks she is better than others because of her innate qualities, a covert narcissist with a martyr complex (aka a Martyr Narcissist) justifies her sense of superiority with the “good deeds” she does for others.

So she gets to be on a high horse at all times, seeing other people as selfish ingrates who are ultimately unworthy of her “gifts.”

More often than not, covert narcissists with a martyr complex seriously overestimate their goodness. They exaggerate the importance of things they do for others, and resent people for not measuring up to their twisted standards.

They think they’re selfless and giving, when in fact they are completely self-serving.

They are also master manipulators.

Finally, if any of the above rings alarm bells with you, or you get that deep feeling in your gut that something is disturbingly similar: get a second opinion, get help, talk to a professional, and above all be honest with yourself and with the professional you are getting help from. If you are the perpetrator of the narcissistic behaviour, just being honest with professional help is the first step to a better life for you and those around you. If you continue lying to others, you are just lying to yourself, and you are writing a future of pain and loneliness, as narcissists never find true love. If you are the victim of a narcissist, you can try to get them help, but ultimately they have to get the help themselves; if they are not willing to do so… RUN!

Abuse in relationships…

Introduction.

A friend recently asked about abuse in relationships, and didn’t know whether they had wandered into a bad relationship. So after a discussion with them I pointed out a number of factors that could point to control or manipulation and therefore abuse.

I decided I’d share the things discussed with all; this therefore is the first part of many that I will write about over the next year. It is a personal view and certainly not the be all and end all, so if you find yourself thinking “am I being controlled?”, have a read of the articles, and if they ring alarm bells with you, talk to professional help about how you can get yourself to a better place.

If anyone finds these useful but would like me to write on a specific topic, feel free to drop me an email here: michelle@shellsshots.com and I will attempt to provide general insight and research on the particular topic. First topic… financial control.

Abuse by Financial Control

This is very easily perpetrated, both deliberately and accidentally, where one person in a couple earns money and the other does not… e.g. husband and wife.

There are three main ways a couple will control finances:

  • All money earned by both parties goes into a ‘joint account’ (and maybe a personal account each that money is shared out into.)
  • All money earned by both parties goes into their own personal account and some of that is shared
  • All money earned by both parties goes into their own personal account and financial responsibilities are shared but no money is shared.

Where in the world you live will affect whether one is more common than another, and indeed your relationship status (e.g. married or living together) will also have a bearing on your choice of sharing.

It should be fairly self explanatory from the list why each is used and how it works, but in the event of it not being quite ‘your fit’ I will explain:

All money earned is shared.

Quite simply, all money you and your partner earn will go directly into a joint account, and from there all the bills are paid, shopping and groceries are paid for etc. Some couples will also have their own (savings) accounts to which a fixed amount (either a set sum or a percentage of earnings) is transferred for ‘special items’.. e.g. treats for themselves, birthday presents for their partner, habits (like smoking) etc…

This type of arrangement is the ideal, as it gives full financial freedom to both parties whilst ensuring responsibilities to the household are met.

The two ways these are usually abused:

  • Where one partner requires the statements of the other’s personal account to check up on what money is being spent and where.
  • When the relationship breaks down, and either the account is emptied or frozen by one party to abuse the other.

The second is the most common reason people seem not to use joint accounts in this way.

All money is kept separate with a joint responsibilities account.

This is the method where your wages/earnings are paid into an account that is your sole responsibility and you have an agreement to pay either a fixed amount or percentage of your earnings into a shared account.

This type of arrangement has a distinct advantage over the ‘All money is shared‘ method in that, should things go wrong, the other party cannot freeze your access to money. However, it also has the disadvantage that if you are not earning anything, you have no money that is not also shared. Of course it also suffers, like all three methods, if one partner is demanding details of payments made from personal accounts.

Personally I have had most of my relationships in this type of arrangement; those that weren’t were where I was not living with the other person and the relationship had not got to the level where finances could be shared. It has been suggested at times that I could be controlling my partner (and indeed in some cases I was, blatantly, but with their full knowledge and for a reason, which is where I consider it not abuse.)

In my case, my partner was not earning any money and I was putting a not insignificant amount of money into the joint account for them to take care of responsibilities, like paying for food, petrol, buying clothes etc. The problem for my partner at the time was that there was not enough money to get a lot of clothes, or to buy designer items etc.. I had to point out to them on multiple occasions that out of my personal account I was paying the rent/mortgage, car loans, personal loans for joint items, household bills (water/electricity/phone etc), and the actual amount of money left over after putting money into the joint account was less than the money I put in the joint account. This was very controlling and I was constantly aware of it, and even though I knew they had the better end of the deal I constantly felt guilty about it. The situation changed after a couple of years as loans got paid off and my partner got work (and therefore started contributing), and the situation ended up with spare money in the joint account and several thousand in savings in each of our personal accounts.

I never ask my partner what they are spending their personal money on, and they never ask what I am spending on either, however, to give an idea of how it works… I smoke and drink, I buy all of my vices from my personal account. I buy presents from my personal account. If I want a new phone or computer I buy it out of my personal account (well not exactly.. but will explain towards the end.) My partner does the same, except they rarely drink and don’t smoke but they do like their designer label clothes, so they buy them from there.. they also want plastic surgery so again, they are saving money to pay for it from there.

Completely separate finances.

This type of financial arrangement is usually what you see at the beginning of any relationship, but often it continues even after marriage. When it is by mutual agreement (as in both parties have said they want it this way, not one wanting it and the other not, or being persuaded against it) it is fairly safe from abuse. Like the other two arrangements, the classic abuse sign is when one partner demands to see what the other is spending money on.

It does have an advantage in that at the end of a relationship everything becomes quite easy to separate, and it’s difficult if not impossible to abuse the other by ‘cutting them off from their own money’… however it is also the most easily abused where one partner is working and the other is not (regardless of whether the relationship has ended or is ongoing.)

The problem and abuse, quite surprisingly to many, can come from either side of the relationship:

  • The partner not earning can demand, manipulate, control the person earning by constantly playing on the fact they have no money of their own and how they are doing things for their partner all the time. This ‘doing things’ can be anything, like cooking, cleaning, looking after children or even sexual favours.
  • The partner earning can control and manipulate the person not earning into doing things they don’t want/like to do by withholding money unless their wishes are fulfilled (this you, the reader, probably guessed already.)

A note on business accounts.

To add a complication to these seemingly simple ways to abuse is when a business account is brought into the equation. Business accounts are used for business things (obviously); however, in many countries (e.g. Australia) they are also used as a legal tax avoidance method, and an illegal one if you don’t know the rules. In Australia, there are two main types of business an individual or couple will own: either a straight ‘ABN’ (Australian Business Number), which is basically the same as being self employed, or an ‘ACN’ (Australian Company Number), which is where there is a legal company entity. Any ACN will also have an ABN; an ACN is where the company name is followed by ‘Pty Ltd’ and is similar to the UK’s ‘limited companies’: companies that have been set up with shares and have limited liability, but are privately owned and not on the stock market. ABNs are used more like a ‘trading as’, so the money earned and any liabilities come back to those listed as the owners. Each has its advantages and disadvantages when it comes to tax and responsibilities in regard to those with financial interests… talk to a financial advisor and accountant about what is better/safer for you and your circumstances. However, something to beware of, and which can result in some extreme forms of abuse, is where one of the couple owns the shares in the business and the other does not work for the company but gets tax breaks from it. This is mostly illegal and can result in severe penalties including jail.

For example, if one partner has a company car, phone, computers etc and uses them for personal use they have an FBT (Fringe Benefits Tax) liability. It is not uncommon for the abuser to fail to mention it, and then use it as leverage at a later date. Similarly, if one spends money from a business account (money that is not employee wages), the law requires that the money is viewed as a loan and has a specific repayment plan with interest specified etc.

The biggest lesson here, and something my accountant warned me of just last week: if your partner gives you a corporate card (credit or debit) you MUST ensure you only use it for things directly related to the company.. and you must be ready to prove it to the tax office. You could end up in court facing fraud and/or embezzlement charges (both of which carry jail time for first offenders) if you cannot. Charges can even be laid if you have used the card for company business when you are not an official employee, though it is rare for this to happen, and it will usually only occur when the ‘owner’ says the payment was unauthorised. An example of how you can cross the line: if you own a car dealership, purchasing a camera and computers would be completely expected; however, expensing food and travel to locations that don’t relate to the delivery or purchase of a vehicle for the business will be questioned. Similarly, running an online business (such as mine), purchasing $2000-3000 worth of designer clothes would probably be ignored the first time, as I would need professional clothing for meeting business partners and customers; however, if I was doing it every month I would expect to be audited very quickly. In summary, if you are in a relationship where your partner has a business and you are spending company money, make sure it’s only on company related stuff and that you are either a shareholder or an employee of the company, otherwise you could be in serious trouble when you don’t do as you are told.

Finally…

The key to knowing whether there is manipulation, and therefore abuse, when it comes to finances is communication. If one person is controlling the money and examining where it is going, it doesn’t automatically mean there is abuse… especially if the finances are tight. However, if money is plentiful (who has this nowadays?!??!) and a person finds themselves having to explain every purchase or beg for money, it’s at the other end of the spectrum and most likely abuse. If you communicate with each other, things are explained, and you know where and why purchases can and cannot be made, then even if money seems fine it may be that your partner is just trying to keep it that way.

Dive gear – The Do’s And Don’ts

Some of you will know I’ve been a diver for many years, the more astute of you will know of my love of underwater photography.

So a little about my policy on gear.. I tend to choose a manufacturer after doing a bit of research and stick with it, for everything. It’s called brand loyalty…

Photographic equipment: I went with Nikon, and have gear worth in excess of €25,000; underwater housings: Sea and Sea, worth a not insignificant amount. Dive gear: Oceanic. Even my computer gear: all Apple (and no, I’m not a “fan boy”.) I have just found that if you stick to a brand everything “just works”.

Well, unfortunately it seems I was wrong to trust brand loyalty; it is not a great thing for some brands, as they have no customer loyalty.

This, therefore, is the story of Oceanic. Regulators, BCD, computers (three of them), masks, fins, even wetsuits, all of which I have despite certain items being better from other manufacturers. I was sucked in by the “lifetime warranty” initially, and the deal was sealed when their “medium large” size for the wetsuit fit me perfectly.

Oceanic – Australia

Without fail in Australia I took my gear back to Nautilus SCUBA of Brisbane, an authorized service center/dealer for Oceanic, and all was fine. I then moved from Brisbane to Canberra and found myself visiting Norm Green from Indepth SCUBA, who is both a good friend and a great dive shop, though this is where my problems started. They serviced my regulators one year and some mixup resulted in the warranty being voided because I had supposedly not serviced the regulators one year… of course I balked at this and persisted in chasing Norman over the issue, and after showing receipts and numerous emails from him to Oceanic the warranty was reinstated due to me keeping to the service records over the years (it turns out a late submission of paperwork caused the problem.)

Oceanic – Malta

Then in 2009 I moved to Malta, and searched out a local Oceanic dealer.. world wide warranty? Pfft! From day one they told me there was no world wide warranty and I would have to pay in full for all servicing and parts, so I did, even when I had to stop diving because of a bout of cancer… Every year the regs, computer and BCD were serviced.

8 years later I returned to Australia and went to Dive Jervis Bay to get my gear serviced … especially after getting wet and finding my regs started free flowing. After waiting months for servicing and repair I was informed that the regulators were missing 2 parts, one of which was a critical O-ring and, in the words of Dive Jervis Bay, I was lucky to be alive as the regs could have failed at anytime.

The battery died on my Oceanic OC1 (not the first time), so I took it to Dive Jervis Bay and asked them to replace, test and service it. A couple of weeks and a few hundred dollars later it was returned to me and I booked a dive.

30 seconds into the dive I found the computer going into “calibrate compass” mode and buttons failing, then the dreaded water droplets. Dive aborted, and waited the first dive out, second dive I went with a backup. On return to shore I gave the computer back to the shop and asked them to look at it, they said they sent it back to Oceanic.

Weeks later (6-8 weeks) I was informed the computer was out of warranty and it was a write off as they were an obsolete model and $1000+ would need to be paid for a replacement. I suggested they should reconsider, and several weeks later received the reply that no, that was that, new computer at $1000 or I should go with another manufacturer. In shop I was asked to consider the Suunto range.

Well, the upshot of all this: after months of asking for the return of my now dead computer it was returned to me, and finally tonight I got around to opening it up. To my astonishment I found the computer very obviously had not even been opened, as it was still full of water, and the reason for the flood was that the seal on the battery cover was both damaged and had debris on it.

So the do’s and don’ts …

Don’t trust a world wide warranty, particularly by Oceanic; it’s not, and it will be cancelled at the drop of a hat, even if it is not your (the consumer’s) fault.

Don’t trust authorized service agents (particularly in Europe) to actually safely service your gear, let alone honor service agreements.

Don’t trust the manufacturer or their authorized service agents to care about you respecting brand loyalty (they don’t give a crap, it’s all money to them.)

Do research what you’re buying.

Do research “authorized service centers” to see if they have mandatory training.

Do learn how to service your own gear so you can at least check the work done by the agent.

Don’t assume because you are paying top dollar for gear you’re getting top quality.

Don’t bother with brand loyalty; it used to be worth something, but nowadays it’s worth nothing. The only thing brands care about is the number of greenbacks you can give up.

Footnote

So, as I don’t expect to hear anything from Oceanic or any other dive gear manufacturer, I’m now ridding myself of Oceanic stuff and going with whatever suits the purpose, by whichever manufacturer I feel is offering the best deal/value for money… starting with a new air-integrated computer.

The IoT should really be IoSI (Internet of Security Issues)

The Internet of Things

So here I am seeing issues, reading about issues and trying to stop issues in the Internet of Things… Every day someone seems to be publishing articles on the issues, people are getting more aware (you’d think!), but there seems to be no real movement.

Some of my readers will know what I do for my day job; for those that don’t, I wrote the SORBS anti-spam system.. not quite the most hated, but some who should know better have said they just want me dead, then SORBS dead, then me killed again just to be sure I’m actually dead. Several years ago I spent Christmas sitting in front of my computers rewriting part of the system, particularly the part that finds “bad stuff” and reports it (e.g. open-relay servers), and whilst scanning hosts that were actively trying to send spam and/or viruses to me I came across the web page of a fridge. The page half loaded before it became completely unresponsive, and tracing it I found it on an IP address that appeared to be in Rome (Italy)…. When I reported my finding of a ‘Fridge Spamming’ to my boss all hell broke loose, blog articles were written, front pages were held and suddenly the world knew about ‘Fridges Spamming‘. Shortly thereafter we got debunked by our main competitor of the time, who asserted it wasn’t possible; the article, however, sparked off massive research into and watching of the technology from a security stance.

In July of the same year a bunch of researchers at a university found that the premise of the ‘debunking’ was actually false and that, with a specific sequence of commands, it was possible to get the fridge concerned into a system ‘admin/debug’ mode that allowed a remote attacker to use the device as a simple proxy server and install other “apps”. This largely went unnoticed in the IoT industry with respect to the original report; I never understood why… perhaps someone can explain that to me? 🙂

3 years later…

One would think we would have learned something. We certainly have seen more of these types of attacks, not always for spam but just as a device to get into a network, to provide the doorway. Indeed the attackers have pretty much made an art out of it, using combinations of direct hacks, social engineering to gain access or persuade users to install things, and even stealing devices… The lists and lengths seem endless, especially when you consider who is doing this sort of thing and even who is paying whom… We’ve all heard about Trump and Russia and the controversy; well, there are teams of hackers in Russia whose sole income is to break into systems and steal secrets. It’s not a stretch to imagine that they are not unconnected… Personally I don’t go into the conspiracy theories, but I can tell you there are companies and persons of interest that do pay for the services of such teams, and not just Russian ones; there are European teams, Chinese teams, American etc..

The result is a lot more tech out there, all with security issues and all trying to keep market share, by innovating or by destroying the competition.

So why are we helping these people along?  Why are we allowing companies to circumvent privacy laws?  Why are they even trying?  Why are there more and more companies dealing with security remediation rather than companies dealing with the actual problem…?

All questions for you the reader (and hopefully some people that can effect change.)

So what is this blog post about? Why did you write it?

Well quite simply I chase down security patches for my services…  You see I still manage SORBS and recently we moved some of the servers around to a new Datacenter and as a consequence I changed a lot of security settings to make the systems more secure.  The fallout of this was I completely re-wired my home office network and the only thing on my network now that is not ‘secured’ (ie may have issues) was my wireless network.

Originally I had an OpenVPN connection for every service over the wireless that was an ‘authorised machine’ and a straight session login for controlling access.  I deliberately set the whole network to ‘Open’ (ie unencrypted) to remind people using it that everything can be watched so if it’s important, use HTTPS (or use the OpenVPN) etc.

I decided to switch the network to WPA2-Enterprise for authorised users, and to use a Juniper NAC to provide a captive portal and control the logins etc…  I didn’t account for the ridiculous cost of the licenses of the Juniper NAC so even though I picked up a brand new IC4500 for less than €70 I couldn’t use it because the most basic license (to allow 25 devices to login) is over €1200 and using the Captive Portal aspect (which is what I actually wanted) it was going to cost over €4500…   I pulled it apart… I found that the IC4500 is just a Dual Core, 1-RU server with a couple of gigs of RAM, an 80G hard drive and 2 Gigabit Ethernet ports… so changing the drive to something larger and a bit of fiddling and I put the OS I have been developing on it (BSD Server UNIX -BSDSUX for short) and now I have a captive portal of my own making…  so last thing was to get the Access Points able to do both Open Security and WPA2-Enterprise at the same time, and when logged in get forced off the open wireless and allowed onto the secure wireless.

So finally to the point…

The Internet of Security Issues

Not so long ago a number of security vulnerabilities were hitting the headlines, and in particular ‘ShellShock’, so, running Amped Wireless AP20000Gs around my home, which I happen to know run Linux, I was a little concerned.  I had the latest firmware on the devices and this was dated a few years earlier (13 Dec 2012) so I emailed Amped Wireless about the issue and wasn’t actually told anything about the issue except they’d review the bug.  Time went by and more and more issues came up, and still no firmware… the latest one is CVE-2017-6074 which was introduced to the Linux Kernel way back in 2006, in fact the vulnerability description states this:

The oldest version that was checked is 2.6.18 (Sep 2006), which is
vulnerable. However, the bug was introduced before that, probably in the first release with DCCP support (2.6.14, Oct 2005).

Now the clueful of you would know that this is a local privilege escalation issue and when it comes to routers, APs etc you’d actually have to get on the device to exploit it.  The same clueful will know that’s not as difficult as it might sound.

So figuring that I’m never going to get the firmware update I need/want I might as well go about hacking the router myself and building my own firmware that can indeed work with the IC4500 and finally finish securing my network to the level I want.

(and for those fed up with reading… if you haven’t worked it out… it’s 2017, the Access Point is classed as one of the ‘Internet of Things’ it is vulnerable to hacking on multiple fronts and 5 years later and I can’t get an update to the firmware – even though they are still selling these devices in shops!!!! … the gory horror for the techs is coming, so keep reading if you want…)

First things first when going down this path… Research the hardware and see what’s available… the Website ‘WikiDevi’ is great for this and provides the following details

CPU1: Realtek RTL8198 (620 MHz)
FLA1: 8 MiB (Macronix MX25L6406EM2I-12G)
RAM1: 64 MiB (Hynix H5PS5162GFR-S6C)

WI1 chip1: Realtek RTL8192DR
WI1 802dot11 protocols: an
WI1 MIMO config: 2×2:2
WI1 antenna connector: RP-SMA
WI2 chip1: Realtek RTL8192CE
WI2 802dot11 protocols: bgn
WI2 MIMO config: 2×2:2
WI2 antenna connector: RP-SMA

ETH chip1: Realtek RTL8198
Switch: Realtek RTL8198
LAN speed: 10/100/1000
LAN ports: 4
WAN speed: 10/100/1000
WAN ports: 1

Which also tells me that normal OpenWRT support is not available (they mostly don’t support RealTek devices)… but more looking (and the WikiDevi page now says it) shows there is RealTek support by some authors.  Looking up the chips I also get information there is JTAG support (which is basically a serial port for debugging) so I got to work with my screwdriver and soldering iron and this was the result…

Which applying power produced the following in a minicom session.

Booting...?
========== SPI =============
SDRAM CLOCK:181MHZ
 ------------------------- Force into Single IO Mode ------------------------ 
|No chipID  Sft chipSize blkSize secSize pageSize sdCk opCk      chipName    |
| 0 c22017h  0h  800000h  10000h   1000h     100h   86   30   MX6405D/05E/45E|
 ---------------------------------------------------------------------------- 
Reboot Result from Watchdog Timeout!

---RealTek(RTL8198)at 2012.04.12-16:11+0800 version v1.2 [16bit](620MHz)
no sys signature at 00010000!
no sys signature at 00020000!
no sys signature at 00030000!
no sys signature at 00140000!
no rootfs signature at 000E0000!
no rootfs signature at 000F0000!
no rootfs signature at 00130000!
no rootfs signature at 00240000!
Jump to image start=0x80500000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003640
RTL8192C/RTL8188C driver version 1.6 (2011-07-18)



Probing RTL8186 10/100 NIC-kenel stack size order[3]...
chip name: 8196C, chip revid: 0
NOT YET
eth0 added. vid=9 Member port 0x1...
eth1 added. vid=8 Member port 0x10...
eth2 added. vid=9 Member port 0x2...
eth3 added. vid=9 Member port 0x4...
eth4 added. vid=9 Member port 0x8...
[peth0] added, mapping to [eth1]...
init started: BusyBox v1.13.4 (2012-12-13 11:08:29 CST)
Init Start...
Init bridge interface...
killall: smbd: no process killed
killall: nmbd: no process killed
basename(1)
basename(2 /sys/block/sda)
basename(2 /block/sda)
basename(2 /sda)
basename(3 sda)
basename(1)
basename(2 /sys/block/sda)
basename(2 /block/sda)
basename(2 /sda)
basename(3 sda)
basename(1)
basename(2 /sys/block/sda/sda1)
basename(2 /block/sda/sda1)
basename(2 /sda/sda1)
basename(2 /sda1)
basename(3 sda1)
basename(1)
basename(2 /sys/block/sda/sda1)
basename(2 /block/sda/sda1)
basename(2 /sda/sda1)
basename(2 /sda1)
basename(3 sda1)
try_mount(1) sda1, /var/tmp/usb/sda1
CMD: /bin/ntfs-3g /dev/sda1 /var/tmp/usb/sda1 -o force

Error opening '/dev/sda1': No such device or address
Failed to mount '/dev/sda1': No such device or address
Either the device is missing or it's powered down, or you have
SoftRAID hardware and must use an activated, different device under
/dev/mapper/, (e.g. /dev/mapper/nvidia_eahaabcc1) to mount NTFS.
Please see the 'dmraid' documentation for help.
Init Wlan application...

WiFi Simple Config v2.3 (2011.11.08-13:04+0000).

Register to wlan0
Register to wlan1
route: SIOCDELRT: No such process
iwcontrol RegisterPID to (wlan0)
iwcontrol RegisterPID to (wlan1)
$$$ eth1 & eth0 up $$$
IEEE 802.11f (IAPP) using interface br0 (v1.7)
#

As one can see straight in at a root prompt (no login – but hey, needs to physically connect to it with a soldering iron…), and we can see it’s running BusyBox (which means it’s running ash not bash so not vulnerable to Shellshock – nice of the company to tell me!??!?!)…  But confirmed….

# x='() { :;}; echo VULNERABLE' ash -c : 
#

So what about the latest bug that goes back to 2006… well…

# cat /proc/version   
Linux version 2.6.30.9 (kevinlin@localhost.localdomain) (gcc version 3.4.6-1.3.6) #603 Thu Dec 13 15:14:20 CST 2012

That would be a yes then…  In fact we can see that this OS was made with the old version of the RealTek SDK

# cat /etc/version
RTL8198 v1.0 --  Thu Dec 13 15:13:43 CST 2012
The SDK version is: Realtek SDK v2.5-r7984
Ethernet driver version is: 7953-7929
Wireless driver version is: 7977-7977
Fastpath source version is: 7873-6572
Feature support version is: 7927-7480
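The two checks walked through above (the Shellshock environment test against the device’s shell, and reading the kernel version out of /proc/version to see whether it predates the CVE-2017-6074 fix) are easy to turn into a repeatable triage step. The following Python is an added example and is not code from this post or from Amped Wireless; it assumes a Python 3.7+ host that can execute the shells you name, the sample /proc/version line is constructed from the output shown above, and the 4.10 threshold is the mainline kernel series in which the DCCP fix landed (distribution and vendor kernels carried backports, so their advisories are the authority for those).

```python
import os
import re
import shutil
import subprocess

# Constructed sample: the /proc/version line shown on the page, used as data.
SAMPLE_PROC_VERSION = (
    "Linux version 2.6.30.9 (kevinlin@localhost.localdomain) "
    "(gcc version 3.4.6-1.3.6) #603 Thu Dec 13 15:14:20 CST 2012"
)

# Assumption: mainline series carrying the CVE-2017-6074 (DCCP use-after-free)
# fix. Stable/vendor branches received backports; compare against those too.
DCCP_FIX_MAINLINE = (4, 10)

_VERSION_RE = re.compile(r"Linux version (\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def kernel_version(proc_version_text):
    """Parse the numeric version out of a /proc/version line, e.g. (2, 6, 30, 9)."""
    m = _VERSION_RE.search(proc_version_text)
    if not m:
        raise ValueError("not a /proc/version line: %r" % proc_version_text)
    return tuple(int(g) for g in m.groups() if g is not None)


def predates(version, fix):
    """True when `version` is older than the release carrying a fix.

    Tuples compare element by element, so (2, 6, 30, 9) < (4, 10) holds.
    """
    return tuple(version) < tuple(fix)


def shellshock_vulnerable(shell):
    """Run the classic function-import test against one interpreter.

    The payload lives only in the environment; the command executed is `:`.
    A patched bash, or a shell that never imported functions from the
    environment (BusyBox ash), prints nothing. Returns None if `shell` is
    not found, so callers can distinguish "absent" from "not vulnerable".
    """
    path = shell if os.sep in shell else shutil.which(shell)
    if not path or not os.access(path, os.X_OK):
        return None
    env = dict(os.environ)
    env["x"] = "() { :;}; echo VULNERABLE"
    proc = subprocess.run([path, "-c", ":"], env=env,
                          capture_output=True, text=True, timeout=10)
    return "VULNERABLE" in proc.stdout


def triage(proc_version_text, shells=("sh", "bash", "ash")):
    """Summarise both checks for one device as a plain dict."""
    ver = kernel_version(proc_version_text)
    return {
        "kernel": ver,
        "predates_dccp_fix": predates(ver, DCCP_FIX_MAINLINE),
        "shellshock": {s: shellshock_vulnerable(s) for s in shells},
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PROC_VERSION))
```

Two caveats the post itself hints at: the kernel comparison only says the kernel is older than the fix, and a build with DCCP left out (CONFIG_IP_DCCP unset) does not contain the vulnerable code at all; and as noted above the bug is a local privilege escalation, so it matters once someone already has a shell on the device, which the UART root prompt shows is not a high bar.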

So my next trick is to work out which GPIO pins I need to manipulate to get the power output control of the Skyworks (SiGe) SE5004L / 5004L power amplifiers under my control but that’s digressing from the topic of this post.  Poking around looking for the details and I found something else rather interesting…

# ps -ax
  PID USER       VSZ STAT COMMAND
    1 root      1576 S    init      
    2 root         0 SW<  [kthreadd]
    3 root         0 SW<  [ksoftirqd/0]
    4 root         0 SW<  [events/0]
    5 root         0 SW<  [khelper]
    8 root         0 SW<  [async/mgr]
   61 root         0 SW<  [kblockd/0]
   71 root         0 SW<  [khubd]
   88 root         0 SW   [pdflush]
   89 root         0 SW<  [kswapd0]
  649 root         0 SW<  [mtdblockd]
  870 root     13760 S    /bin/smbd -D -s /var/smb.conf 
  878 root     13808 S    /bin/smbd -D -s /var/smb.conf 
  882 root      6508 S    /bin/nmbd -D -s /var/smb.conf 
  902 root       960 S    iapp br0 wlan0 wlan1 
  913 root      1260 S    wscd -start -c /var/wsc-wlan1.conf -w wlan1 -fi /var/
  917 root       984 S    iwcontrol wlan0 wlan1 
  942 root      1008 S    dnrd --cache=off -s 168.95.1.1 
  951 root       956 S    reload -k /var/wlsch.conf 
  984 root      2168 S    webs 
  985 root      1584 S    -/bin/sh 
 1021 root      1576 R    ps -ax 
#

.. That little thing that says, “dnrd --cache=off -s 168.95.1.1” .. This program is a DNS relay server, ie something that helps you resolve the names we know and are used to, like “www.microsoft.com”, into the four-octet number that computers deal with, called an ‘IP Address’.  Now the reason I’m pointing it out is that 168.95.1.1 is not something I have configured and it is not something on my network, so it piqued my curiosity.  Turns out it belongs to a Taiwanese company “Chunghwa Telecom Co., Ltd”

$ host 168.95.1.1
1.1.95.168.in-addr.arpa domain name pointer dns.hinet.net.
$ whois hinet.net

.
.
.

   Server Name: HINET.NET.TW
   Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
   Whois Server: whois.melbourneit.com
   Referral URL: http://www.melbourneit.com.au


   Domain Name: HINET.NET
   Registrar: NETWORK SOLUTIONS, LLC.
   Sponsoring Registrar IANA ID: 2
   Whois Server: whois.networksolutions.com
   Referral URL: http://networksolutions.com
   Name Server: ANS1.HINET.NET
   Name Server: ANS2.HINET.NET
   Status: ok https://icann.org/epp#ok
   Updated Date: 02-feb-2017
   Creation Date: 19-mar-1994
   Expiration Date: 20-mar-2018

.
.
.

Domain Name: HINET.NET
Registry Domain ID: 2854475_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2017-03-05T15:11:26Z
Creation Date: 1994-03-19T05:00:00Z
Registrar Registration Expiration Date: 2018-03-20T04:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8003337680
Reseller: 
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID: 
Registrant Name: Internet Dept., DCBG, Chunghwa Telecom Co., Ltd.
Registrant Organization: Internet Dept., DCBG, Chunghwa Telecom Co., Ltd.
Registrant Street: Data-Bldg, No. 21 Sec.1, Hsin-Yi Rd.
Registrant City: Taipei
Registrant State/Province: Taiwan
Registrant Postal Code: 100
Registrant Country: TW
Registrant Phone: +886.223444720
Registrant Phone Ext: 
Registrant Fax: +886.223960399
Registrant Fax Ext: 
Registrant Email: vnsadm@hinet.net
Registry Admin ID: 
Admin Name: Internet Dept., DCBG, Chunghwa Telecom Co., Ltd.
Admin Organization: Internet Dept., DCBG, Chunghwa Telecom Co., Ltd.
Admin Street: Data-Bldg, No. 21 Sec.1, Hsin-Yi Rd.
Admin City: Taipei
Admin State/Province: Taiwan
Admin Postal Code: 100
Admin Country: TW
Admin Phone: +886.223444720
Admin Phone Ext: 
Admin Fax: +886.223960399
Admin Fax Ext: 
Admin Email: vnsadm@hinet.net

So not only is this Access Point vulnerable to hacking, it’s also sending details of every site I’m going to back to a server in Taiwan…  Well not quite, because unlike most home users I am using my own DNS servers and have specifically blocked the access points from talking to the Internet… I am not your average home user though.  That leads me to the following conclusion that some will find scary…
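A hard-coded upstream resolver buried in a process argument is exactly the sort of thing worth hunting for on every process of a device rather than noticing by luck. The following Python is an added example (not code from this post) that scans BusyBox-style `ps -ax` output for IPv4 literals and flags the ones that are globally routable and not inside networks the operator has declared trusted. The sample listing is constructed from the output shown above, with two extra lines (a private-range resolver and a command with no address) added for contrast.

```python
import ipaddress
import re

# Constructed sample modelled on the `ps -ax` listing above, plus two
# contrasting lines: a resolver on a private range and a command with no IP.
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
  902 root       960 S    iapp br0 wlan0 wlan1
  942 root      1008 S    dnrd --cache=off -s 168.95.1.1
  943 root      1008 S    dnrd --cache=off -s 192.168.1.1
  984 root      2168 S    webs
"""

# Dotted quad not glued to other digits/dots; validity is checked afterwards.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_ip_literals(cmdline):
    """Return the valid IPv4 addresses embedded in one command line."""
    found = []
    for token in _IPV4.findall(cmdline):
        try:
            found.append(ipaddress.IPv4Address(token))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return found


def is_foreign(addr, trusted_networks):
    """Globally routable and outside every network the operator trusts."""
    if not addr.is_global:
        return False  # RFC 1918, loopback, link-local, etc. are local by nature
    return not any(addr in net for net in trusted_networks)


def parse_ps(text):
    """Yield (pid, command line) pairs from `ps -ax` output, skipping the header."""
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[0].isdigit():
            yield int(parts[0]), parts[4]


def foreign_endpoints(ps_text, trusted=()):
    """List (pid, address, command) for every foreign IPv4 literal in the process table.

    `trusted` holds CIDR strings for your own public ranges or resolvers.
    """
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for pid, cmd in parse_ps(ps_text):
        for addr in find_ip_literals(cmd):
            if is_foreign(addr, trusted_nets):
                findings.append((pid, str(addr), cmd))
    return findings


if __name__ == "__main__":
    for pid, addr, cmd in foreign_endpoints(SAMPLE_PS):
        print("pid %d talks to %s: %s" % (pid, addr, cmd))
```

The scan is deliberately dumb about what the address is for; its job is to surface every public endpoint a firmware image has baked in so a human can decide whether it belongs there. The companion control is the one the post describes: give the access points no route to the Internet at all, so a resolver you never configured cannot be reached even if it is still in the process list.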

The Conclusion…

The biggest current threat to our networks, our privacy, and our electronic identities (including funds) is the threat of the Internet of Things that have not been patched. 

This threat is massive as the clueful people out there often can’t patch because the companies selling the devices are not providing security fixes because their profit is about getting new devices out there, not fixing old devices. 

It’s even bigger because most of the world are not techs, they don’t even know how to update the firmware or where it would even be available if they did. 

…Yet we’re all connecting up to the Internet, we’re all buying these boxes from household temperature controls available on your phone to Smart TVs and Fridges… even ‘Smart Bulbs‘!

All of which have the ability to run code, all of which have potential security issues, and all of which can provide the unethical people out there ‘doorways into your home’.

 

Social Engineering on Social Networking…

It’s been a long while since I’ve posted anything, but in today’s news how many of you out there are on Facebook and how many of you like to respond to these little gems:

“Red mushroom burger”

Or perhaps statuses that ask you to cut/paste in your answers:

Thursday Night fun… Six names.

Real Name: Michelle Sullivan

Soap opera name (middle name and street you live on): Isabelle Hemel

Star Wars name (first 3 letters of your last name, first 2 of middle, and last 2 of first): Sulisle

Superhero name (colour of shirt and item to your right): Grey mouse

Goth name (Black and pet name): Black Melody Pond

Rapper name (Lil and last thing you ate): Lil mushroom burger

Copy, paste and change if you wish to play too!

 

Both of these two things together often give enough information to people like me to enable me to steal from you, like stealing your Facebook account or your Hotmail account, or perhaps your iCloud account which then gives me access to your phone, location and photos… Maybe even your bank accounts….

Consider how many sites you visit and put in a load of details to ‘sign up’ and how many of those sites ask for additional security questions in case you forget your password, then consider how much information you put in your Social Networking accounts that others can view…

One of the favourite questions always used to be ‘What is your mother’s maiden name?’, and still is for many banks.  Here’s the problem in a nutshell: many people now have Facebook accounts and the parents of those people usually have Facebook accounts as well, and how many of you have seen friends’ parents with names on Facebook such as, “Mary Johnson (nee Knowles)”?  Then how many look at the profile under the ‘About’ and see “Sister, Dad, Mum” entries… because by default this information is viewable by friends of friends….

Now take all of the above together with friends posting “Happy Birthday, 40 today, can’t believe how old we all are now, congrats mate” etc (‘today’ being 24/2/2017), and remember that when the ‘picture questions’ are shared from a page the answers are shared with everyone on that page… then consider what most people can see about you.  In the example I have written/posted above, let’s recap:

  • Real Name: Michelle Isabelle Sullivan
  • Date of birth: 24 Feb 1977
  • Favourite Colour: Red
  • My Address: Triq il-Hemel, Swieqi, Malta
  • My pets name: Melody Pond
  • What sort of pet: Cat
  • Mother’s Maiden name: Knowles
  • Brother’s Name: Stephen

Sound familiar?  What a bank might ask you on the phone for ‘confirming your identity’ by any chance?

How did I get all this, you might ask, since not all of it is that obvious?  Well…

“Name” is an easy one, but hey, I need to know the full name, so my “Soap Opera name” gave me two details, “Isabelle Hemel”, one of which was my middle name.  That was verified because we also asked for the “Star Wars Name”, which uses letters from each part of our name.

“Date of Birth”, easy but you might have missed it: I said I got wished a “Happy 40th Birthday” today (and probably got several hundred best wishes) all of which are posted with the permissions of the poster, *NOT* the permissions you have on your ‘Timeline’.  So given that I said “today” is 24th Feb 2017 and I’m getting “Happy 40” wishes, that makes my Date of Birth 24 Feb 1977.

“My Favourite colour”, trivial, what was my “wand’s magic name” again? Oh that’s right, “Red mushroom burger“.

Social Engineering tip: ask other irrelevant details with the detail you want, people don’t spot they are giving something away that they might otherwise not, how many of you would answer truthfully if a stranger came up to you in the street and asked you, “What’s your favourite colour, and how old are you?”

“My Address” is a little more tricky, this one; I’m sure you got the first part, my ‘Soap Opera name’ is “Isabelle Hemel”, but how did I get to “Triq il-Hemel, Swieqi, Malta”..?  Simple: take a look at your timeline and look for the location information on most posts; on mine it says “Swieqi” on a vast number of posts, and if you look at Google maps and search for “Hemel Swieqi” that will give you the rest of the address (and even the postal code in many cases.)

How many of you have seen the “What’s your pet’s name?” as a ‘security question’ … well guess what… My “Goth Name” was “Black Melody Pond” and that just gave it to you!  How did I get to the pet being a “cat” though?  Well just go look at my photos, especially for ones with pets in them and you find I own a cat, and it takes very little to tie “Melody” to “a Cat“.

Mother’s Maiden name and Brother’s Name – well I told you that already, it’s on the “About” page of Facebook, not to mention that many people have mums that interact with them on Facebook and usually by sharing posts.  For example, how many of you have photos of you and your mum?  How many of those photos did you “tag” your mum in?

You might be asking, “But what about the ‘Rapper Name’ where does that fit in?” .. well remember what I said about, “ask other irrelevant details”.  It is bogus information, but it makes you feel better about giving me details you wouldn’t normally share…

Some of these details Facebook encourage setting better permissions on, but even with these ‘security checkups’ often the details are already leaked or are available to ‘Friends of Friends’… A study a while ago found most people in the world are 7 people away. What that means is if you go down 5 levels of ‘Friends of Friends’ (ie “Friends of Friends of Friends of Friends of Friends of Friends”) you will be linked to most people in the world