The Security Samurai

Open Letter to Verizon Wireless

Eric Marvets — Mon, 25 Aug 2008 15:43:00 GMT

After receiving no support from agents at the Verizon Wireless store or by agents on the phone, I decided to write them and make it an open letter. It’s no secret that Verizon has a great network, but it’s also no secret that their phone selection stinks. I don’t want to leave them and am hoping that whatever little bad press I can cause will encourage them to resolve the issue. If not, I’m tapping out. For 3 years I have hated my phone and loved their network. I’m ready to feel mediocre about both. Here it goes:

I am currently without a phone and would appreciate a speedy reply.

I have been a Verizon Wireless customer for over 5 years and my monthly bill easily averages over $200 during that time frame. While I love your network, I have been completely unsatisfied by your selection of phones. It is a stretch to say that my last phone worked—it had a feature called a battery that allowed me to switch from the car charger to my office charger without dying. And I waited—under duress—until I was allowed to purchase a new phone with the discount.

My current phone has a wonderful battery life, but this is the 4th time the charger has snapped off in the phone. The phone is fine, but I keep paying $30 for new chargers. I refuse to purchase another or wait until February when I will be eligible for a new phone. You sold a phone with a design flaw, and I’m not even asking for a refund or a free phone. Just allow me to take a chance on a new one at the 2 year contract renewal rate.

If not, I will gladly pay the early termination fee and leave Verizon. On general principle, I will spend more money canceling my account with you than I would likely receive as a discount on a new phone. As a customer, I consider it unacceptable that you sell inferior phones and leave me with no recourse.

The first time I waited haplessly to become eligible for a new phone. I will not suffer a second time. If you don’t like the fact that you will end up losing money by allowing me to purchase a new phone early, I suggest you take it up your vendors who supply you with awful products. I can promise you that we will both lose more money if you don’t.

Sincerely,

Eric Marvets

What Does ‘SHA1 is Broken’ Mean?

Eric Marvets — Wed, 12 Dec 2007 07:35:00 GMT

For those of you Slashdot readers out there, you may have heard by now that ‘SHA1 is broken’. Recently I did some security videos for Microsoft, and decided that SHA1 was the best hash function for the example (modifying an existing application to store hashed passwords).

The videos I did were part of the “How Do I” series, and not exactly the place to explain why it was appropriate to use SHA1. But for those of you looking to understand the why behind the example, I’ll take a few minutes to explain it.

What exactly is SHA1?

SHA1 is a hashing algorithm, also known as a one way function. A one way function is where given any value of x, it is easy to find f(x), but given f(x) it is unrealistic to find x. One way functions allow us to take a ‘fingerprint’ of data without storing the data itself. In a password scheme, instead of storing a user’s password (x) we instead store a hash of the password (f(x)). Later when the user wants to login, he again supplies a password which we hash and compare against our stored value.

It’s also useful for ensuring the integrity of data. When a message is sent over an unsecured channel, a hash of the message can also be used to check the message once it reaches its destination. If the message does not match the hash, then we assume it was modified in transit.

Designed Strength of SHA1

When we hash data, the range of values for x is infinite. The hash on the other hand is a fixed size. Therefore, for each value in the range of our hash, there are an infinite number of possible values for x.

This range of possible values determines the odds of guessing a value x to match a known value f(x). If the size of the hash value was 2¹, there would be a 50/50 chance that the valued guessed would match our known f(x). That’s why SHA1 utilizes a very large hash size of 2160. To put that in perspective, the Earth is composed of 2170 atoms. It’s computationally unrealistic that anyone would be able to beat those one in 2160 odds to find a value x which matches our known value f(x) (with today’s technology).

The Birthday Paradox

Some of you may be asking yourself, “but I read on Wikipedia that SHA1 has a strength of 280?” This is true, but to understand why, we will first look at the birthday paradox.

How many people must be in a room before the odds are even that one of them shares your birthday?

How many people must be in a room before the odds are even that two of them share the same birthday?

In the first question, we are looking to match a specific value, while in the second we were just looking for any 2 matches. The answers are 253 and 23. The reason for the difference is that between the 23 people, there are 253 unique combinations. In one way functions, this is the difference between finding what we call a pre-image value versus a collision.

The reason we say the strength of SHA1 is 280, is because we are talking about finding collisions (any two values for x with the same f(x)). When we are hashing passwords, we are asking the person logging in to match a specific f(x), and the strength of SHA1 in that situation would be 2160.

The Current Strength of SHA1

The analysis of SHA1 shows that collisions were found in 263. It’s now becoming computationally feasible to find two values of x that match an f(x). It’s still short of being probable that those two matches found would allow an attacker to compromise an encryption system, but the worry is that SHA1’s strength will continue to decline.

Until the strength of SHA1 drops to 240, it is still a valid way to protect against pre-image attacks.

Why Did I Choose SHA1?

In addition to SHA1 being secure in the example, there were a couple of other reasons I choose to use it instead of something like SHA256 (2256). The first reason was that in the example, I was showing how to modify an existing application, by simply changing the value in the password field from a password to the base64 string representation of the hash, which is 28 characters in length (for SHA256, it would be 44 characters). If the database allowed passwords that size, then it’s trivial to add support for hashing.

The other reason is that there are far easier ways of attacking a password field than targeting SHA1. An offline dictionary attack against the users’ passwords is several orders of magnitude easier. SHA1 protects the hash against brute force attacks. It does nothing to protect a user who chooses a poor password.

A system is only as strong as its weakest link.

-Eric Marvets

The Pwnie Awards

Eric Marvets — Mon, 10 Sep 2007 04:21:00 GMT

I just found the Pwnie Awards. It’s a great concept. They accept nomination and then give awards to “celebrat[e] (or make fun of) the achievements and failures of security researchers and the wider security community.”

They give awards in the following categories:

· Best Server-Side Bug

· Best Client-Side Bug

· Mass 0wnage

· Most Innovative Research

· Lamest Vendor Response

· Most Overhyped Bug

· Best Song

Presenting at the Connecticut Developers Group August 28th

Eric Marvets — Wed, 22 Aug 2007 13:20:00 GMT

If anyone in the Connecticut is interested, I will be doing a presentation entitled Applied Cryptography on August 28^th. It’s similar to the presentation I used to do (Block Ciphers and Initialization Vectors) only I’ve expanded its scope a little.

I changed the presentation slightly and am trying to turn it into a dnrTV episode with Cark Franklin (who will also be in attendance). Hope to see you there.

-Eric Marvets

DRM Scorecard Makes Me Wonder: The Media Industry and the TSA, Sadistic or Incompetent?

Eric Marvets — Thu, 02 Aug 2007 08:19:00 GMT

Back in March, I posted about the media industry and the BORA principle, or break once, run anywhere. Info week has a DRM scorecard where the box score reads Hackers 1000, Industry 0.

This all goes back to the simple fact that all DRM is based on encryption, and that it’s illogical to give someone the decryption key that is required to enable what the media industry views as authorized behavior (media playback) without expecting someone else to utilize that decryption key for other behavior, such as making Fair Use backups or sharing it on a P2P network.

Encryption is defined as the science and study of secret writing. What is it that the media industry is trying to keep secret? While we may want I Now Pronounce You Chuck and Larry and Who’s Your Caddy to be some sort of secret internal referendum on the crap the entertainment industry regularly produces, we have to assume from their actions (theater release inevitably followed by mass DVD production) that they are proud of their works and wish to share them with the entire world.

They worried about piracy with VHS, and it turns out that may have in fact saved Disney and launched an entire consumer market for home video. They worried about it with DVD’s, which have brought in billions of dollars to the media industry despite the fact that CSS was broken in 1999. Their fear and illogical behavior impedes and irritates their consumers while having absolutely no effect on the spread of piracy (which they could easily defeat should they ever focus on the simple economics and technology of the pirating industry).

I would be happier if the media industry and the TSA were sadistic rather than incompetent. It would be comical to see these two groups meeting for the first time over drinks trying to one up each other:

“We made a list comprised of thousands of names. If you fly and your name is even remotely similar to one on the list, we do extra searches…every time you fly….over and over again. The kicker is we let anyone with Photoshop and a printer board under any name they want.”

“Oh yeah, well we sell malleable $.05 pieces of plastic for $20 and when it gets scratched or stolen, we force them to buy a new one because we don’t allow them to make backups. Even though anyone with technical skillz can download the same thing for free.”

“Oh yeah, well we found a way to make people who can’t even change at the gym without flip flops walk around barefoot in public. We tell them we’re screening for bombs and they just go with it. The terrorist can still strap whatever they need to their leg, just not their shoes.”

“We installed rootkits on people’s PC without their knowledge.”

“We banned water and baby food.”

“We sue the people who love our products the most.”

“We detain babies.”

“We…damn you! Stop playing the baby card, that’s not fair!”

No More Comments

Eric Marvets — Fri, 27 Jul 2007 18:09:00 GMT

I've left the comments feature enabled on my blog despite the majority of entries being spam. But it just seems silly anymore. The number of valid comments pales in comparison to the number of spam messages so I'm just going to turn it off. I wish I had the time to add some sort of captcha function and will look at adding it in the future.

I still encourage you to send me comments via the contact form. I will now edit posts to include any comments I receive. If you need to send me a link, do not format it as HTML and leave off the “http://” (those message will get blocked). I will format it correctly when it's posted.

Thanks,

Eric Marvets

Encryption Presentation - .NET Developers Group - NYC Microsoft Offices - June 21st

Eric Marvets — Mon, 02 Apr 2007 06:46:00 GMT

For those of you in NYC or the surrounding area, I will be doing a presentation on encryption at the .NET Developers Group on Thursday, June 21, 2007. It’s a similar presentation to the one I’ve done for a number of user groups in the Southeast. I made this presentation as a response to the flood of online code snippets for encrypting data. While they are all fairly easy to use, they don’t explain what they do and often developers think their data is more secure than it actually is.

During the presentation, we’ll quickly cover some high level encryption basics (asymmetric, symmetric, and one way hashes), but will spend most of our time dealing with symmetric encryption; namely how and why you configure a symmetric algorithm to encrypt the data (ECB vs. CBC). By the end of the session, you’ll finally understand what an initialization vector (IV) is used for and the proper way to create and store it.

Don’t worry if you don’t understand what half of that meant. I’ll be sure to explain everything as we go along.

You can also find a fair amount of the content from the presentation here in an article I wrote a while back.

When Will the Media Industry Embrace the BORA Principle?

Eric Marvets — Thu, 22 Mar 2007 10:06:00 GMT

I was reading the WSJ this morning and came across an op-ed piece entitled “Congress Must Make Clear Copyright Laws to Protect Consumers” written by Walter S. Mossberg. I enjoyed the article and especially liked his fair use comparison between print and video (you can reprint a small section of a publication in another without permission, yet you can’t post a short clip of the “Daily Show” on YouTube). The one issue I had with his article was referring to Apple’s FairPlay as a “DRM system for music that has worked” (it’s not the DRM, but rather the void in the marketplace that made Apple successful).

While I would love for Congress to fix our copyright laws, I regard the notion as fantasy. They don’t appear capable of fixing any complicated issue and tend to muddy the waters making any situation worse off than when they began. Secondly, the media industry will either collapse under the weight of their archaic business model or realize the impossibility of DRM and move in another direction. Either of which nullifies the issue.

DRM is impossible due to the fact that it falls under the BORA (break once run anywhere) principle. This principle is understood thoroughly by those of us in the security industry. When analyzing a threat, if it’s determined that an entity could be compromised once and then be exploited globally, you are faced with two choices: restrict access to the entity by limiting and hardening access points or decrease the exploitability of the entity once compromised.

Many industries have fought BORA, which is akin to fighting gravity. I can think of three this morning, namely the software, credit card, and media industries. It’s infuriating to think of all the revenue lost and the exorbitant externalities bore by an unassuming public all because these industries couldn’t understand simple logic. This is especially true when the solution requires only a trivial leap of faith.

The credit card industry is by far the clearest example of an industry that came to terms with the BORA principle. Quite frankly, they delayed the success of ecommerce by about 5 years. I’ll even go so far as to say that we would not have had a dotcom bubble if not for their foolishness.

In 1992, credit card fraud was at its peak (15.7 cents per $100 charged) due to fraudsters becoming more advanced. The internet allowed people with similar interests who would have never came into contact in the physical world to find one another digitally. Fraudsters were able to share information and increase the sophistication of scams long before e-commerce was a reality.

Faced with a bleak economic picture, the credit card industry became paralyzed by fear as they imagined credit card numbers floating unprotected through cyber space. For 6 years their agenda was to spread fear in the hopes consumers (and brick and mortar retailers) wouldn’t embrace ecommerce until they created a process by which credit card numbers couldn’t be stolen online.

Their fear clouded their ability to approach the problem logically. If a credit card can easily be cloned by your waiter at a restaurant, then why protect the same card during an online transaction? Or better yet, why protect individual transactions while every brick and mortar retailer has a record of each credit card used for purchases? As a criminal you target the warehouse, the delivery truck, the retailer, but never a single customer.

The history of ecommerce between 1992 through 1997 is fairly interesting and comical. The failure to realize what seems obvious today is not the fault of a single company. There were over 30 dotcom companies that were created during this period, all vying to be the payment processor for not only the web, but literally the future. In 1994, Visa and MasterCard turned to Microsoft and Netscape, respectively, for solutions. As any company would, these tech giants devised schemes that benefited them rather than serve the needs of their clients.

Fortunately for Visa and MasterCard, CNP (card not present) transactions were already allowed for mail order catalog purchases. Despite their fear campaign and merchant agreements that left stores 100% liable for fraud, companies like Amazon accepted the increased risk and allowed the credit card industry to ultimately be successful. By 1998, Visa’s sales volume had tripled which cut fraud as a percentage nearly in half.

Credit cards went from being used for credit to being used for convenience (what they were originally designed for in the 1950’s when the banking system was fractured). This was a massive shift in the financial industry. Comparing one’s own experiences in the checkout line at a grocery store in 1992 and 2002 tells the story. It went from checks and cash to plastic. Even the stigma of credit cards is completely different today. College students can’t survive without credit cards, a far cry from when they were counseled not to have one.

With this shift, credit card companies began focusing on preventing fraudulent transactions. By using two sets of data, one for CNP and the other for in-store transactions, they were able to prevent cards that were cloned from being used on the web, and card numbers stolen on the web from being used in person. The other advent was address verification, which among other things allowed retailers (who are liable for fraud) to prevent highly liquid assets from being shipped to any address other than where the statements are delivered.

They then began to promote ecommerce as if they never said anything bad about it in the first place. Consumers were given zero fraud guarantees which created a perception of little to no risk. It wasn’t long before traditional brick and mortar retailers rushed to the web, displacing overnight dotcom sensations which lacked feasible business models. Finally in 2003, we were at point that could have been accomplished in 1998.

There are many parallels between what the credit card industry went through and where the media industry finds itself today. Instead of focusing on preventing the Fair Use of their content, they should instead deliver it through open mediums creating additional revenue streams while increasing the popularity of their product. Piracy can be handily defeated, not through the legal system but rather through a firm understanding of the economics of the environment.

Today, credit card companies are at the peak of their success. In 2004, the fraud rate for credit cards dropped to an all time low of 4.7 cents per $100, while setting records for volume and profits. I know for a fact the same thing can be accomplished in the media industry because I’ve studied it. All it will take is a trivial leap of faith.

-Eric Marvets

Rampant FBI Abuse of Power – Now Paperwork Free

Eric Marvets — Tue, 20 Mar 2007 23:53:00 GMT

Last week I read on Schneier’s blog about the rampant abuses of new powers granted under the Patriot Act. Today I read over on the Washington Post that the new rules from the FBI’s general counsel directs agents to use better discretion and to ditch the paperwork.

Wasn’t it the improper paperwork that led us to discover the FBI improperly obtained data? How does instructing agents to limit requests to the most dire situations, to not file follow-up paperwork (grand jury subpoena or national security letter), and to ask for the data orally fix the problem?

Here is the new process:

FBI suspects you of a crime.
FBI calls the phone/ISP/bank/etc. and asks for data under the emergency provision.
The company takes their word for it and provides the data.
FBI doesn’t have to obtain warrant and receives data without a single sheet of paperwork.

Anyone see how this could be abused? Forget judicial oversight, now they don’t even have agency oversight.

Sickening…

Month Of MySpace Bugs

Eric Marvets — Tue, 20 Mar 2007 22:46:00 GMT

I just found this little project called Month of MySpace Bugs. This should be interesting to keep an eye on. As they state, they are only picking on MySpace (they could have found similar problems in any of the poorly crafted social networking sites) because they are trying to get attention, MySpace is extremely popular to get them even more attention, and that MySpace is “notoriously dickish” in response to security issues.

Starting on April 1, they will release one MySpace hack a day. Most will center on XSS attacks and they invite anyone to send in a hack as long as you have a proof of concept. It sounds pretty light hearted and looks to be half goof, half public beating.

Polyphasic Sleep

Eric Marvets — Tue, 20 Mar 2007 21:04:00 GMT

For the past 2 months I’ve had the same problem. I can’t get more than 4.5 hours of sleep a night. I’ve tried everything. Regulating my sleep and wake time. Renouncing caffeine (something my ThinkGeek brothers would consider blasphemous). Removing the TV from the bedroom. No naps. Relaxation CDs, etc.

So after 2 months of this and more and more Google searches, I am changing my approach. I’m leaving the monophasic world and entering the polyphasic. With polyphasic sleep, you sleep for short periods multiple times a day, rather than one long sleep a day with monophasic.

There are a couple of different ways of doing it, from six 20-25 minute naps to three or four 90 minute naps. I am going to try the latter approach, which I have done in the past when I had looming deadlines on important projects. Basically I would sleep when I was tired, and as soon as I would wake up I’d go straight back to work. In other words I took a 3 hour nap at night and two 90 minute naps during the day. I never remember being tired when I was on those regiments, but I do remember being highly productive.

Once the project was over I would immediately revert back to my monophasic ways, happy to be done with whatever project I was working on. I never knew it was a way of life for some people.

From reading about it, polyphasic sleep does make sense. Almost all animals in nature exhibit polyphasic sleeping patterns. Newborns are born polyphasic sleepers and have to be taught not to take naps as they grow up. There are also studies of people who are isolated from an external environment that develop polyphasic behaviors without the sun or a clock to reinforce their traditional sleeping patterns.

So I am going to try it. I just woke up from a 90 minute nap and I’m feeling refreshed. I’ll have one caffeine drink now and will sleep for another 90 minutes when I tire. Hopefully this will help me feel more rested. I’ll report back in a few weeks to let you know how it goes, after a doctor’s checkup.

Google Changes Privacy Policy

Eric Marvets — Thu, 15 Mar 2007 08:31:00 GMT

I personally love Google and have since the first search I made 7+ years ago. I remember it clearly, I was at my first dot com gig and I made a search for some obscure technical detail. I was shocked that the first result took me to what I was looking for, and it has been my homepage ever since.

Unfortunately I’ve had to turn a blind eye to the serious privacy concerns I’ve had. The functionality they provide is so critical to my job that I have chosen to slightly alter my behavior and then proceed with indifference.

I always configure my browser to not store cookies (the number one feature to choose FireFox over IE); a practice that was instigated when I learned Google sent the same cookie from each machine when a search was made. I use Tor and Privoxy to achieve true anonymity when researching certain topics. I will never use their desktop client.

However, two pieces of good news have come out of the Googleplex in the last few months and I hope this is the start of a trend. The first story appeared mid January when it was reported that Google was resisting certain government subpoenas. With every financial transaction in the US being one step away from public record, phone companies granting the NSA unfettered access to their data, and ISPs supplying information to any ‘legitimate’ group that requests it, this is a breath of fresh air.

The second item came out yesterday on Google’s corporate blog. They announced a new log retention policy that would anonymize the data after an 18 to 24 months period unless they are legally required to retain them. They also said they would look at improving users’ privacy across the board, including services like Google Chat and Google Desktop.

This announcement was a change in corporate policy, rather than a detailed technical plan. We can probably expect the specifics in the near future. Their current stated intention is to change parts of the IP address and the cookie. Unless they completely strip the logs of the IP and cookie, then it will never truly be anonymous, but I think they will change it to the point that the data could never be used in a court of law.

It’s not perfect, but it’s better than nothing. They weren’t facing any possible government sanctions for eroding users’ privacy; in fact the exact opposite is true. They did this on their own accord. I don’t know whether to praise or expect this kind of behavior from a company whose motto is “Don’t be evil”, but for today, I say praise.

The world will be a completely different place 10 to 20 years from now. I am always infuriated by people who claim they have nothing to hide, so they have no privacy concerns. Privacy is a vital element of the human condition. I hate to imagine the political spectrum in 20 years. If they can find a drunk driving arrest from the 70’s now, what will they be able to dig up with your search, email, phone, and financial data at the fingertips of the established power base. Just because we use this data now to optimize search engines or hunt for terrorists, does not preclude malicious usage in the future, on a scale we can not imagine…

non facias malum ut inde fiat bonum

-Eric Marvets

New Anti-Cross Site Scripting Library Available

Eric Marvets — Mon, 27 Nov 2006 08:01:00 GMT

For those of you who don't know, Cross Site Scripting or XSS is when an application displays input that originated from the client. This could be a URL, cookie variables, as well as form field variables. Virtually every site is susceptible to these types of attacks, regardless of the server or client environments.

On every penetration test I have ever performed on a web application (since XSS became a known vulnerability in 2001 and was first demonstrated on a massive scale which was an attack on Microsoft, where any Hotmail user who opened an email that contained an XSS attack had their Passport credential sent to an attacker allowing for impersonation), I was able to find a XSS vulnerability.

Most people don’t consider it as significant of a threat when compared to SQL Injection or a Buffer Overflow, but a well crafted attack against the proper target can cause massive amounts of identity theft or at minimum, ruin the reputation of your company.

Last week, Microsoft released an Anti-XSS library to use in your web applications. They have a tutorial you can view here which shows not only how XSS Attacks works, but also how to use the library to prevent them.

I haven’t used the new library in an application yet, but considering some of the factors they took into consideration, it looks like they did a great job. It’s the perfect library to help anyone from MySpace (who have had several XSS attacks allowing an attacker to see anything from who is viewing their page, to automatically adding them as a friend just by looking at a page on the site) to a Bank of America which has highly sensitive personal information.

My New Favorite Tool – Case Complete by Serlio Software

Eric Marvets — Tue, 17 Oct 2006 04:54:00 GMT

After trying to do UML Use Cases in Microsoft Word (2003) for the past 2 weeks I finally decided that I’ve had it. The way Word deals with lists is great for 99% of the population out there, but it drives you mad when you are trying to put in ordered lists that begin with a certain seed.

So after Word crashed numerous times (each time deleting auto-save versions) and freezing every hour (again, deleting the auto-save), I decided to do some tool evaluation just to see what’s out there.

I looked at a number of different Use Case authoring tools and decided on Case Complete by Serlio Software.

The training demo and tutorial doc were clear, concise, and allowed me to learn the product in a couple of hours. I transferred all my use cases in Word over in less than a day (all 94 of them), and the template for creating a Word report was easy enough to configure.

The pricing was a little higher than I expected, but since it has allowed me to do in a day what it took me a week to accomplish in Word, I think it’s worth every penny.

Some highlights of the functionality:

Allows you to break your use case project up into separate files (all stored as XML) so that you can store it in Source Safe and allow users to only check out the section they need. I’ve had two people working on the use cases with no problems.
Automatic renumbering that will also update your exception steps. If you attach an exception to step 2, then move step 2 to 3, it will update the exception to step 3 as well. Even typing ‘Continue at Step 4’ in an exception will cause it to change if step 4 were ever renumbered.
Link to other Use Cases or Requirements. All you have to do is highlight some text or just right click on an empty space and it’s easy as pie to add a link to another item.
Intellisense like underlining that allows you to hover over words that are either defined in your glossary or as an actor that bring up tool tips showing their descriptions.
Refactoring – If a single use case needs to be broken into two, highlight the steps, right click, create new use case, done.

All in all, it’s a great UI that’s packed with features. It’s definitely helped with our productivity by leaps and bounds.

-Eric Marvets

Secrets of a Road Warrior

Eric Marvets — Mon, 16 Oct 2006 08:34:00 GMT

I have been a road warrior since just after 9/11. For the past 5 years I have spent at least 6 months of the year somewhere other than where I call home. At one point after .NET was released in 2002, I spent over a year and a half visiting 2 cities a week (fly out Sunday, speak at a seminar from 7:30 to 5:00 Monday and Tuesday, fly home Tuesday night, fly back out Wednesday night, speak at a seminar from 7:30 to 5:00 Thursday and Friday, fly home Friday night, wash, rinse, repeat).

Some think the secret to being a road warrior is his durability, and for a large part that’s true. But it’s not just a matter of surviving, but thriving through any situation that my come up comfortably. The real key is always being prepared. You never know what might happen.

Last night I was watching the news about the earthquake in Hawaii and thinking of a loved one who was out there for a conference. I saw hospitals being evacuated, police breaking up fights over gas and food at convenience stores, bridges and roads that were un-drivable, no power, no water, no flights allowed in or out, etc. and I was worried. It reminded me of several situations I experienced personally.

Hurricane Ivan was by far the worst thing I’ve ever been through, and there have been many.

In September of 2004, I was working on a project in Montgomery, and had to be there the day before the storm arrived. Things seemed normal enough at work, until everyone spent the second half of the day gossiping over whether or not they would have to come into work tomorrow.

I was in meetings all day and was oblivious to the news. By time I left work, both lanes of I-85 were converted for northbound traffic as a mass exodus of people from Biloxi to Mobile to Panama City were heading north to get out of the storms way. I had a perfectly good hotel room and opted to stay there instead of sitting on the freeway for what would have been a long, miserable drive back to Atlanta. There wasn’t a bottle of water left on store shelves, so I decided I’d be okay and just head back home in the morning.

I never expected that the storm would be strong enough to do any damage as far inland as Montgomery…but it was.

I awoke the next morning to no power and no water, which was the perfect motivation I needed to get on the road and head home early. I figured by leaving this early, the traffic on I-85 would be decent enough to make good time back to Atlanta. I had a perfect view of I-85 from my room, and when I went to look, sure enough there wasn’t a single car on the freeway…there were however a number of trees, the marquee from the hotel, shopping carts, trash cans, and even a stray sock.

I was stuck.

I wasn’t worried at first. I had endured several hurricanes before, once in a tent (Alberto, which dropped 24 inches of rain in a single night that cut off all the roads in and out of our base camp on the Flint River; I spent a week wet, living in a tent, and as a brand new lifeguard, performing live rescues for the first time).

Things started to set in when I tried to find food. The halls of the hotel were littered with refugees who even though they didn’t have a room, the hotel let them set up camp in the lobby, hallways, etc, each one of them with a giant cooler, luggage, and all acting as if they had done this a million times.

With no power, the vending machines were useless. I got in my car to venture out, but a tree blocked off the single entrance to the hotel. I decided to walk, but it was a ghost town. With no power, nothing was open.

Then my cell phone died.

I spent 2 and a half days in Montgomery, without a lick of food and only a single warm bottle of water I traded a man for a pillow.

Most of Montgomery was without power for 4 days. I was unlucky in that I had no supplies whatsoever, but lucky in that I was able to leave after waking up the third day to see that the roads had been cleared. The refugees who had to spend weeks in shelters and hotels had it far worse.

Now I am always prepared. It’s helped me through several other hurricanes (read Katrina), an ice storm, and a few other minor inconveniences. When I’m on the road, I always make sure to adhere to a few simple rules:

Never get below half a tank of gas, and always fill it to the top.
Keep a case of water in the trunk of the car. Most gas stations sell them now and it’s easy enough to grab one when you’re getting gas. If I’m flying, I always keep 2 in my carry on and I make sure to stock my room immediately after I check in.
Keep nuts and energy bars in my bag. If you have to go without food for a couple of days or for 4 hours while your plane sits on the runway without a pilot (thanks Delta!), you’ll be happy to have a something to eat.
Always keep a full charge on the cell phone and pack a car charger.
Keep an emergency calling card in your wallet. They are cheap enough these days and if something happens to you cell, you’ll find it terribly inconvenient not to be able to make any calls.
Carry a MP3/FM Radio. You can listen to MP3’s to take your mind of off things and be able to tune into local news advisories.

None of this does a single bit of good while you sit at home and worry about a loved one half way around the world, but hopefully it will allow your loved ones not to have to worry about you one day.