Wednesday, October 19, 2022

Misunderstanding Risk

Pretty much everyone has their own idea of what risk is. Funny thing is that these ideas are usually wrong and often manipulated by media and popular culture.

I will sum this up early with a statement and reference.

"You are 5 times more likely to accidentally kill yourself while taking a selfie than to die by shark attack."

Read that again.

More People Die Taking Selfies Than by Shark Attacks (newsweek.com)

So why no "selfie week" on Discovery Channel?

I used to teach Risk Analysis (IST-301) for Penn State. I learned much from Dr Will McGill, who first developed the class.  I could never do as well as Will but I had my own approach.

First we have to agree that risk is the probability that something BAD will happen. The bad thing could involve money, danger to people or the environment, or something else. In cybersecurity we look at the risk to the CIA (confidentiality, integrity, availability) of information. But the rules apply everywhere.

Next, one has to look at what is at risk. Those are referred to as 'assets.' So the risk is that something bad will happen to assets - people, property, secrets, etc.

This is where things like health care and insurance come in. I survived a devastating motorcycle accident in 2013. I was dead for a minute. Afterward all the bills came to about $160K. Because I had insurance, that was negotiated down to about $16K. Insurance paid all but $2K.

Mind you, the risk of dying on a motorcycle is 1 in 112. The risk of dying by firearm is 1 in 358, plane crash 1 in 8,015, poisonous creature 1 in 42,120, and shark? 1 in 3.7 million. (These are approximate.)

Your chances of dying from a plane crash, a shark attack or lightning strike | indy100 | indy100

We all take risks every day. Can't avoid it. But we learn ways to avoid or mitigate the effects of the risk. A risk with a tiny bad thing is no big deal. A risk with a big bad thing is important.
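A worked version of the likelihood-times-impact idea above, using the post's approximate odds (this is an added example, not code from the post; the dollar impacts and the "cracked phone screen" line are constructed placeholders, chosen to show that the likeliest event is not always the most important one):

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Hazard:
    name: str
    odds_one_in: float   # lifetime odds quoted as "1 in N"
    impact_usd: float    # size of the "bad thing" if it happens (constructed figures)


def parse_odds(text: str) -> float:
    """Turn '1 in 8,015' or '1 in 3.7 million' into the number N."""
    n = text.lower().split(" in ", 1)[1].replace(",", "").strip()
    scale = 1.0
    for word, mult in (("million", 1e6), ("thousand", 1e3)):
        if n.endswith(word):
            n, scale = n[: -len(word)].strip(), mult
    return float(n) * scale


def probability(h: Hazard) -> float:
    return 1.0 / h.odds_one_in


def expected_loss(h: Hazard) -> float:
    """Likelihood times impact: the number a risk analysis actually ranks on."""
    return probability(h) * h.impact_usd


def times_more_likely(a: Hazard, b: Hazard) -> float:
    """How many times more likely hazard a is than hazard b."""
    return b.odds_one_in / a.odds_one_in


def rank_by_expected_loss(hazards) -> list[str]:
    return [h.name for h in sorted(hazards, key=expected_loss, reverse=True)]


# Odds are the post's approximate figures; impacts and the last line are constructed.
HAZARDS = {h.name: h for h in [
    Hazard("motorcycle", parse_odds("1 in 112"), 160_000),
    Hazard("firearm", parse_odds("1 in 358"), 160_000),
    Hazard("plane crash", parse_odds("1 in 8,015"), 160_000),
    Hazard("poisonous creature", parse_odds("1 in 42,120"), 160_000),
    Hazard("shark", parse_odds("1 in 3.7 million"), 160_000),
    Hazard("cracked phone screen", parse_odds("1 in 4"), 300),
]}

if __name__ == "__main__":
    for name in rank_by_expected_loss(HAZARDS.values()):
        h = HAZARDS[name]
        print(f"{name:22s} p={probability(h):.2e} expected loss=${expected_loss(h):,.2f}")
    print("motorcycle vs shark:", round(times_more_likely(HAZARDS["motorcycle"], HAZARDS["shark"])))
```

The cracked screen is by far the likeliest event in the table but lands in the middle of the ranking because its impact is tiny, which is the "tiny bad thing" point in the paragraph above.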

Next time I will introduce two more points of risk to give you nightmares - a comet/asteroid and a CME (coronal mass ejection).


Thursday, October 13, 2022

Beware the post-disaster scams

About 10 years ago I was interviewed by a talk show in London about scams following Hurricane Katrina. Turns out disasters are a ripe time for such scams, often aimed at elderly people.

So here is my sad, sad story.

Once I had cell service after Ian, I would check FB regularly to let my family and friends know that I was OK. I got a friend request from a retired faculty member whom I barely knew back in the day. I was initially suspicious (always am). I asked him a few questions to see if it was really him, but he found a way to avoid answering them.

He asked me if I had gotten my money from DHS. Scam warnings immediately went up, but he kept insisting that I trust him. He then asked if he could have a DHS agent contact me. I do not want to divulge this person's name since I am now sure it was a cloned account.

However, I was soon contacted by a John Franklin, who claimed to be a DHS agent. He said I would get $150K in a FedEx box at 9:30 pm. He wanted a lot of info from me, including a copy of my driver's license. I refused. The only info I provided was info found on my FB anyway. Nothing private!

So then he contacted me at 9 pm and said they needed $2K to complete delivery of my $150K - scam city!

So then I did what any citizen is supposed to do. I gathered documentation and first contacted DHS. Turns out they do have an agent John Franklin. My bet is that his account was spoofed also. BANG! Now it is a Federal crime: impersonating a federal officer and a scam across state lines.

Here is John's fake FB profile: John Franklin | Facebook

DHS did not care! Email to John went without a reply. The website at FBI for reporting things like this is impossible to figure out! And NO email address for FBI. NONE! Zippo!

So I sent the info to my local police. Again no reply, although I cannot blame them since we are in the middle of Ian's devastation zone.

So I have archived all information about this. They honestly do not seem to care. The scam is one thing, but impersonating a federal agent in a scam... wow. I had it all wrapped up as a present for them, but oh well.

So, bottom line: try to be a good citizen but look out for yourself. I have no doubt there are law enforcement people looking to break scams like this, but good luck finding them. I am very disappointed.

Tuesday, October 11, 2022

Getting online in a disaster area

It has been almost 2 weeks now since Hurricane Ian passed right over our house. Luckily the house, shed, pets, vehicles and we are OK. The trees, fence, garden and birdcage are destroyed. But hey, we were lucky!

The day of the Hurricane was surreal. We had bought new hurricane-proof bay windows, which I sat behind and watched it all go by. I did drink vodka, and listened to progressive rock music as I imagined the world crumbling around me. Suzi made a safe room where she, the pets and a radio sat.

The day after, everything was in tatters. We had no water, but we did have a pool for water to flush toilets. Luckily, we had bought about 8 cases of water over the preceding months. We were also fortunate that the temps after Ian were in the 70s and low 80s, so no need for air conditioning.

I expected that electricity and cable/wifi would be out for at least a few days. I did not expect that cellular service would be down. For four days we had no way to reach anyone to let them know we were safe. Cell service came back in 4 days, electricity came back in 8 days. Cable/wifi are still dead.

Of course you need power for any electronics. I was able to use my truck and an inverter to charge battery packs. I also have a few solar-charging battery packs. More than enough to keep a cell phone running, or two in our case. I plan on getting more.

I do have 2 portable generators but had no luck getting either started. Neighbors and even the National Guard tried, but nada. Lesson is to not wait until a disaster before making sure your generator works.

Now if you have unlimited data on your phone, the magic starts. Mobile tethering allows you to use your phone as a portable wi-fi hotspot. Speed sux - about 2MB down and 3MB up last time I checked. You are limited on devices also, but I have 2 computers on it now and so far no problem.

But be sure you have unlimited data or you may get a nasty surprise.

Now more magic. If you have a smart TV, like my 85" Sony, you can get it on the hotspot and watch Netflix or whatever. Also, most TVs have a local antenna port. Get a $50 digital antenna from Walmart and you can watch local TV. This and radio were our only info sources until cell came back.

One more little thing. We have a group here called CERT, Community Emergency Response Team. Given how cell was out, why not fall back on CB radios? Pretty much every boomer has one in a box in their garage or shed. With a tiny amount of prep these could be used for the CERT members to coordinate response. I am planning to do a demo for the other CERT members.

Of course the problem is that coordination is needed early on. Almost nobody uses them besides truckers any longer. New handhelds go for about $80. Battery powered. Base stations run the same price range but are not battery powered.

Also, demand a refund for the time any service, like cable, was down. I expect this will become quite a kerfuffle.


Monday, September 26, 2022

Do we live in a simulation?

Nah, really. Read this first ...

Do we live in a simulation? Here's why we may never know. (msn.com)

Pretty radical idea. But not really.

First of all, there is some pretty compelling 'evidence' in the apparent quantization of many physical things, at least in theory. For some phenomena we know a lot (electron states) and for others we know little (entanglement).

Simulations, at least as we know them, are digital and ruled by mathematics. Physics, essentially, is ruled by what can and cannot be. Things that cannot be proven to be impossible are therefore possible.

Now here comes the interesting problem, at least in my mind. Many people believe in a God or Spirit of some sort. I am that way also but more Universalist. Is that not possibly a translation of a longing for the programmer of the simulation?

Now before I get into the metaphysical, let me drop one more bombshell. Maybe the illusion of self and reality that each of us has (even animals and plants) constitutes the many worlds? Perhaps this is how the simulation works out?

Now this is of course just conjecture. But an interesting thought experiment. Is such a thing possible to know, and so what?


Saturday, September 24, 2022

I see a bad Moon rising ...

Hi all. We are 3 days from a hurricane that may, or may not, be really nasty.

The real bad scenario of security is when something goes wrong and you do not know what to do and it keeps getting worse. This was the case at Chernobyl and Three Mile Island. Interestingly, both were blamed on a control interface that was too complex for humans to handle.

I mean, part of the idea of security is to have secure systems that are very difficult to mess up.

So, this upcoming hurricane leaves us with something of an opportunity.

I am from Pennsylvania. The worst that can happen there is a bad snow storm every 3-4 years. Worse if you live in the mountains like I did. But 3/4 of the year it is not good for being out riding a motorcycle, so Suzi and I decided to move to tropical SW Florida, where one can ride 9/10 of the year. It's a plan!

OK, back to security. Friends would joke about hurricanes to me. I would laugh it off. I had come down in 2005 just in time to rent a Harley in Orlando and ride in the beginnings of Hurricane Charley in '05. Admittedly I hated it, but I was single, unhappy, and willing to ride the edge.

But we figured, all in all, it would be best for us. I LOVE warm, and HOT? I don't LOVE it, but I LIKE it.

The Gulf is really peaceful, although ironically I cannot get in it. More specifically, I cannot get out of it, due to my deteriorated lower back. LOL

So, security - you know a potential disaster, one documented many times, is coming. You know the time frame. Your data is 'spaghetti models', which are inaccurate but overall a hell of a lot better than nothing, and better as time diminishes.

The answer, given everything we know, is to evacuate. But that is not possible.

So first, stay informed. A few of you MAY have to evacuate. Have a plan for that; put important papers and such on the cloud. Have an SSD backup. Take your laptop with you. Unplug everything else!!! Take battery backups for phones. Have a special box with papers, IDs, ammo, whatever is needed.

If you have a pet, be sure to take care of them. Food, leash, muzzle, water bowl, etc. Most animals do really well for a few days. And have some idea where to go. Believe it or not, there are a few instances where one in my position (Rotonda) will have the best chances by going south.

BTW - treat this like a camping trip, although you may be camping in your vehicle. If you have to, find a safe place for the night. There will likely be others there. Do not waste gasoline. Share info from battery phones. Don't be a jerk; there will be a lot of scared people with families.

Point is - we now have the ability to create scenarios and evaluate them. You bet your arse the govt. is doing this. I would. Help each other! Cooperate. I do not want to evac, but will if ordered to. But I will take my pets.

We are cleaning the house/yard and taking lots of pictures just in case they are needed for insurance. Murphy's law says that the more we prepare for disaster, the less likely disaster is to strike.

So to conclude, this is exactly what every security analyst should do. Run the scenarios. Assume different starting variables from worst to best. Know what you will do ahead of time. Revise your plan as data changes. A hurricane is a lovely example of a natural disaster that can absolutely decimate a company's IT infrastructure.

Monday, September 19, 2022

Rise of the Help Desk - 70s through 90s

I would always tell my students that the best kind of training they can get is by working at an IT help desk. Most of us have bad memories from interacting with a Help Desk. I understand that, because Customer Resource Managers (CRM), otherwise known as "press 1 for ...", are universally disdained.

I first encountered a small Help Desk at Penn State, where visionaries such as Bill Verity were hired as systems analysts to help faculty and graduate students use the computing resources on the IBM mainframes. Those old guard, Bill, Dan Bernitt, Chet Smith and others, came from various disciplines. It was a time full of potential.

When I worked at Pitt's Computer Center from '76 to '83, the latter part of that as a manager, they were also mainframe based, and everyone had to put in 1 or 2 days a week at the User Consultant desk at Old Engineering Hall on the Oakland campus. Those were fun times, as I would get a sausage dog at the Original. I spent a lot of my youth in Oakland.

The Help Desk was an amazing training ground. One had to be aware of a broad range of things, not only programming.

Saturday, September 17, 2022

What do you do if there is widespread cyber-warfare?

In 2015, Dr Pete Forster and I developed a class for the MS Program in Homeland Security tentatively named SRA-404. It was focused on cyber-espionage and cyber-warfare. It was one of the first classes of its kind. Pete is an expert on the political and espionage scene. My expertise was in the technology of cyber crime, espionage and warfare.

One of the bigger things, IMHO, to come out of the class was an exercise on what to do if this happens or how to prepare. In this posting I present the suggestions. I cannot say they are complete. A lot depends on specifics.

Direct attacks.

By these I mean worms, viruses, and such. They could conceivably be deployed for activation later. Mainly we are talking about home and small-business systems. Of course you have good anti-virus and firewall protection. Make sure you have backups stored on non-electronic media - such as CD or DVD. A low nuke could put off an EMP and potentially fry solid-state or magtape backups. If you have access to a safe or Faraday cage, use it for your backups. I bought a home safe and a home UPS for under $200. I also have multiple backups on CD and DVD (also SSD), all of which goes in the safe with my pistols.
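One thing worth adding to the backup advice above is a way to tell, later, whether a given CD, DVD or SSD copy still matches what was written to it. This added example (not code from the post) builds a SHA-256 manifest at backup time, which can be printed and kept with the papers in the safe, and then compares any copy against it; the file paths and contents are constructed samples.

```python
from __future__ import annotations
import hashlib
import os


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each relative path to the SHA-256 of its contents (sorted for a stable printout)."""
    return {path: sha256_hex(data) for path, data in sorted(files.items())}


def verify_copy(manifest: dict[str, str], files: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare one backup copy against the manifest: what is missing, what changed, what is extra."""
    missing = [p for p in manifest if p not in files]
    changed = [p for p in manifest if p in files and sha256_hex(files[p]) != manifest[p]]
    extra = [p for p in files if p not in manifest]
    return {"missing": missing, "changed": changed, "extra": extra}


def read_tree(root: str) -> dict[str, bytes]:
    """Load a real directory (e.g. a mounted DVD) into the same path -> bytes shape."""
    out: dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = fh.read()
    return out


# Constructed sample: what was written, a good DVD copy, and an SSD copy that lost a file
# and has one flipped byte.
ORIGINAL = {"ids/passport.pdf": b"passport-scan", "bills/insurance.txt": b"policy 123"}
MANIFEST = build_manifest(ORIGINAL)
DVD_COPY = dict(ORIGINAL)
SSD_COPY = {"ids/passport.pdf": b"passport-sc\x00n"}

if __name__ == "__main__":
    for path, digest in MANIFEST.items():
        print(f"{digest}  {path}")          # this is the printout to keep in the safe
    print("DVD:", verify_copy(MANIFEST, DVD_COPY))
    print("SSD:", verify_copy(MANIFEST, SSD_COPY))
```

For a real copy, `verify_copy(MANIFEST, read_tree("/path/to/mounted/copy"))` does the same check against the mounted medium.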

Attacks on servers and networks

I would create a doc with all of your PWs and IDs on it and print that a few times. Also maybe encrypt it and put it somewhere on the cloud. Having encrypted docs on the cloud is great if you know what you are doing. I will post more about that later.

Do not expect that any of your online services will be working under a cyberattack. Therefore have a backup plan for paying bills, etc. In the old days we used to write checks. I would also keep about $2K in cash (20s) just in case. Should hold you over for a week or more.

Now the bad stuff. I learned a lot living in a hurricane zone. Prepare as if a disaster were coming. Especially your meds, water, canned food, peanut butter, etc. In PA we had the occasional blackout during a blizzard. We used a wood stove to stay warm.

I am not suggesting becoming a survivalist, but the potential for damage from a cyberattack is too great to ignore. And BTW, a cyberattack can come from the Sun as well. More on that later.

Friday, September 16, 2022

Relaunching the Blog

Hi Yinz'all,

I am gonna try re-launching my blog, but with a slight twist from the traditional science/security blog.

Yeah, it will have some of that. It will also have some of the memories of a city kid who followed his dreams and became a scientist.

But I refer you to the following:

Apple Steve Jobs Heres To The Crazy Ones - YouTube

The stories I tell will be mostly true, as true as I can remember them. But I will NOT say anything bad about anyone. Not my place. Watch for a few posts each week.

gerry