Research

As I sit down to write the last Incite of the year I cannot help but be retrospective. How will I remember 2013? It has been a year of ups and downs. Pretty much like every year. I set out to prove some hypotheses I had at the beginning of the year, and I did. I let some opportunities pass by and I didn’t execute on others. Pretty much like every year. I had low lows and very high highs. Pretty much like every year. I have gotten introspective over the second half of this year. And that’s been reflected in my weekly missives. It’s been a period of learning and evaluation for me. Of coming to grips with who I really am, what I like to do, and what I want to be in the next stage of my life. Of course there are no real answers to such existential questions, but it’s about learning to live in a way that is modest, sustainable, and kind. As I look back, the most important thing I have learned this year is to flow. I spent so many years fighting against myself, pushing to be in a place I wasn’t ready for, and to meet unrealistic expectations for achievement. It has been a process but I have let go of those expectations and made a concerted effort to Live Right Now. And that’s a great thing. The mental lever that flipped was actually a pretty simple analogy. It’s about being in the river. Sometimes the current is slow and you just float along. You are still moving, but at an easy pace. Those are the times to look around, enjoy the scenery, and catch your breath. Because inevitably somewhere further down river you’ll hit rapids. Things accelerate and you have no choice but to keep focused on what’s right in front of you. You have to hold on, avoid the rocks, and navigate safely through. Then you look up and things calm down. You have an opportunity at that point to maybe wash up on the shore and take a rest. Or go in a different direction. But trying to slow things down in the rapids doesn’t work very well. And trying to speed things up in a slow current doesn’t work any better. Appreciate the pace and flow with it. Simple, right? It’s like being in quicksand. You can’t fight against it or you’ll sink. It’s totally unnatural, but you have to just relax and trust that your natural buoyancy will keep you afloat in the denser sand. Resist and struggle and you’ll sink. Accept the situation, don’t react abruptly or unthinkingly, and you have a chance. Yup, a lot like life. So in 2013 I have learned about the importance of flowing with my life. Appreciate the slow times and prepare for the rapids. Like everything else, easy to say but challenging to do consistently. But life seems to give us plenty of opportunities to practice. At least mine does. Onward to 2014. From the Securosis clan to yours, have a happy holiday, and the Incite will return on January 8. –Mike Photo credit: “Flow” originally uploaded by Yogendra Joshi Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. What CISOs Need to Know about Cloud Computing Adapting Security for Cloud Computing How the Cloud is Different for Security Introduction Defending Against Application Denial of Service Building Protections In Abusing Application Logic Attacking the Application Stack Newly Published Papers Security Awareness Training Evolution Firewall Management Essentials Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U The two sides of predictions: It’s entertaining when Martin McKeay gets all fired up about something. Here he rails against the year end prediction machine and advises folks to just say ‘no’ to their marketing teams when asked to provide these predictions. Like that’s an option. Tech pubs need fodder to post (to drive page views) and marketing folks need press hits to keep their VPs and CEOs happy. Accept it. But here’s the deal: security practitioners need to make predictions continuously. They predict whether their controls are sufficient given the attacks they expect. Whether the skills of their people will hold up under fire. Whether that new application will end up providing easy access for adversaries into the inner sanctum of the data center. It’s true that press friendly predictions have little accountability, but the predictions of practitioners have real ramifications, pretty much every day. So I agree with Martin that those year-end predictions are useless. But prediction is a key aspect of every business function, including security… – MR The Most Wonderful Time of the Year: This time of year it’s really easy for me to skim security news and articles. All I need to do is skip anything with the words ‘Prediction’ or ‘Top Tips’ in the title, and I can cull 95% of the holiday reading poop-hose. But for whatever reason I was slumming on Network World and saw Top Tips for Keeping Your Data Safe on The Cloud, an article directed at the mass market rather than not corporate users. Rather than mock, in my merry mood, I’ll go one better: I can summarize this advice into one simple actionable item. If you have sensitive data that you don’t want viewed when your cloud provider is hacked, encrypt it before you send it there. Simple. Effective. And now it’s time for me to make sure I have followed my own advice: Happy Holidays! – AL Sync and you could be sunk: Cool research on the Tripwire

I’m pretty lucky – my most recent memories of a long commute were back in 1988, when I worked in NYC during my engineering co-op in college. It was miserable. Car to bus to train, and then walk a couple blocks through midtown to the office. It made me old when I was young. I only did it for 6 months, and I can’t imagine the toll it takes on folks who do it every day for decades. Today you can be kind of productive while commuting, which is different than in the late 80s. There are podcasts and books on tape, and if you take aboveground public transportation, you can get network connectivity and bang through your email and social media updates before you even get to the office. But it still takes a toll. Time is not your own. You are at the mercy of traffic or mass transit system efficiency. I was recently traveling to see some clients (and doing some end-of-year strategy sessions), and the first day it took me over 90 minutes to go 35 miles. For some reason I actually left enough time to get there and didn’t screw up my day by being late for my first meeting. Getting back to my hotel for a dinner meeting took another hour. I was productive, making calls and the like. And amazingly enough, I didn’t get pissy about the traffic or the idiocy I saw on the roads. I had nowhere else to be, so it was fine. The next day was more of the same. I was able to leave after the worst of rush hour, but it still took me 65 minutes to go 40 miles. A lot of that was stop and go. I started playing my mental games, pretending the highway was a football field and looking for openings to squeeze through. Then I revisited my plans for world domination. Then I went back in time to remember some of my favorite football games. Then I got around to preparing for the meeting a bit. So again, I didn’t waste the time, but I don’t commute very often at all. So when I was on my way to the airport Monday morning again, and it took me 65 minutes to get there, I was running out of things to think about. 3 long commutes in less than a week took its toll. How many times can you take over the world? How many meetings can you mentally prepare for, knowing whatever I decide to do will be gone from my frontal cortex before I board the plane? Then I revisited my unwritten spy thriller novel. The plot still needs work, especially because I forgot all the great ideas I had during the commute. Ephemeral thoughts for the win. So when my father in law expressed a desire to stop commuting into Washington DC and move to an office closer to his home we were very supportive. Not just because he really shouldn’t be driving anywhere (he is 80 años, after all), but also he seems to have finally realized that he could have been talking to clients during the 60-90 minutes he spent in the car each way every day for the past 35 years. I’m decent at math, but I’m not going to do that calculation and I’m certainly not going to put a dollar figure on an opportunity cost comparable to the GDP of a small Central American nation. Which means the next time my biggest morning decision is which coffee shop to set up at for the day, I will be grateful that I have the flexibility to spend my time working. Not commuting. -Mike Photo credit: “Traffic in Brisbane” originally uploaded by Simon Forsyth Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. What CISOs Need to Know about Cloud Computing Adapting Security for Cloud Computing How the Cloud is Different for Security Introduction Defending Against Application Denial of Service Building Protections In Abusing Application Logic Attacking the Application Stack Newly Published Papers Security Awareness Training Evolution Firewall Management Essentials Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U It comes down to trust: In the world of encryption we try to use advanced math to prove or disprove the effectiveness of ciphers, entropy collection, and the generation of pseudo-random numbers. But in some cases you simply cannot know the unknown, so it comes down to trust, which is why I think the developers of FreeBSD removing “RDRAND” and “Padlock” pseudo-random number generation (PRNG) facilities – provided by Intel and VIA respectively – is a good idea. There is concern that these routines might not free of NSA adaptation. Even better, they chose Yarrow as a replacement – a PRNG which John Kelsey and Bruce Schneier designed specifically because they neither trusted other PRNGs nor could find one that provided good randomness. Yarrow, like Blowfish, is an effective and trustworthy choice. Bravo! – AL Doing the web app two-step: I’m a big fan of 2FA (two factor authentication), especially for key web apps where I store stuff I’d rather not see on WikiLeaks. Like anything I have access to would be interesting to the conspiracy crowd, but let me dream, would ya? So I was pretty early to use Google’s 2FA for Apps, and at this point I have it set up on Twitter, Facebook, and Evernote. Why not? It’s easy, it works, and it makes it quite a bit harder for someone who isn’t me to access my accounts. But there is a

One of our esteemed colleagues to the North, Dave Lewis, summed up a danger in almost everything in his recent CSO post, We need to be uncomfortable. Dave talks about realizing he could check out of a job and no one would notice, and how he knew it was time to find the next challenge. He’s right. The builders give way to the maintainers. Not that there is anything wrong with that per se. What I have seen happen in a few organizations is that they get used to doing things a very specific way and are not typically seen to think beyond the confines of their box. They have their infrastructure and governance framework to operate within and not a whole lot of incentive to approach things differently. They had become comfortable. Complacency kills innovation. It kills forward motion. If you are in a role for too long and you get too good at it, you can check out. That kills your motivation. And that’s fine for some folks. As Dave says, some people are maintainers. At the other end of that scale are builders. If you want any chance to be happy in this life, you had better know where you lie on that continuum. You put a builder into a maintainer role, and the dental treatment from Marathon Man would be a walk in the park. Likewise, you put a maintainer into a builder role and they quickly get paralyzed. So what to do? Embrace who you are and act accordingly. I learned that security teams cannot sit on their laurels and enjoy the ride. We as security practitioners as well as at an organizational level need to be uncomfortable. Let me explain what I mean. If your security practice or even you yourself have become stuck in a rut there needs to be a change. Whether that is moving on to a new job or simply reviewing the way security is being managed in the organization it should be clear that inertia kills. I’ll differ a little because I don’t think sitting on laurels and enjoying the ride are mutually exclusive. The role of building and improving and optimizing provides tremendous enjoyment for a guy like me. Whereas some folks fall in the opposite camp and sitting on their laurels is the ride. But Dave is right. If you are miscast in your current role you need to get back to who you are and what you do. Or it will get messy. You have to trust me on that one. So why did I call this post Poor Man’s Immortality? I know you are wondering. One of my mentors taught me that comfort can be viewed as a poor man’s immortality. Comfort intimates the desire for things to say the same to achieve a form of immortality. I’m not interested in that. As I look back, I live for the discomfort. That’s not a choice for everyone, but it is for me. And evidently for Dave as well. Share:

The methods by which applications and supporting infrastructure are developed and deployed are undergoing fundamental change. Avoiding the predictable hyperbole, new methods including DevOps and Cloud Computing promise to disrupt most of IT over the next 5-10 years. But embedded infrastructure and legacy applications are not going away. IT professionals need to walk a fine line between delivering critical services at the lowest price for acceptable performance, and doing it quickly and reliably. As usual, security is at the end of the tail being wagged. It’s hard enough to get developers to run a security scan on their code before it’s deployed into production. The idea of integrating security into these integrated development and operational processes (something Rich calls ‘SecOps’) seems like a pipe dream. It may be a dream today, but it needs to become reality sooner rather than later. IT has little choice. Adversaries continue to innovate and improve their tactics at an unprecedented rate. They have clear missions, typically involving exfiltrating critical information or impacting the availability of your technology resources. They have the patience and resources to achieve their missions by any means necessary. And it’s your job to make sure deployment of new IT resources doesn’t introduce unnecessary risk. With this need to move faster and to have more agile infrastructure, it is increasingly difficult to ensure proper testing for infrastructure and applications before they go live. You have all heard the excuses that emerge when something goes wrong with a deployment. We didn’t hit it with that much traffic. We didn’t get around to testing those edge cases. The application wasn’t designed to do that. Ho hum. Just another day in the office, and it’s security’s problem when the new application is compromised, data is lost, or the application falls over under the onslaught of a denial of service attack. It doesn’t need to be this way. Really – it doesn’t. Although in light of common experience, many security folks don’t believe this. The root cause of these issues is surprise. That’s right – when an application goes live (or a major change goes into production), you don’t really know what is about to happen, do you? You haven’t been through a rigorous process to ensure the application (and its infrastructure) is ready for prime time. And calling the application ‘Beta’ won’t save you. If the application has access to critical (regulated) information and is accessible – whether internally or externally – a security mindset is required, along with a way to put the application through its paces. As I wrote in the Pragmatic CSO, Basically you are trying to eliminate surprises. So by doing a full battery of tests before the new system is deployed, you reduce the likelihood that you are missing something that you’ll learn about later – the hard way. Technological disruption is not about to stop. If anything it will accelerate, so we need to get over our idea of a discrete security function maybe doing some testing and/or risk assessment at the tail end of a project. So what can and should security folks do? And how can they get both the development and operations teams on board with the necessary changes to ensure the protection and survivability of the application? To prevent surprise we suggest a security assurance and testing process for ensuring the environment is ready to cope with real traffic and real attacks. This goes well beyond what development organizations typically do to ‘test’ their applications, or ops does to ‘test’ their stacks. It also is different than a risk assessment or a manual pen test. Those “point in time” assessments look at what can happen but aren’t necessarily comprehensive. The testers may find a bunch of issues but not all the issues. So remediation decisions are made with incomplete information about the true attack surface of infrastructure and applications. So that is the topic of our next blog series, titled Eliminating Surprises with Security Assurance and Testing. We will dig into this process, discussing which devices and infrastructure components to test and how to consistently and reliable ensure you are testing the key functions. We will also focus on assuring the readiness and resilience of applications because they are often the path of least resistance for attacks. We would like to thank Ixia for agreeing to potentially license this content at the end of blog series. We will be developing it objectively, using our Totally Transparent Research methodology. We can provide this research to you at this most excellent price because our clients support our unconventional research model. Remember – your adversaries don’t need to hit an arbitrary deadline. They will take the time needed to find the chinks in your armor. Maybe it’s within the application, maybe it’s within the computing stack, maybe it’s the underlying equipment that gets data from one place to another. You can’t eliminate all the defects and security holes in your environment. But you can find out what they are and put a plan together to protect your environment. Deploying a security assurance and testing process to do just that is what this new series is all about. Share:

My friend Shimmy must have taken his nostalgia pills over the long weekend – on Monday he tweeted: Doesn’t it suck getting older I didn’t realize how truly carefree life was All is good here thinking about some new stuff Besides the fact that it’s Twitter-english (half sentences/thoughts to fit into 140 characters, punctuation not required), I disagree with that sentiment. I don’t think it sucks getting older. Aging is awesome. I’m not sure I would recognize my 24-year old self if I ran into him on the street. If I take a rare moment to reflect, almost every aspect of my life is better now. My main gripe is that my body is 20 years older, so my knees ache from time to time and it takes me a bit longer to kick a hangover. But on the list of potential issues, those are pretty minor. There is nothing saying that a carefree life is a better life. Or maybe I just never had a carefree life. When I was younger I was always striving. I had a timetable for success and wanted to hit my dates. A few years ago I dropped the timetable. I could do that because I changed my view of success, which is still evolving as I learn more about myself and what I’m really about. To be fair, there are Saturdays I would like to stay in bed until 2pm like I did 20 years ago. And there was something liberating about fitting pretty much all my possessions into a duffle bag or two. I had nothing to lose. But I don’t buy into the notion that having responsibilities (family, kids, expenses) is worse. In fact all I could think about when I had no responsibilities was my timetable to gain them. I searched for a partner and found the Boss. I worked hard at a number of jobs and then stumbled into research. Same old story. Lots of folks think the grass was greener in the past. Or will be greener in the future. They would rather be anywhere else but here. Any other time but now. Which is a shame. All we have is right now. The past is gone. The future hasn’t happened yet. What I want to do is enjoy the time I have, as long as it lasts. To age gracefully like a good single malt (and I don’t even like scotch). To leverage my experience and help people improve. To connect those I value to resources or knowledge I can access. Just thinking about it gets me fired up about the road ahead. But I shouldn’t beat Shimmy up too badly – he got it right in the last part of his tweet. All is good here. It sure is, brother. I wouldn’t trade my experiences, which have been a critical part of the journey. As I said in Live Right Now: “You could choose to live in the past. We need to be respectful of history, and learn the lessons of those that came before us.” I also said, “Think to the future not in fear and worry, but in hope and grace.” I’m choosing to live right now because I am finally old enough to appreciate the challenges of the alternatives. As Steve Jobs would say, this approach allows you to “Stay Hungry. Stay Foolish.” Which seems pretty carefree to me… –Mike Photo credit: “The Maltman Bowmore 21 Years” originally uploaded by Sven Cipido Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. What CISOs Need to Know about Cloud Computing Adapting Security for Cloud Computing How the Cloud is Different for Security Introduction Defending Against Application Denial of Service Building Protections In Abusing Application Logic Attacking the Application Stack Newly Published Papers Security Awareness Training Evolution Firewall Management Essentials Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U Staying focused on the prize: Our pal Wendy posted another terrific rant before the holiday. This time on user feedback in applications. In What’s my name? No, really, what is it?, she talks about how pen testers always gave her a hard time about the feedback given by the login process. With that information, the attacker could infer user IDs, etc. Wendy points out that is by design – if users cannot remember their user names they call the help desk. When they call the help desk it costs money or takes folks away from more important tasks. So yes, you need to balance the obscurity required to make it harder on attackers against the downside of making it harder for legitimate users. Which do you choose? Thought so. She closes with: “If your system can’t withstand attacks by someone who knows a valid username or email address, then you have MUCH bigger problems to solve.” Wendy drops the mic and goes home. – MR Super-unrelated: The PCI DSS 3.0 requirement that firms map the flow of payment card data is really nothing new – identifying what systems contain cardholder data has been part of every DSS specification since the beginning. Mapping the data flow and showing which users and applications have access to that data simply provides a clearer picture of how that data is used so you understand how best to safeguard it. For threat modeling this type of diagram is a must! The key is that it makes the assessor’s job easier to have a map of the systems in scope and subject to review. That does not address the flaw Troy Leach identifies: unknown and unsecured cardholder storage locations

  They say it is better to be lucky than good. I seem to test that theory on a daily basis. Just yesterday I ranted about the need for multi-layer DoS defenses, mostly by poking at a Prolexic white paper advocating the opposite. I alluded to the reality that most customers wouldn’t run all their traffic through a scrubbing center, so they need on-premise defenses as well (so a multi-layer system). What I didn’t specifically say is that if all traffic runs through a processing center, a customer could get pretty full DoS protection. Then Akamai went and bought Prolexic for $370MM in cash, basically to test that concept. The combined entity can (at least on paper) offer DoS protection against both volumetric and application-layer attacks as part of a single service, as long as (and tis is the big qualifier) all traffic is running through the provider… which is Akamai’s normal mode of operation, and fits well with their pricing model. The deal makes sense for perspective both parties. Prolexic gets a parent with deep pockets, which is critical when you need to keep pace with ever-increasing bandwidth available to ever-increasing millions of compromised devices being used as DoS artillery. Prolexic’s investors get out at a reported 7-8x sales multiple, which is generous for a business with significant infrastructure and bandwidth costs impacting profitability. Akamai gets a blue-chip customer base of large enterprises who get hammered by DoS attacks daily. They get some sales folks (hopefully the ones who stay) who understand security. They also get some research, response processes, and know-how to supplement their existing in-house capabilities. Akamai has struggled to make inroads in the security business, so clearly this adds significant momentum and some credibility. They also get to leverage their existing global network as the underlying infrastructure for Prolexic’s services. That takes one of the huge costs of running a DoS service provider – bandwidth – out of the mix. Not that Akamai gets free bandwidth. But given the size of their CDN networks, Prolexic’s bandwidth requirements should be a drop in the bucket. Maybe not even that… Of course I add my usual caveat that even the best paper deals all come down to execution in the end. There are countless ways Akamai could bungle this deal and squander the hammerlock they just bought in enterprise DoS mitigation services. But on the surface this deal makes perfect sense – which is rare for security deals lately. Photo credit: “bath time for pandas” originally uploaded by Second Life Resident Torley Share:

  I guess I shouldn’t be surprised by highly biased marketing campaigns providing bad advice to customers. Normally I let it go (yes, Zen Mike is usually in the house), but not today. I saw Prolexic’s Why a Multi-Layered Security Strategy is Not Ideal for DDoS Mitigation campaign and was a bit perplexed, especially by one statement: The typical IT advice of using multiple tiers of security to build the best defense for protecting networks does not apply to distributed denial of service (DDoS) mitigation. Wrong. As I described in our Defending Against Denial of Service Attacks paper (and the subsequent AppDoS series), attackers use multiple tactics to impact the availability of your applications. So you need to think about how you will deal with volumetric and application-layer attacks. I read Prolexic’s white paper, and I will never get that 15 minutes back. But their main point is that coordinating among many vendors and/or service providers is challenging. So you should use one provider who can do it all. They are correct that it’s hard to coordinate multiple controls across multiple vendors. But isn’t that what security folks do? Oh, you want an Easy Button for security? Good luck with that. Here’s what Prolexic didn’t mention in their paper. They didn’t say that in order to get protection from both network and application-layer attacks, you need to route all your traffic through their network. All of it. All the time. If you wait until you are being blasted or your applications fall down, it’s too late. They don’t mention that increased cost. Of course not – it would make their pitch much less attractive. I am the first to push for simplicity rather than complexity. But the trade-offs need to be disclosed. In this case it is the cost of paying for all your bandwidth going through a service provider. Anyhow, I said my piece. Now I’ll let it go… Photo credit: “cute but wrong” originally uploaded by Gerard Stolk Share:

  Actually, things mostly don’t change. We talk a lot about the dynamic threatscape, advanced attacks, and all sorts of other things that make us feel special. But most of the same tactics that have been owning people and technology for decades are still in play. The mass market doesn’t learn, so they repeat history – over and over and over again. Roger Thompson makes this point on a recent ICSA blog post on Cryptolocker. He reiterates the directions he (and probably the rest of you) have been giving folks for a long time. I told her that Cryptolocker was indeed real and is the criminal’s monetization scheme-du-jour. While it is a real pain if you got nailed by it, basic security practices would keep you perfectly safe. I enumerated those practices for her, and, although we were communicating by typing in a chat program, I could almost hear her smile as she said, “That’s the same advice from twenty years ago.” I realized she was right. The practices are right out of the simple security handbook. You know, things like patching (not just MSFT software nowadays), don’t open unexpected attachments, don’t use admin rights (when you don’t need to), and back up your stuff. Simple. But not many people really do this stuff. And that’s why advanced attackers are only as advanced as they need to be. To be clear, as Roger says, if you are targeted by a truly sophisticated adversary, these simple practices won’t do much. But most of the world isn’t in that situation – fortunately. So getting better at the fundamentals still matters in security. And probably always will. Photo credit: “Dancing Dummy” originally uploaded by Dave Hogg Share:

This should be no surprise because I just pounded through all the posts and put the paper up on GitHub for open review. As of today I am happy to launch the official exec-friendly white paper version of the Executive Guide to Pragmatic Network Security Management. There is a landing page, or you can go directly to the PDF. As a reminder, this paper focuses on managing your network security program – not a particular appliance or tool. It targets those of you with larger or more complex networks – or, really, anyone struggling to manage network security from a big picture perspective. I would like to thank RedSeal Networks for licensing the paper, which is how we get to publish these things for free. Share:

  Dell SecureWorks CTU published a cool research report published today. Joe Stewart and David Shear dug into the marketplace of attackers and found that the market for attack products, tools, and services is thriving. Here are a couple of their more interesting findings: Bank account number with online credentials ($70-130K in account): $300 or less 15,000 infected computer botnet: $250 DDoS attacks: $3-5 per hour; $90-100 per day Exploit kit subscription: $1,500 per year That’s pretty short money for those kinds of services, no? We are dealing with market forces, which means there is plenty of inventory. Yup, lots of credit cards, bank accounts, and bots out there waiting to be used. You know, supply and demand for the win. At least the computer crime folks haven’t screwed with the laws of economics. Not yet, anyway. Photo credit: “Dig for Victory 33” originally uploaded by Aidan “Trig” Brooks Share: