Pins, Tumblers, Picks, and Patents….oh my

•July 14, 2009 • 1 Comment

I’ve recently taken up an interest in physical security, particularly locks and lock picking. It started when I ran across Marc Weber Tobias’ name in a Wired article and saw that he’d recently co-authored a book with Tobias Bluzmanis called “Open in 30 Seconds: Cracking One of the Most Secure Locks in America.” (PDF Presentation and Amazon) I ordered the book from Amazon to find out a little more about the process of picking or bumping locks, especially for what was considered one of the best high security locks in the industry, Medeco. The book starts out with a brief history of locks; I was shocked to find out that locks utilizing keys and pins date back to the ancient Egyptians. Tobias points out three major milestones in lock design history, starting with the development of the Egyptian lock. The second milestone, in the mid-1800s, was Linus Yale’s improvement of the Egyptian design with the addition of the rotating tumbler that could turn when all of the pins in the lock were at the shear line to actuate the locking mechanism. The third milestone was Roy Oliver’s patent (Patent # 4,635,455), which improved on Yale’s pin and tumbler design by adding another dimension to the pin design. With the correct bitting on the key, the pins could be rotated as they were raised; this rotation was used to operate a sidebar that was independent of the shear line created by the vertical action of the pins. The basic premise of this was that anyone attempting to pick the lock would not only need to raise the pins to the appropriate levels, they would have to rotate the pins correctly to bypass the sidebar as well. If you want to read more about bypass methods for this type of lock design, I highly recommend reading Tobias’ book.

The focus of this post isn’t the intricacies of lock picking or bumping; I’d like to look at the lock industry in general. As it currently exists, the lock industry is actually damaging to security. There are many layers of security in place surrounding the locks, key blanks, lock picking methods, and lock picking tools, many of which are either brittle security or security by obscurity.

Protected key blanks are an interesting method of security.  UL 437, one of the premier standards for high security locks, necessitates key control procedures.  This is often done through the use of patent protected key blanks.  Since the blanks are patented, theoretically only the manufacturer or those authorized by the manufacturer can produce the key blanks for use.  If someone’s going to be duplicating keys to gain surreptitious entry into your facility, do you think a patent is going to stop them?   While these methods stop casual key copying, they provide no added security to the determined attacker. 

Lock picking tools are another interesting problem. According to US Code Title 39 § 3002a, “locksmithing devices” (defined in the code) can only be mailed to (1) a lock manufacturer or distributor; (2) a bona fide locksmith; (3) a bona fide repossessor; or (4) a motor vehicle manufacturer or dealer. The definition of a “bona fide locksmith” varies from state to state. Texas requires anyone applying for a locksmith license to have at least 2 years of verifiable work experience; Illinois requires a training class and an exam. Licensure isn’t the issue here. If I’m hiring a locksmith, I want to know that he hasn’t been convicted of a Class A felony. The issue is the seemingly tight control of lock picking tools that, in many cases, could easily be made at home (just Google it.) More individuals with access to lock picking tools would create a situation similar to the “many eyes” idea we have in open source software. Instead of trying to restrict who can purchase the tools, make better locks that can’t be picked with modified coat hangers or paper clips. The same applies to lock picking guides. LSS+ is another book by Marc Weber Tobias and is sold in Public, Locksmith, and Government editions. The question again is, would the general public be better served by releasing the information or keeping it “secret?” Quick Google searches again reveal the availability of the information found in the “professionals only” version floating around on the Internet. Again we see the same problem as we saw with the key blanks: if the individuals are determined enough, they’ll get the information.

As with all security problems, a multilayered approach is always best.  Relying solely on a lock/key combination is irresponsible.  An organization, depending on their security needs, needs to employ monitoring of secure areas whether that be by recorded video, monitored CCTV, or on-premise security guards.  Locks should be an integral part of a security solution.  They work and they have worked for over 4000 years.  Putting the future of physical security in the hands of many instead of the hands of a few will lead to more innovation and better security for everyone.

Adventures in PIX Land

•March 20, 2009 • Leave a Comment

One of my job functions is supporting a mesh of VPN tunnels that crisscross the country for various clients utilizing various types of network hardware. Most commonly it’ll involve a Cisco PIX or ASA in a central office and a Cisco SOHO router at a user’s house. Generally the Internet connection at the user’s house is residential DSL or cable and can be slightly unreliable, resulting in dropped connections which can leave the SOHO router in various states of confusion, but generally running a “clear crypto”-type command on both ends to delete the association and re-establish the tunnel does the trick. A minor annoyance for the users and myself, but they’re willing to put up with it for the opportunity to work from home. This week I came across what, I thought, was another one of these issues but it turned out to be a lot more. It ended up testing my troubleshooting skills, patience, and sanity.

The most common application running across the VPN tunnels is voice.  Users working remotely generally have IP phones connected back to the central office over the tunnel which allows them to take calls coming in to the central office as if they were there.  By nature, voice is one of the most connection-sensitive apps to run across a network so if there’s something wrong with a user’s internet connection, their phone is usually the first indicator and that’s exactly how this issue was reported to me.  When I spoke to the user they said that their phone wasn’t working but their internal instant messaging client was.  Odd considering they were both hosted across the same tunnel.  I pinged the phone system from the user’s desktop and got no returns.  I pinged the IM server and got returns.  I thought “Ok, something’s up with the tunnel.  Clear both ends and let it re-establish.”  Did that and same problem.  I checked the configs on both ends and nothing had changed over the past few weeks.  Rebooted the user’s router, still nothing.  Time to break out my troubleshooting setup. 

For troubleshooting firewall issues I VPN in to the PIX in question, turn on syslog debugging, and point the syslog messages out the “outside” interface of the firewall to the IP my VPN client has. I use tftpd32 as my syslog server on my machines, which nicely dumps the syslogs out to a text file for me. I then take cygwin and “tail -f” the syslog output file and pipe that through grep to grab the relevant info I’m looking for (big thanks to Peet G. for showing me how to do this when I was a young, inexperienced network analyst.) I SSH’d into both the firewall and the router and turned up some debugging on the router, specifically “debug crypto isakmp” and “debug crypto ipsec”. I sent a round of continuous pings from the client through to the subnet that wasn’t working. I saw the traffic match the access list configured for the tunnel, bypass NAT on the router, get encrypted (by looking at the counters in “show crypto ipsec sa detail”), saw it get decrypted on the PIX (using the same command as I used on the router), saw the traffic come back to the PIX from the server, match the access list for the tunnel going back out to the user, bypass NAT, but the detail for the IPSEC sa for this specific access-list line showed:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

The detail for the access list line that was working showed packets being decrypted and encrypted.
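The counters above are the one piece of hard evidence in this story: packets were decrypted for the user’s subnet but nothing was ever encrypted back, so the return traffic died somewhere between the inside interface and the crypto map. The following is an added example, not code from the original post, that parses output in the style of “show crypto ipsec sa detail” and flags any SA whose decaps counter is non-zero while its encaps counter is zero. The sample output is constructed for the example (addresses and counters are made up), and the function names are my own.

```python
import re

# Constructed sample in the style of "show crypto ipsec sa detail" output.
# Addresses, peer, and counters are invented; the second SA shows the
# one-way symptom described in the post.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, local addr: 203.0.113.10

   local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   current_peer: 198.51.100.7
      #pkts encaps: 8841, #pkts encrypt: 8841, #pkts digest: 8841
      #pkts decaps: 9017, #pkts decrypt: 9017, #pkts verify: 9017

   local ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   current_peer: 198.51.100.7
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 312, #pkts decrypt: 312, #pkts verify: 312
"""

# "local ident (...): (10.10.0.0/255.255.255.0/0/0)" -> side and the bracketed selector
IDENT_RE = re.compile(r"^\s*(local|remote) ident .*?: \(([^)]+)\)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_sa_counters(text):
    """Return one dict per SA: local/remote selectors plus encaps/decaps counters."""
    entries = []
    current = None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            side, ident = m.groups()
            if side == "local":
                # A "local ident" line starts a new SA block.
                current = {"local": ident, "remote": None, "encaps": None, "decaps": None}
                entries.append(current)
            elif current is not None:
                current["remote"] = ident
            continue
        if current is None:
            continue  # header lines before the first SA
        m = ENCAPS_RE.search(line)
        if m:
            current["encaps"] = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            current["decaps"] = int(m.group(1))
    return entries


def find_one_way_sas(entries):
    """SAs that receive traffic (decaps > 0) but never send any (encaps == 0).

    This is the pattern from the post: return traffic matched the crypto ACL and
    bypassed NAT, yet never reached the encryption stage.
    """
    return [e for e in entries if e["decaps"] and not e["encaps"]]


def one_way_report(text):
    """Human-readable lines naming the broken selectors, for a quick eyeball check."""
    return [f"one-way SA: {e['local']} -> {e['remote']} (decaps={e['decaps']}, encaps=0)"
            for e in find_one_way_sas(parse_sa_counters(text))]


if __name__ == "__main__":
    for line in one_way_report(SAMPLE_SA_OUTPUT):
        print(line)
```

Running the same parser against two snapshots taken a minute apart tells you whether the decaps counter is still climbing while encaps stays flat, which separates “traffic never gets encrypted” from “the SA was simply idle.”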

Immediately I thought, “routing issue”: the traffic must be going somewhere other than the outside interface to go through the tunnel. I checked the routing tables on the PIX and nothing in there indicated the traffic to the user’s subnet would be going anywhere but outside. Just to reaffirm this, I turned on reverse route injection on the user’s router and re-established the tunnel; now I saw a specific entry in the routing table for the user’s subnet, but traffic still wasn’t passing.

By this time the day was over and the user had been using a cell phone for taking calls, not ideal they said, but they were happy to work that way until I had the issue figured out. I explained the issue to a few of my other networking peers and most of them said the same thing, “something must be wrong in your configs.” Only one of them said, “Have you tried rebooting the PIX?” Reboot a PIX that’s been up for almost a year with no issues? Surely that couldn’t be it; rebooting is typically a knee-jerk reaction to a problem, and while it may work, you also wipe away traces of the actual problem only to see it later. Late that night I confirmed everyone was logged out and rebooted the firewall. A minute later it came back up, I logged in to a server on the main network (that hadn’t been working for the user) and pinged the IP address of their phone and it WORKED! So hopefully the firewall just needed a reboot; if the problem comes up again I’ll quickly be able to determine if it’s the same issue and get TAC on the line. Hopefully this helps anyone out there who’s having the same issue as this. I spent the good part of a day troubleshooting this and was seriously beginning to doubt some of my professional skills.

Getting paid to do what you love

•February 13, 2009 • Leave a Comment

During my 8 years in IT I’ve held a variety of different jobs, met lots of cool people, and been paid varying amounts of money in a variety of different ways.  My first job was doing PC repair at the tender age of 16 after I got my A+ certification making a cool $9.50 an hour.  With my conservative, WASP background I was striving for that full-time, steady gig after college with a salary hoping to work a good 40 hour week and receive a nice 40 hour paycheck and my first job after college looked like it would meet all those expectations.  Sometimes…things don’t work out like you’d hope though.

Something they don’t teach you in college (or maybe they did and I just blocked it out) is that IT is so much more than setting up servers, plugging in cables, and typing dramatically and furiously in a command line. Those things are just the “T” part of “IT.” Notice I said “part” and not half because, proportionally, you spend a lot more time on the “I” part. Information is what drives businesses and technology is one method of delivering that to your end-users. Too many people come out of colleges, tech schools, and cert mills with an associate’s degree or an MCSE thinking they’re going to get a job setting up servers, plugging in cables, and typing dramatically and furiously in a command line. Those people will usually find themselves in an entry-level position at a help desk dealing not with servers and cables but with people. I was fortunate enough at my first job out of college to have the best of both worlds: I got to work directly with the servers and work with the end-users. This gave me an appreciation for understanding what exactly an IT person’s role is in a company and quickly threw out any misconceptions I had that I’d be doing cool things like racking servers and building SANs all day.

As part of my dual role I also got a hard lesson in what being a full-time IT person is like. Things like night work, weekend work, and being on-call had never really occurred to me. I went in knowing it was a possibility but the sheer volume of time spent working outside the office and coming in on weekends was a real eye opener. When my blue-collar friends noticed me seeking out the nearest computer quite often to do some work while hanging out at their houses on weeknights they started asking, “are you getting paid overtime for this?” That always caused me to pause and think, “well no, I’m salaried but this is all extra time in addition to the 8 hours a day I’m spending in the office.” My employer at that time didn’t offer comp days or time off for extra work; it was just expected as part of your job role and they assumed that was covered in the salary they were paying.

It was when my next job came along, which would pay hourly instead of salary, that I really began evaluating the pros and cons of getting paid hourly. I’d always liked the idea of a consistent, steady paycheck but I hadn’t ever worked a week under 40 hours so I felt it’d be nice to be directly compensated for all those late nights and spoiled weekends. Due to the nature of work in IT, I believe hourly is the best way to get paid for one simple reason: it prevents your employer from taking advantage of your time. I’m not saying that they do this maliciously but, when time spent after hours impacts their bottom line directly, they think before they pick up that phone at 10 o’clock at night to ask why their printer isn’t working. If it’s something that’s urgent they won’t mind picking up the phone and paying you for 30 minutes’ worth of work and you won’t mind the interruption (as much) when you know you’ll be getting a little extra in your next paycheck.

I believe we’ll start seeing more IT employees being paid hourly as IT makes a shift to being a commodity item instead of an asset or a cost center.  We’re already beginning to see the shift through things such as Software as a Service (SaaS) and with virtualization we’ll begin to see more and more Infrastructure as a Service (IaaS.)  IaaS is essentially hosting but could you adopt a hosting model internally?  Bill out server time and resources on an as-needed basis?  People as a Service (PaaS) is essentially consulting which has been done for quite some time and that has typically been paid out on an hourly basis.  If your IT staff was hourly, would you bill out their time to various business units as they were utilized?  As software and hardware move to a service model versus an asset model, the people in an IT department might become less and less important as the number of resources required to keep the systems running will drop dramatically.

Many big businesses have been running IT shops similar to this for some time now but what about small or medium sized businesses?  Rather than hiring one or a few “know-it-alls” to run the IT (and putting up with their salary requirements and typically equally large egos) you could bring in IT on an on-demand, as-needed basis just like cable, telephone, or electricity.  Competition in this space would keep prices down and place a high emphasis on good customer service and the ability to deploy the right talent to fit the customer’s needs.

Thoughts? Comments? Questions? Concerns? Is your current job going away?  Do you need to take a look at your career path as you see these shifts?

Implementing a Low Cost Voice over IP System at a Small Private School

•January 5, 2009 • Leave a Comment

Voice over IP (VoIP) is continuing to grow in leaps and bounds. As the technology matures, the equipment required to support it becomes cheaper and easier to operate, helping smaller organizations adopt the same technology enterprise customers have been enjoying for years at significantly lower costs (both in hardware and support.) One such example of a small organization benefiting from the deployment of VoIP is a local private school where I volunteer and serve on the technology integration committee.

The decision to evaluate other options for a phone system came after the school had already accepted the donation of an old key system from a local business and paid a local telephony contractor to install the system.  After spending many costly hours programming the hardware, the system could send and receive calls but the phones were difficult to operate and voice mail didn’t work.  In addition to this, every time a change needed to be made to the system, the contractors would need to be called and because of the age of the system, any additional hardware needed to be purchased on the open market and since the hardware was system specific it could be quite expensive.  

A school has different requirements than a business does for phone systems and it was this realization that led the technology committee to recommend implementing a VoIP system to the school board. Since this was a small school, cost was a primary consideration. By implementing a VoIP system, we could utilize the existing network infrastructure. This particular school has the benefit of being in a newly constructed building with brand new Cat5e wiring with at least 2 drops in each room. VoIP systems are also easier to support by non-expert users since they utilize web interfaces for managing extension assignments, voice mail, etc. The ability for the school’s tech admin to make simple moves/adds/changes to the system without incurring any cost or waiting on a tech committee member’s time would reduce the time it takes to make changes to the system and would result in further cost savings. Another requirement considered was the fact that teachers move around the school constantly, so providing the school secretary with easy call routing capabilities was a necessity.

With cost being a primary consideration, we on the tech. committee have learned to make do with equipment donations from friends of the school so we began scouting for pieces of a VoIP system that we could consolidate into a real working system.  For call processing/handling software we decided to go with AsteriskNOW because what price can be better than free and we were able to acquire an older HP DL380 for it to run on which provided plenty of processing power.  Since AsteriskNOW primarily supports SIP we started looking for SIP-capable IP phones to go with the system starting with used and off-lease Cisco IP phones but we were eventually able to find a sufficient quantity of Polycom IP430 phones a company was willing to donate along with a Polycom IP601 for the secretary.

From the network hardware perspective the school would be in pretty good shape were it 3 or 4 years ago. Their switching infrastructure consisted of 3 Cisco 2900XL switches and 1 Cisco 2950 and their firewall was a Cisco PIX 506e. They utilized a single VLAN and one /24 subnet. In order to segregate the voice traffic from the rest of the network we decided to add another VLAN on top of the existing network. Since we had no layer 3 switching capabilities and our firewall only supported 2 fast ethernet interfaces, we added a Cisco 1721 in a router-on-a-stick configuration to route between our two VLANs, since our donated 1721 only had one physical ethernet interface. In addition to the 1721 we also had another 2950 switch donated which gave us enough ports in our server room and IDF that supported QoS for the number of phones we were going to have.

Since the phones were donated, not all of them came with a complete set of accessories, particularly power adapters.  Thankfully all of the phones supported Power over Ethernet (PoE) so we were able to purchase 2 PowerDSine 3012 PoE midspan devices, one for the server room and one for the IDF, to push power out to any phones that didn’t have wall adapters or weren’t close to an electrical outlet. 

For trunk lines we evaluated the option of purchasing a SIP trunk but the school is only fed through a business-class DSL line that wouldn’t provide sufficient upstream bandwidth so we elected to stay with the current analog POTS lines already coming in to the school and add a card to our server that would support multiple FXO lines.  Since we were using AsteriskNOW we decided to purchase the Digium TDM808E card which would support up to 8 incoming lines.  Configuring the card to work with AsteriskNOW was almost too easy.  There’s an “Add Hardware” option in the web interface that automatically detected the card. All we had to do was specify which interfaces had incoming lines connected. 

Based on conversations with the secretary and school administrators we came up with a call routing plan that met everyone’s needs.  The old phone system would simply simultaneously ring all lines whenever a call came in so those not wanting their phone to be ringing continuously would simply turn their ringers down or off.   With the flexibility of Asterisk we were now able to set up directed call routing paths to groups of users instead of the entire user base.  Since teachers would likely be lecturing most of the school day we set up a call group in the main office to ring for any inbound call.  If the staff in the main office is busy or unavailable the call would roll over to an auto-attendant and allow an extension to be dialed manually.  If an extension isn’t dialed within a few seconds the call rolls in to a general voice mail box that will trigger the message waiting indicator on all of the office staff’s phones. 

When all was said and done the system cost the school about $1200 to install.  If we hadn’t gotten so many donations the system would’ve cost about 4x-5x more depending on hardware choices but even that would’ve still provided a cost savings versus paying a contractor to come out every time we needed changes made to the system.  In addition to reduced labor costs the school now has a very modular, flexible system that doesn’t rely on a central “black box” proprietary solution.  We can add any SIP-capable IP phone including wireless ones, we can add more analog phone lines, and we can modify call groups or ring assignments with a few clicks.  With a solution such as this, small businesses, schools, churches, or charities can have a cheap, simple, scalable, flexible phone system that they can manage on their own without the need for costly contractors and proprietary equipment.

New year, new semester

•January 2, 2009 • Leave a Comment

With the beginning of the new year comes a new semester of graduate school and a chance to look back at my first semester. My first and foremost impression of graduate school is how different it is from undergraduate studies. I began to sense that things were awry when I was selecting my first semester classes. Gone were the typical classes on networking, operating systems, and programming where you’d get specific, hands-on instruction with the various topics. My first selection was a class called “Network Security” with Prof. Sam Liles. I figured it combined two of my favorite topics just in the course name alone and would involve things like firewall configuration, penetration testing, and intrusion detection. Day one of the class Prof. Liles dispelled any misconceptions about graduate course work by stating that there would be no labs, no hands-on, and no vendor specific instruction. I think half the class didn’t come back the next session. Those things are for undergraduate classes where you’re building a technical skill base; graduate classes take a step outside the command line and ask questions such as “What is network security?”, “How do you define security?”, and “Is a network ever completely secure?” When you step back that far from the actual implementation of network and security devices you begin to understand the bigger picture and get a totally different perspective.

When you go from college to industry back to college like I did, you find that you’ve been placed in a vendor-induced coma when it comes to technology. Instead of developing a system that best fits the need of the business or organization, you find yourself focusing specifically on the various technologies you’ll need to utilize to implement a system. This is especially true when considering information security policies. Vendors would like you to believe that the level of security your organization has directly correlates to the amount of money you spend on the security system. I think Prof. Liles takes pride in taking students who have been out in the field for a few years and smashing the perceptions of industry that they’ve developed, to help them see the bigger picture. This is necessary in making the move from the entry-level position an undergrad degree would get you, like an “analyst” or an “engineer,” to an “architect.”

Another thing that graduate school teaches you is the critical thinking skills that you obtain from doing research. My second class of my first semester was called “Analysis and Research in Industry and Technology.” This class focused specifically on doing scientific research and writing a directed project proposal. After taking both of my graduate classes last semester I find myself being much more critical of sources of information on the Internet.

For anyone considering graduate school, my first piece of advice would be that it requires a lot of commitment and dedication.  Whatever amount of work you think it will be, it’ll be more.  When you’re balancing a job, family, and school it’s really easy to get overwhelmed.  Don’t think that taking 2 or 3 graduate classes will be a nice time filler for week nights, they will consume a lot more of your time than you can imagine.  One thing I noticed myself doing quite often was even during the day at work I’d find myself thinking about my research project.  If your job requires 100% focus for 8 or so hours a day, make sure you have the mental self-control to separate your school work from your actual work. 

My second piece of advice for those considering graduate school is to use the buddy system. Having a strong, core group of friends with you as well as a good academic advisor can make or break your experience. I can only imagine how difficult my first semester would’ve been if I’d gone through it by myself. Having friends you can bounce ideas/questions/complaints off will give you a support mechanism through difficult times and prevent academic frustrations from making it back home.

Is it worth it? After a semester I can definitely say I’m looking forward to taking more classes, I’m beginning to see changes in my thought processes, and I can’t wait to see what else grad school has in store for me.

The Tattle Button

•December 2, 2008 • Leave a Comment

I’ve developed a good way to identify an organization that is micromanaged.  It doesn’t involve complex measurements, statistics, charts, or KPI tracking dashboards.  It merely requires looking at the name in the “cc” field in e-mails within that department.  If you consistently see a manager’s name in there, even in e-mails dealing with mundane day-to-day operations issues, you could be in trouble.

I’m not an expert on management but I’ve worked for quite a few different companies. I’ve worked for great managers, good managers, and bad managers and in my experience, as an engineer, the best managers are the ones who take a high-level, hands-off approach to managing their team. A great manager will delegate responsibilities, tasks, and projects to team members and only get involved when there is a major problem or decision to be made. If you don’t have staff that you can tell, “I need this project done at this specific time,” and then step back, you need better staff. When a manager requires that their staff CC them on all e-mail communications as a way of tracking performance on a project, they can actually end up negatively impacting performance and slowing down progress. A much easier way of tracking performance is using proper project management skills. Status updates, checkpoints, and target dates are all much easier to keep track of than sifting through hundreds of e-mails. If it looks like the schedule is slipping, then it’s time to get involved and find out what the problems are. This way employees won’t be stifled by constant questioning on the details of a project and managers can get a better look at the big picture.

According to RFC 822 for e-mail headers:

   The “Cc:” field (where the “Cc” means “Carbon Copy” in the sense of
   making a copy on a typewriter using carbon paper) contains the
   addresses of others who are to receive the message, though the
   content of the message may not be directed at them.

Organizationally, (ab)use of the CC button has become the grown-up form of tattling. People seem to think that CCing a manager will put more clout behind an e-mail, equivalent to <snobby kid voice> “I’m going to go tell mom” </snobby kid voice>. Managers sometimes require their subordinates to CC them as a form of technological babysitting. I’m not a military man but I like to operate on the need-to-know principle. When e-mail becomes a constant string of “CC” and “Reply To All” it’s no longer a means of effective, fast, directed communication, just a noisy day care.
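The “look at the Cc field” test above can be measured rather than eyeballed. The following is an added example, not part of the original post, that parses the Cc header of a batch of messages with Python’s standard email library (the header syntax quoted from the RFC above is what that parser implements) and reports how often a given address shows up as a secondary recipient. The four messages are constructed for the example and the addresses are made up; the function names are my own.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (headers only matter here). Three of the four
# copy the manager on routine traffic, one does not.
SAMPLE_MESSAGES = [
    "From: dev1@example.com\nTo: dev2@example.com\n"
    "Cc: manager@example.com\nSubject: printer port\n\nCan you move it to port 12?\n",
    "From: dev2@example.com\nTo: dev1@example.com\n"
    "Cc: Boss Person <Manager@Example.com>\nSubject: Re: printer port\n\nDone.\n",
    "From: dev3@example.com\nTo: dev1@example.com\n"
    "Subject: lunch\n\nNoon?\n",
    "From: dev1@example.com\nTo: dev2@example.com\n"
    "Cc: manager@example.com, dev3@example.com\nSubject: vlan change\n\nMoved port 12.\n",
]


def cc_addresses(raw_message):
    """Lower-cased addresses from every Cc: header of one RFC 822-style message."""
    msg = message_from_string(raw_message)
    # get_all returns None when the header is absent; getaddresses handles
    # display names, angle brackets, and comma-separated lists for us.
    return [addr.lower() for _, addr in getaddresses(msg.get_all("Cc", []))]


def cc_frequency(messages):
    """Number of messages (not header entries) in which each address is Cc'd."""
    counts = Counter()
    for raw in messages:
        for addr in set(cc_addresses(raw)):  # count an address once per message
            counts[addr] += 1
    return counts


def cc_share(messages, address):
    """Fraction of messages on which `address` appears in Cc (0.0 when no messages)."""
    if not messages:
        return 0.0
    return cc_frequency(messages)[address.lower()] / len(messages)


if __name__ == "__main__":
    share = cc_share(SAMPLE_MESSAGES, "manager@example.com")
    print(f"manager Cc'd on {share:.0%} of messages")
```

Feed it a mailbox export (mbox files split on the “From ” separator, or any per-message source) and compare the share for a manager’s address against the fraction of threads that actually needed a decision; the gap between the two is the tattle-button overhead the post describes.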

How NOT to compete with Cogent

•November 21, 2008 • Leave a Comment

Recently, Nextlink has been advertising their new fixed wireless Internet service to tenants in my building.  Nextlink, a division of XO Communications, provides high-speed Internet services to customers through a fixed antenna on the roof of their building which communicates with a central antenna (on the Sears Tower if you’re in Chicago.)

What I find funny about their marketing campaign in the flyers they’re distributing is that they’re trying to position themselves directly against Cogent by saying that a benefit of their wireless service is that you don’t have to deal with the “problems” of fiber Internet.  Now I dislike that proverbial backhoe operator as much as every other network admin but I have a hard time relying on a 2.6 degree wide beam shooting through the air in a crowded downtown area any more than I do the skinny strand of glass running in to the building.  I figured they were surely shooting for people looking for network continuity services instead of people using them as their primary ISP so I requested some pricing information figuring it would be pretty reasonable since they have significantly less infrastructure requirements than, say, Cogent would.  I was surprised to find that their 10 MB service was almost exactly what we were paying for our 100 MB fiber service from Cogent and their 100 MB service was over 3x what we were paying and required at least a 2 year contract. 

I don’t want to be a Cogent fanboy, they certainly have their problems, but if Nextlink wants to compete, here’s what I think they need to do:

1.) Lower your prices
2.) Don’t require 2 or 3 year contracts
3.) Leverage your ability to provide backup bandwidth to current Cogent (or any other fiber or copper-based ISP customers.)  By this I mean offer a service that’s significantly lower in price than your primary data service option that has a bandwidth cap on it.  By doing this you’ll provide us Cogent customers multi-carrier access (for when Cogent decides to initiate their next peering spat) and physical redundancy for when the backhoe strikes.

Your Blackberry sucks

•November 20, 2008 • 2 Comments

As a consultant I frequently encounter customers that either have or want to have Blackberry handhelds, the primary reason being mobile e-mail. If it’s a small company that wants to set up Blackberry Internet Service to pull their mail from POP, IMAP, or now even through OWA, it usually works fine. It’s when they want to put a Blackberry Enterprise Server in that things get messy. 100% of my customers are running Microsoft Exchange 2003 SP2 or later, systems which fully support Exchange ActiveSync with Direct Push (shortened to just Exchange ActiveSync in Exchange 2007.) Exchange ActiveSync is a built-in mobile e-mail platform that only requires you to expose an Outlook Web Access portal to the Internet, something 99% of organizations running Exchange are doing anyway. You can even self-sign the SSL certificate if you don’t mind dealing with the hassle of manually loading it onto the phones. Exchange ActiveSync then allows a user to authenticate directly to their mailbox and have their e-mails delivered to their handheld as they arrive.

My main problem with Blackberry Enterprise Server’s e-mail functionality is that, at its core, it’s a hack.  Instead of granting the individual user the ability to access their e-mail from their handheld, you’re granting a separate user account the ability to read all the mailboxes in your organization and the ability to send as those users (which was the cause of a lot of grief for Exchange admins running Blackberry when Microsoft released some patches a few years back that modified the behavior of the “Full Mailbox Access” permission: http://support.microsoft.com/kb/912918/).  When you send an e-mail from your Blackberry through a BES, you’re not really sending the e-mail; you’re instructing the Blackberry service account to send the e-mail and essentially spoof your name as the sender.  The same thing goes for receiving e-mails: your user account isn’t accessing your mailbox and delivering the message to your handheld, the Blackberry service account is going into your mailbox, grabbing the message, and forwarding it to your handheld.

As an attacker, if I was interested in surreptitiously monitoring a company’s e-mail system, the Blackberry service account would be a great place to start.  An account that has been delegated the right to access other users’ mailboxes would be doing that on a regular basis, so it wouldn’t be a glaring entry on an audit log… oh, and that account can send as anyone too.  The possibilities…
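One defensive check that the delegation model above invites, as an added example that is not from the original post: review the non-owner mailbox logons and flag the BES service account whenever it is used from anywhere but the BES server itself, plus any other account opening a mailbox it does not own. The record layout, the `CORP\besadmin` account and the host names are constructed for this example; the lines are modelled only loosely on the Exchange 2003 MSExchangeIS “not the primary Windows account” logon entries (event 1016), whose real text differs.

```python
import re

# Constructed sample of non-owner mailbox logon records (not real Exchange
# output); each line is timestamp|account|mailbox|client_host.
SAMPLE_LOG = """\
2008-11-20 08:01:12|CORP\\besadmin|jsmith|BES01
2008-11-20 08:01:13|CORP\\besadmin|kjones|BES01
2008-11-20 08:02:40|CORP\\besadmin|cfo|BES01
2008-11-20 12:15:09|CORP\\besadmin|cfo|WKSTN-117
2008-11-20 12:16:30|CORP\\besadmin|ceo|WKSTN-117
2008-11-20 13:05:00|CORP\\jsmith|kjones|WKSTN-042
2008-11-20 14:00:00|CORP\\jsmith|jsmith|WKSTN-042
"""

LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<account>[^|]+)\|(?P<mailbox>[^|]+)\|(?P<host>[^|]+)$"
)

# Accounts expected to open other people's mailboxes, and the only hosts they
# should ever do it from: the BES service account from the BES server (assumed
# names for this example).
EXPECTED_DELEGATES = {"CORP\\besadmin": {"BES01"}}


def parse_log(text):
    """Parse the pipe-delimited records into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_logons(events, expected=EXPECTED_DELEGATES):
    """Return (ts, account, mailbox, host, reason) for logons that break the
    delegation model: a known delegate used from an unexpected host, or an
    account with no delegation at all opening someone else's mailbox."""
    findings = []
    for ev in events:
        user = ev["account"].split("\\")[-1].lower()
        if user == ev["mailbox"].lower():
            continue  # owner opening their own mailbox: normal
        allowed_hosts = expected.get(ev["account"])
        if allowed_hosts is None:
            reason = "unexpected delegate"
        elif ev["host"] not in allowed_hosts:
            reason = "delegate used from unexpected host"
        else:
            continue  # BES service account working from the BES server: expected
        findings.append((ev["ts"], ev["account"], ev["mailbox"], ev["host"], reason))
    return findings
```

Run against the sample, the three BES01 entries pass as routine BES traffic while the two workstation logons by the service account and the non-delegate opening a colleague’s mailbox are reported.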

The other problem with Blackberry is the amount of resources required to run it.  Not only does it require its own OSE (operating system environment, to borrow Microsoft’s terminology since we’re not always dealing with physical servers), but the Blackberry admin account uses MAPI to access mailboxes, which places additional load on the Exchange server.  This is akin to running Outlook on a computer and opening up hundreds of mailboxes at the same time.  If a few of those mailboxes are a couple of gigabytes in size, goodbye Exchange server.

When sizing an Exchange environment for an organization that runs Blackberry, I’ll place fewer physical users on an Exchange server since each person that uses Blackberry places about two users’ worth of load on the system.  While this may not be a big issue in smaller environments, in large environments this will increase the amount of mail server resources required to support the same number of users.

As a side note, Blackberry isn’t the only one guilty of this; GoodLink (now owned by Motorola) functions much the same way with a delegated admin account.

Blackberry servers do have their place in some organizations: some companies require 3DES or AES encryption, some require the extremely granular security controls you can impose on a Blackberry handheld, and some require the mobile data access and application functionality that is also included with a BES.  The majority of customers I support running Blackberry use it exclusively for e-mail, and I believe that Exchange ActiveSync provides a simpler and cheaper alternative that supports a wider range of handhelds.  With Apple’s addition of Exchange ActiveSync to the iPhone, I hope we’ll begin to see more mobile platforms (not just Windows Mobile) support Exchange.

VMware ESX 3.5 Update 3 is out. Are you upgrading?

•November 11, 2008 • 1 Comment

On November 6, 2008 VMware released update 3 of their ESX and ESXi hypervisors.  (http://www.vmware.com/support/vi3/doc/vi3_esx35u3_rel_notes.html)  Update 2 of those products will likely go down in history along with other memorable patches like Windows NT4 Service Pack 4.

There was no practical way of testing for the issues that Update 2 had, unless your test plans include incrementing the day on the server about 30 times and doing a VMotion after each date change.  VMware’s CEO assured customers that they have modified their build processes so the issue won’t happen again (http://blogs.vmware.com/console/2008/08/letter-from-vmw.html), but I’m still a little hesitant to upgrade, especially since the upgrade gives me no additional functionality that I need.  I think I’m going to sit this one out for a while and let others test the waters.

Book Review: “Look Me in the Eye: My Life with Asperger’s” by John Elder Robison

•October 13, 2008 • Leave a Comment

While on vacation recently I stopped at a local bookstore to find something to read while relaxing on the beach.  A week prior to my vacation we’d been discussing in my network security class how people with Asperger’s syndrome often find themselves in IT jobs, where many common characteristics of Asperger’s that may not work so well in other jobs can be quite beneficial.  Some common misconceptions about Asperger’s that I’ve heard (and had) are that people with Asperger’s have an obsession with technology and that they are anti-social, so my initial thought about this was, “Could I have Asperger’s?”  After reading this book, I can definitely confirm:

1.) I don’t.
2.) There’s a lot more to Asperger’s.

One of my favorite things about this book is how Robison conveys his thought process and perceptions of others (which are quite different from those of someone without Asperger’s) through words.  If you’re looking for a book that rigidly describes the ins and outs of someone with Asperger’s, this isn’t it.  Robison instead paints a vivid picture of life with Asperger’s through his own eyes without ever coming out and coldly stating “I think this way because…” or “I acted this way because…”; it’s left entirely up to the reader to make the connections, and by doing that, you come away from this book with a greater understanding of people with Asperger’s.

As a technologist this book is great because it shows you where a passion for science and technology can take you, even if you have problems relating to other people.  Robison holds some really interesting jobs throughout this book including making smoking guitars for KISS and designing electronic games. 

The biggest takeaway from this book is an appreciation for those who see the world differently.  Just because someone with Asperger’s may react differently than we expect doesn’t make them socially inept or an outcast; their thought processes are just different than ours.  When you think of Asperger’s as a different way of thinking rather than something that is wrong and needs to be cured, you gain a better understanding of the way your own mind works.