Quae nocent, saepe docent. Lair: /leər/ a place where certain kinds of wild animals live. The views expressed on this blog are mine alone and do not necessarily reflect the views of my employer.
Many, many years ago, when I was self-employed, I came up with the idea to provide personal computer training to busy executives - these folks often don't know how to use Office programs and are too embarrassed to ask their admins for help and are too busy (or embarrassed) to attend a traditional corporate training class. I figured a customized one-on-one session would be ideal.
I just couldn't figure out how to market it. "Discreet, private instruction" made it sound like I was going to show up in black leather with a whip. I could have gotten paid more for that, I'm sure.
Thus was born the concept of "Mistress Karla, Computrix", for "a disciplined computer experience".
No, I didn't really do that. It would have been fun, I admit, to thwack someone across the knuckles when they misbehaved in, say, Outlook: "NO! You do NOT put everyone's name in the To section! Use BCC! [Swak!]"
Anyhow, when it came time to create an infosec-focused blog I revived the domain I purchased years ago (I purchase domains when I have ideas...) and here we are. There are older entries for now, from another project, and since I hate tying myself down (just others 😏) I can't promise any sort of regular updates. Posts will happen when I feel like it.
Update: I now have a Latin phrase, "Quae nocent, saepe docent." (look it up 😎)
I'm likely rare among higher education faculty in that I don't take off points for late work and I allow students to make up assignments if something has happened in their lives and they've missed class. There are a few philosophical reasons behind this (one of them being my ubiquitous "they need to be safe to work at my bank/hospital/utility/school/defense contractor, etc." - and if they don't practice the thing I can't guarantee they'll be safe), but there's one very concrete reason: I'm paying it forward.
You see, when I was an undergraduate (in the previous century) I had a health event that resulted in missing classes for two weeks. It hadn't occurred to me when the health event started to contact my professors/teaching assistants (I was 20 and this was a big state school and we didn't have student email back then), but after it was over I did go and see each one of them in person to ask whether I could make up the assignments.
They all said "yes". All five. And I ended up getting all "A"s that term (I believe that was the only term I got all "A"s - I used Acceptance as a risk management strategy a lot before I knew that it had a name...) I will always be grateful to those folks for allowing me to make up the work. I have led a charmed life.
So, I pay it forward. And I'll keep paying it forward.
Twitter is going through some stuff, as is said. Frankly, I'm not sure that stuff makes it sustainable in the long run, and as I've said in other places, I have reevaluated how much time I waste on social media. So, I have locked my Twitter account and created a Mastodon account. I'm not promising to be that active on Mastodon - because I try to not promise anything and because I don't know how useful Mastodon will be. I have set up my Mastodon to require my permission to follow me, because what sort of Computrix would I be if I didn't require folks to ask for permission? 😏
I am not the biggest hashtag user - I find them about as annoying and distracting as in-text APA citations - but I will attempt to use them on the toot...no, I can't say it. Posts. The posts. I will continue the tradition of posting classical music pieces I enjoy in addition to cybersecurity and ethics - again, when I'm in the mood - no promises.
Update: First, a sort of backstory. My undergraduate degree is in psychology. I got a BA because that was perceived to be the harder degree back then because it had a language requirement (although I have forgotten more Spanish than I learned). I could have had the BS because I had a bunch of lab classes - I was pre-med for my first two years - but I liked how the BA sounded harder so there it was. I did not continue on in psychology because I realized I wasn't a good fit for the culture. So, I switched to history, and then technology. Before picking up the graduate degree in cybersecurity I explored whether I wanted to look into doing clinical counseling. I took 15 graduate hours before realizing that, nope, still wasn't a good fit for the culture. Some folks are. I was/am not. It's important to know that about oneself. I've always felt like I was a good fit for technology. I am not always the best fit for "academia", but it has its moments.
So, Mastodon...I'm probably not a good fit for it. I'm keeping my account to keep track of some folks over there, but in addition to the realization that my time is better spent offline than online I have realized that my personality is not suited to all the rules of Mastodon. It feels like an HOA, frankly. I can't say that it's because I'm too old, because I've always been this way. I'm not HOA; I've never been HOA.
Blogging seems better for me (and Tumblr for my non-work musings).
Today I present the story of Lord Armey, Lady Penelope, and Lady Penelope’s sister, Lady Maleficent, along with Countess Katerina, a Russian émigré bookstore proprietor whose shop is visited frequently by both Lord Armey and Lady Penelope.
Lord Armey, Viscount Huddleston, is desperately in love with the daughter of the Duke of Pemberly, Lady Penelope, who returns his affections. Their families, though, have been waging a feud for hundreds of years. Were Lord Armey to show up on the Duke of Pemberley’s doorstep asking to pay his addresses to Lady Penelope, assuming he wasn’t shot on sight, he would not be admitted to the house. Needless to say, any letters he might send would be intercepted, read, and discarded. Lady Penelope’s correspondence is likewise monitored. The only way for Lord Armey and Lady Penelope to communicate and ultimately plan their elopement, then, is in secret. They need to find a way to get messages to and from each other without the Duke of Pemberly, or his other daughter, Lady Penelope’s viciously jealous sister, Lady Maleficent, reading the messages and foiling the couple’s plans.
Lord Armey and Lady Penelope are huge admirers of the Russian author Leo Tolstoy. In fact, they initially met at the bookstore of Countess Katerina, a Russian émigré, when they were at her shop at the same time to pick up their translated copies of War and Peace and bumped into each other on the way in and out. For months afterward they would make their way to the bookstore to meet in secret and sip tea from the Countess’ samovar, but once Lady Maleficent became suspicious of her sister’s happy demeanor she started following her around town, so meeting at the bookstore wasn’t safe any longer. Sending letters to and from Lady Penelope’s house was too dangerous because of the possibility of interception. Lord Armey and Lady Penelope began to despair of how they could communicate secretly.
Countess Katerina offered to help - a woman of the world, the wife of a late diplomat, there wasn’t much she hadn’t seen in her three score and then some years and nothing scandalized her. At first the trio considered using the Countess as a mere go-between, with Lord Armey dropping off his letter for Lady Penelope at the shop and the Countess holding it there until Lady Penelope could visit to retrieve it, but then they remembered how Lady Maleficent was stalking Lady Penelope and worried she might try to bribe one of the Countess’ clerks to gain information – and a letter written in plain English was too easy for anyone who came across it to understand. Then, it came to them: Countess Katerina spoke not only traditional Russian, but also an obscure dialect learned from her grandmother who grew up in the Ninilchik region (now considered part of Alaska, belonging to the United States of America). Lord Armey would give the Countess his note for Lady Penelope, in English. The Countess would translate the letter into Ninilchik, burn Lord Armey’s original letter, and leave the translated version locked in her desk – that way if any turncoat clerks ran across the letter they would have no idea what it contained. When Lady Penelope visited the bookstore the Countess would quickly translate the Ninilchik letter back into English and give it to Lady Penelope. When Lady Penelope had written her response, the Countess followed the same process, converting the English into Ninilchik, destroying the original, and saving the translated letter for Lord Armey’s next visit. In this way, Lord Armey and Lady Penelope were able - even under the surveillance of Lady Maleficent - to plan their elopement, which was successfully conducted that Christmas, when they escaped to Gretna Green, in Scotland, and after the mandatory 21-day waiting period declared themselves married in front of the local blacksmith.
To compare this scenario to Stallings’ “Simplified Model of Symmetric Encryption”, there are five ingredients to symmetric encryption: the plaintext input is the letter in English written by Lord Armey/Lady Penelope, the secret key shared by sender and recipient is Countess Katerina’s assistance, the encryption algorithm is the Ninilchik dialect spoken/written by the Countess, the transmitted ciphertext is the Ninilchik-translated letter stored in the Countess’ desk at the shop, the decryption algorithm is the Countess taking her Ninilchik letter and turning it back into English, and the plaintext output is the letter in English read by Lady Penelope/Lord Armey.
Simply using Russian as an encryption algorithm would not have been sufficiently secure, since Russian is a known language, even if Lady Maleficent or her father weren’t fluent in it. They could have taken it to someone who was. By using the Countess’ obscure knowledge of Ninilchik, essentially a secret dialect by then, given the village’s location in the USA, the messages were secure enough from prying eyes, even if Ninilchik wasn’t a complete secret. It’s clear Lady Maleficent suspected the Countess’ bookstore, but she did not know exactly how the Countess was involved or that there was a translated letter, and the Countess’ assistance remained a secret key.
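To make the five ingredients concrete, here is an added Python example; it is not code from the original post and uses nothing the story itself supplies. It is a constructed toy cipher (an HMAC-SHA256 keystream plus an authentication tag, not a vetted cipher such as AES-GCM) in which the shared key plays the Countess's role and the algorithm is completely public, the way Russian would be. The function names exchange and intercepted_without_key, the sample letter, and the key are all my own.

```python
"""Stallings' five ingredients of symmetric encryption, as a runnable toy.

Added illustration (not the blog post's code). The cipher is constructed
from standard-library primitives: a keystream of HMAC-SHA256(key, nonce||ctr)
XORed over the plaintext, sealed with an HMAC tag. Use a vetted AEAD
(AES-GCM, ChaCha20-Poly1305) for anything real.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # per-letter random value, sent in the clear
TAG_LEN = 32     # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand the shared secret key into `length` bytes of keystream.

    Block i is HMAC-SHA256(key, nonce || i). Without the key the stream is
    unpredictable, which is what leaves the 'translated letter' opaque to a
    turncoat clerk who only sees the ciphertext.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Encryption algorithm: plaintext + key -> nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(message: bytes, key: bytes) -> bytes:
    """Decryption algorithm: verify the tag under this key, then unmask."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short to be a sealed letter")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or altered ciphertext")
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def exchange(letter: bytes, shared_key: bytes) -> dict:
    """Run one letter through the model and report the ingredients by name."""
    sealed = encrypt(letter, shared_key)
    return {
        "plaintext_input": letter,
        "secret_key": shared_key,
        "ciphertext": sealed,
        "plaintext_output": decrypt(sealed, shared_key),
    }


def intercepted_without_key(sealed: bytes, guessed_key: bytes) -> bool:
    """True only if someone holding `guessed_key` can open the sealed letter."""
    try:
        decrypt(sealed, guessed_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the couple's letter and a fresh key standing in for
    # the Countess' assistance. Neither value comes from the original post.
    key = secrets.token_bytes(32)
    result = exchange(b"Meet at Gretna Green at Christmas.", key)
    print("ciphertext:", result["ciphertext"].hex())
    print("recovered :", result["plaintext_output"].decode())
    print("readable with another key?", intercepted_without_key(result["ciphertext"], secrets.token_bytes(32)))
```

The one deliberate departure from the story is that nothing here is obscure: anyone may read the algorithm, and the letter stays private only as long as the key does. The tag check adds a second property the story leaves implicit, namely that a clerk who alters the locked-up letter is detected rather than believed.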
It's been said over and over again, when it comes to cybersecurity, "humans are the weakest link."
(Actually, that's not exactly accurate, but we'll save that conversation for a potential bonus blog entry!)
It's easy for me to burn through podcast episodes. I gobble down CYBER, Darknet Diaries, Malicious Life, and Hackable? as quickly as new episodes are released. Adam Grant, Gretchen Rubin, Derek Thompson, and some other folks keep the non-cybersecurity part of my brain occupied, but I felt like I needed to find another cybersecurity podcast to get addicted to and add to the stable. There are plenty of cybersecurity business-related podcasts out there, and I know that side of cybersecurity is important, but, well, I subscribe to them and then never listen after trying an episode...and...I just want something that has more storytelling involved (see the previous blog entry "It Was a Dark and Stormy Night"). I like danger and excitement and fear. I also felt like my current lineup didn't include enough social engineering, which is how I got interested in cybersecurity to begin with.
Hacking Humans is a weekly podcast (new episodes drop every Thursday) by The CyberWire, an independent cybersecurity news site that is sponsored by seemingly every security vendor known to humankind. That said, CyberWire does seem to be maintaining their editorial independence. At least they are very open about the sponsorship. The primary sponsor for the Hacking Humans podcast is the security awareness training company KnowBe4 - you will soon memorize all their ads and the jingles.
The hosts for Hacking Humans are Dave Bittner and Joe Carrigan. Dave works for CyberWire and Joe is involved with the Johns Hopkins Information Security Institute as a senior security engineer. For anyone unfamiliar with Johns Hopkins University, here is their library:
I've been there. It's in Baltimore. It looks exactly like that. One feels smart just standing in it.
Dave and Joe both have pleasant voices, which we know is key for me. The hosts don't tell stories, exactly - the format is more like a morning talk show - the kind where two or three guys tackle sports, for instance - but instead of sports it's cybersecurity. Their banter is very engaging. When I had satellite radio activated in my car I would listen to the talk shows on the POTUS channel, such as Julie Mason and Michael Smerconish, and Hacking Humans has that feel.
The episodes typically begin with a listener email/letter, which the hosts discuss, followed by some headline news, which always contain some basic explanations of security concepts that arise in the news item. They don't talk down to anyone but they aren't talking over folks' heads, either. They explain how social engineering attacks are working without using Cialdini words like "scarcity". The hosts take turns telling the stories. My favorite segment is what they call "Catch of the Day" where listeners send in phishing examples and the hosts discuss how to tell the example is a phish. There seem to be a lot of scammers who like to portray themselves as military service women (quite badly). The hosts continue the episode with a guest interview and then discuss between themselves after the interview is over.
I definitely feel like I've learned something (or reinforced something) after listening. The cyber insurance episode stands out as one that I felt I needed to recommend to friends who are in cybersecurity. Business Email Compromise (BEC) isn't typically covered by cyber insurance because that's a fraud situation. Cyber insurance covers hacking - although I (and the hosts) think a case could be made that BEC is hacking humans. Theft of intellectual property is also not typically covered by cyber insurance because it's an intangible. Cyber insurance is a type of SLA, really, so have lawyers ready to go through every line.
The podcast is available through nearly every podcast avenue there is, including their website. They provide a transcript, so you can listen without having to worry about taking notes.
The latest episode, #50, "People aren't perfectly rational", features research from Elissa Redmiles, who does some really interesting work connecting social sciences and behavioral economics with security and privacy (check out her article about why users don't install updates). At one point she noted, "we often as security professionals don't make particularly economically backed tradeoffs when we're thinking about asking people to do security. So we're sort of asking people to do a never-ending list of things without archiving old ones or measuring exactly how much this new behavior is going to help someone. So eventually users become overwhelmed, and then they just try to pick between behaviors on their own, which they may not be very well-equipped to do." She backed that up with research in line with the latest NIST 800-63-3 recommendations to only require password changes in the event of a breach. Elissa has discovered that enforcing password changes on a schedule leads to users re-using passwords across sites, which is worse than having the same password for a year. She also discussed some findings about motivations for using two-factor authentication and the folly of telling users to not click on links. I was eating this up because I love behavioral economics!
Hacking Humans has been renewed for a second season so I will be able to continue to feed my brain with social engineering podcast episodes!
Anyone who has either studied or works with technology knows the drill, "hey, can you fix my computer/phone/tablet/alien healing machine?" I once had a t-shirt from a Microsoft conference that said, "No, I will not fix your computer". That wasn't entirely true because goodness knows I've fixed a number of computers/phones/tablets/alien healing machines in my day. I've fixed systems for the young and the not-so-young. I had to chuckle when I was helping an older man (over 75) whose "neighbor" had used his computer and ended up getting adult content on the system, along with some annoying spyware. I told him to not let his "neighbor" browse for that sort of content on his laptop because malicious stuff hangs out on those sites. I felt bad because the man's daughter was non-technical and his granddaughter wasn't old enough to be of use yet. I have even helped out office workers at medical facilities figure out what was wrong with their computer (maybe I need to obfuscate my profession when filling out documentation). Twitter abounds with tales of woe of computer science students who are called upon to fix computers.
Of course, I am tech support for my mother, and was even tech support when my father was alive, as well. Back in 2003 I remember him calling me up to ask what this "wiffy" thing was that he kept seeing everywhere. I told him I needed more context. "It's on the door at Panera and Starbucks." Ah, I thought. "Wi-Fi. It's free Internet service." Since they didn't have laptops, and phones didn't use Wi-Fi back then, it didn't come up again, but "wiffy" stuck as a term and it's what my family uses to discuss Wi-Fi. If someone doesn't know the story they think I'm an idiot, of course, the way we snicker when we hear someone call an older operating system Dee-Ohh-Ess (DOS) or refer to a server-side web programming platform as though it were a snake (ASP). To be fair, initialisms are difficult and those examples are opposites.
(I wonder if other families have an insider language, such as when my husband and I use "defiantly" to mean "definitely" - we got tired of seeing "definitely" spelled as "defiantly" in numerous social media comments. Instead of "possibly" we say "possumably" and I put paramecium cheese on my pasta. If folks don't know that's on porpoise... ;-)
So, anyhow, our parents brought us into the world, did not kill us during our teen years, and may have assisted in educational expenses, so I figure we do owe them free tech support. With parents there is a quid-pro-quo that goes on and I don't feel an imbalance. One gets compensated in some fashion.
80% of all troubleshooting is cable-related.
Things change when it's not parents. I'm sure you all have heard the stories of people who are starting any sort of business and are asked by friends or more distant family members to do something for free. My husband was telling me about a photographer in his cycling group who was asked to shoot a wedding for free. An acquaintance who runs a service to coach event planning was asked to provide the service free to a friend and her entire bridal party (hmmm...there is a trend developing there....) I know of graphic designers who are asked to design logos for free, in order to get a job or project. They have a name for that in their profession: spec work, short for speculative work. The client asks for a sample or runs a contest, but the presumption is the sample is a complete design. The designer submits the work to the client who takes it, doesn't offer the job, and runs off with a free design. There is a No Spec movement among designers, in fact.
Here is a parody video that highlights how clients can de-value consultants:
(My advice when dealing with friends or family who are artisans: ask them how much their rate is. If they wish to offer a friends and family discount that is their cue to do so but do not expect one.)
Cybersecurity professionals are not immune from this scourge. I wish I had captured the tweet when I saw it, but a young cybersecurity professional was asking for advice on how to tell her uncle that she wasn't going to set up security for his small business for free. It was that tweet that inspired this blog post. What we do has value and if we give it away for free others will not value it.
Another way of looking at free work is to call it unpaid work. Traditional examples of unpaid work include domestic labor (cooking, cleaning, laundry, childcare, elder care, etc.) but also tidying up at the office, taking notes, and planning parties. These services have a cost to them and it can be figured out by calculating how much someone would have to be paid to do them if there weren't a volunteer around doing them. Free or unpaid work is often viewed as low status and the people performing the work are viewed as low status, as well. This is particularly the case with women.
From a purely practical standpoint, if one gives away one's services for free one has no money to live on and can end up living in a van, down by the river, or worse.
Despite knowing that free/unpaid work is not in your best interest, if an uncle or a cousin or a parent's old college friend needs cybersecurity consulting and asks or hints that you should do that for free that is going to be an uncomfortable situation. Fortunately, other professionals have been through this and have advice:
Some of you might be wondering at this point, "what about pro bono work?" That is an excellent point! There is, in fact, a difference between giving your labor away for free, which could be called volunteering, and pro bono work. Pro bono - "for the public good" - work is often associated with attorneys, as the American Bar Association encourages attorneys to do 50 hours of pro bono work a year and some states require evidence of pro bono work to maintain licenses. One does not need to be a lawyer to offer pro bono services, but the person must be offering professional services for which they would otherwise be paid. Pro bono services can be offered without charge or at a reduced charge, but documentation must be kept under generally accepted accounting principles (GAAP) to be considered as a business tax deduction. The language used with the recipient is important; emphasize you are doing pro bono work and provide an invoice showing the cost of your services. There is a formal pro bono program set up for providing cybersecurity to nonprofit organizations through the Crowdstrike Foundation.
Helping others is an important part of being a human. We want to make the world a better place. We need to make sure, though, that we don't kill the goose that lays the golden eggs. If we give cybersecurity services away without emphasizing their value - their economic value - society will not respect those cybersecurity services properly.
"It was a dark and stormy night; the rain fell in torrents — except at occasional intervals, when it was checked by a violent gust of wind which swept up the streets (for it is in London that our scene lies), rattling along the housetops, and fiercely agitating the scanty flame of the lamps that struggled against the darkness." - Edward Bulwer-Lytton, Paul Clifford (1830)
I love a good story. Now, I've never read Paul Clifford, but that opening line does make me wonder what sort of gothic tale awaits me were I to set aside the time. It has a favorable rating on Goodreads - apparently it's a tale about a highwayman!
I'm presuming my audience is mostly male, because statistics, so it follows that when you see "highwayman" you will, like my husband, picture this:
(this was discovered when I suggested "highwayman" as a Halloween costume)
Most women know that "highwayman" is more like this:
Like the man in the Loreena McKennitt song:
"He'd a french cocked hat at his forehead A bunch of lace at his chin A coat of claret velvet And breeches of brown doe-skin They fitted with nary a wrinkle His boots were up to the thigh And he rode with a jeweled twinkle His pistol butts a-twinkle His rapier hilt a-twinkle Under the jeweled sky"
Ah, yes, a highwayman...
(spoiler: it doesn't end well for the highwayman)
I not only love a good story, I love a good procedural crime story. I don't watch TV as a rule, but if you sit me down in front of any of the Law & Order shows I will have to watch them to the end. It doesn't matter to me if I know how a story ends; it's the story itself I find engaging - the journey, as it were. (I actually read spoilers before I go to movies so I can relax and enjoy the story.) Storytelling is not only an excellent form of entertainment; an enjoyable story can help us remember things. Stories aid learning because hearing stories lights up areas of the brain in a way that PowerPoint just can't. So, it's no wonder that the podcasts I enjoy the most tend to feature storytelling. (If you remember my earlier entries to this blog, I'm a huge fan of podcasts, not only for when I'm driving but also folding laundry and getting ready.)
I came to this realization about the storytelling podcasts upon reading an op-ed in the Washington Post written by a fellow who doesn't care for podcasts: "I think they’re tedious and samey and sedative". The author's point was more about music and sound quality, but as I was reading his examples I mentally went through the sorts of podcasts I listen to. A few of them are the conversational type (Happier by Gretchen Rubin, Happier in Hollywood by Gretchen's sister and her writing partner, etc.) and I find those well-produced and interesting enough. A few of the cybersecurity podcasts, such as the Motherboard CYBER one I reviewed earlier, feature interviews. If the content is interesting and the voices don't annoy me I will keep listening. But, the ones I binge listen like rats in drug studies are the storytelling ones - the ones that have suspense and action and a satisfying conclusion. The top two are Darknet Diaries hosted by Jack Rhysider (probably not his real name, but it could be) and Malicious Life hosted by Ran Levi. Both podcasts are widely available on a variety of streaming or listening platforms, or one can visit their sites, which also contain supporting resources. Malicious Life has transcripts on their website, too, so if you need to go back and check on something you won't have to re-listen. Rhysider and Levi both have real-world cybersecurity experience in addition to being skilled storytellers.
Now, I wasn't unsympathetic to the points about sound quality from the anti-podcast op-ed author I mentioned above, although my sticking points with podcasts tend to be the presenter's voices and not production quality. I'm happy to report that Rhysider and Levi are both quite charming to listen to. Rhysider has the drama club voice, but without trying too hard, and Levi has a pleasing accent (he's Israeli). So, in addition to having engaging content, told in a manner that lights up my brain, my ears are happy, too.
The content of both podcasts is centered around cybercrime stories - Darknet Diaries has the tagline, "True stories from the dark side of the Internet". In some stories I knew before listening how they end, or at least whodunnit, but as I indicated above, knowing how something ends has never dimmed my excitement for the story itself. I can't say that I generally have sympathy for cybercriminals the way I might romanticize an 18th century highwayman (I will admit I'd like to high-five the folks who wrote Stuxnet...) but I can abstractly admire the cleverness and the cat-and-mouse nature of cybercrime while lamenting any damage done to individuals (I am unequivocally horrified by the Equifax hackers, I'll note - although the Equifax "leadership" at the time of the hack is equally villainous in my opinion). There was one episode, though, of Malicious Life - on DeCSS - where I was all in with the highwayman, but that comes from my philosophical stance on "intellectual property" and my strong dislike of the term "piracy" being applied to anything that doesn't involve the high seas and bad folks with weapons. I also felt a kinship with Manfred, the video game hacker from Darknet Diaries. If there weren't others out there like me, who like to hear stories about crime, I doubt it would be such a lucrative market for TV and movies. It's frankly just more fun to hear about when things went wrong rather than a how-to on setting up security controls properly - not that how to set up security controls properly isn't important, but when you hear a famous penetration tester - @TinkerSec - talking about how he [tries to] break into a company, the security controls take on a new meaning; they have context.
Outside of possibly getting CPE credits for listening to podcasts, why should someone in cybersecurity spend their time listening to these two, particularly out of all the other cybersecurity podcasts out there? These podcasts not only tell older stories - such as the Morris Worm episodes - that are important to know for background and context, but also new ones. Darknet Diaries interviewed Hacker Giraffe pretty much right after that happened. You're not going to get breaking news from these two, but you will get thoughtful, well-researched analysis of cybercrime events relayed in a riveting presentation. If the formula for storytelling involves something along the lines of "put your character in a tree, set the tree on fire, get your character safely down" they are following this formula. There are ways to tell these cybercrime stories without the suspense of what will happen to the character in the tree on fire but they generally involve PowerPoint. Because of the storytelling aspect you will remember more of the stories - and not only the stories, but the cybersecurity technologies and issues that have starring or co-starring roles in the stories. You will feel the anxiety of the government intelligence agents who realize their expensive espionage malware implant might be discovered and lead to a diplomatic incident (not to mention have everything you learned about social engineering validated). If these podcasts were books you'd be turning the pages, waiting to see what happens next. No one eagerly clicks the next PowerPoint slide. If content is engaging it's more likely to be consumed. You can queue up all the cybersecurity podcasts out there and have the best intentions of listening to them, but unless you actually listen and pay attention, they aren't much good sitting in the queue. I'm not saying Darknet Diaries and Malicious Life are the dessert of the cybersecurity podcast world, because they contain an overwhelmingly useful amount of brain nutrition.
They aren't comfort food, either (that would be Happier). They are perhaps the meal that is both tasty and nutritious: filet mignon coated with an almond and shallot mix with a side of steamed broccoli. You look forward to consuming it and feel virtuous and satisfied afterward.
I had a bad case of the willies recently. Actually, it was a more or less sustained case of the willies. I work in a building that has a lot of glass. Surprisingly for someone who has a Tumblr devoted to tornadoes, volcanoes, and hurricanes it wasn't inclement weather I worried about. No, it was an active shooter fear: I worried that one of our customers or even just a random want-to-watch-the-world-burn individual would come shoot up the office (I occasionally wonder which of my colleagues is most likely to go postal but I haven't seen anything that bothered me). Our office phones have a floating display of what number to call in an active shooter scenario, so every time I look at my phone (or someone else's) I'm reminded of it. It was getting so bad that I took about any excuse to work from home that I could (the weather certainly helped out there). I talked to a retired military colleague about it who advised planning as a strategy. I've seen all the videos and figured out quickly that in a building of glass running, not hiding, was my best bet, but I still felt apprehensive. Another colleague suggested that I read a couple of books: Gavin de Becker's The Gift of Fear, and Ben Sherwood's The Survivor's Club. I initially thought these books were part of the Cybersecurity Canon, but it turns out they aren't, although they are recommended reading for anyone in a security field because of their focus not only on physical security but also threat modeling on a personal level.
I requested them both from the public library. The Gift of Fear (TGOF) arrived first. I was unfamiliar with the author until I saw an article about Jeff Bezos' security investigator and realized he was the author of the book. I have to admit the Bezos background story added some glamour and intrigue so I started reading TGOF eagerly. Here is my cat posing with them:
I will pause here to note that reading TGOF while traveling alone on business to a strange city is not the best idea. There is a huge focus on vulnerable women.
TGOF opens with a harrowing story of a rape and near murder, by someone who had murdered previously. That's an attention-grabbing start. Because of my business trip obligations I couldn't stay up all night reading the book, but it seemed to be the sort of book one wanted to do that with. I picked it up again on the trip back, but, let's be realistic here: my ratio of awake/asleep time on plane flights is 10/90 (this despite numerous viewings of plane crash investigation programs...which I will return to discussing shortly). I ended up having a free weekend shortly after and dug into the book with relish, figuring I'd knock the rest of it out quickly.
...except that I realized I didn't really like the book past the riveting opening.
Several TED-Talkish people (Adam Grant, Daniel Pink, Gretchen Rubin, etc.) recommend that one stop reading a book when one realizes one doesn't like the book. There's no law that says one has to finish a book one starts. Lifehacker even has an article about it: https://lifehacker.com/quit-more-books-1822969347 Normally, I would take their advice; I don't like to fall for the Sunk Cost Fallacy. But, in this case, I didn't want to let my friend down - he seemed to love the book so much - he's recommended it several times, in fact - and I figured I must be being too picky and had to figure out a way to get through the book. I tried again. Nope. De Becker came across to me as a monster ego-beast. Yes, I know he has experience. I don't doubt that. It was just so annoying to keep reading about how much he loved himself and how awesome he was. That's not what I was expecting. I wanted to know how to deal with my fear of active shooters. I started jumping ahead to find the useful parts. There are useful parts, but they are obscured in the self-serving prose.
I began to wonder whether it was just me. As I mentioned in an earlier blog entry I'm sensitive to "trying too hard". I checked out Goodreads, a book review site, to see what others thought. Most of the reviews were very positive. I did, however, find some reviews that echoed my thoughts: "Parts of this book were helpful. But I could SO do without all of his egotistical grandstanding", "blatant self-promotion", "digging out the interesting bits between all the clutter and self-promotion feels like a chore", and "The Gift of Fear is impossibly repetitive. It is disorganized, badly edited, and mainly serves as a pedestal on which Gavin de Becker can place himself for the rest of us to admire." It wasn't just me. It's a style thing. I don't care for his style.
My verdict? TGOF is a famous book and cybersecurity professionals should be familiar with it, so at least read some spoilers. The main message is to trust one's Spidey-senses. I'm someone whose Spidey-senses have saved them in the past, more than once. I'm what is called "disagreeable," to boot, so I'm unlikely to allow a stranger to take advantage of me because that's just not how I'm drawn. Another message, though, is to not manufacture fear, and if one feels fear, to figure out why it's there. De Becker thinks that worrying about everything is a waste of energy and many people worry for no reason. Perhaps that's the message my friend was trying to get me to see: in the absence of an actual negative customer situation the likelihood of an active shooter scenario at work is low. Intellectually I know that I'm more likely to die on the commute to and from the office than at the office. This may be another area of disagreement with de Becker, who is quite anti-worry. I am a worrier by nature: after reading about a tragic accident involving an overturned cement truck I cannot be around them now. My manner is called Defensive Pessimism and it means that I'm prepared for everything bad to happen and spend a great deal of my life pleasantly surprised. I can't change the way I am and one day my way of being will save the galaxy. I need to spend time after coming up with all the threats prioritizing what to do about the threats, though.
After my less than positive experience with TGOF I was worried (see what I did there? ;-) about The Survivors Club (TSC). But, blog posts need to be written, so I picked it up (also I'm on my last renewal of the books so I had to just do it). Defensive Pessimism to the rescue! I was pleasantly surprised! I wanted to stay up all night reading TSC and while I was unable to again (pesky real life obligations) the impulse has persisted. I've determined that I liked Sherwood's style better. He's a journalist, so writing is his craft. He knows how to tell a story without getting himself in the way - although his opening story about qualifying for survivor status in an aviation survival training center exercise started ringing the self-serving bells. Mercifully, that part was over quickly and he moved on to others' stories - which are good stories. (I really shouldn't be sleeping on planes, at least during takeoff and landing.)
TSC has three rules for the club: everyone is a survivor, you can't compare your crisis to someone else's, and people are stronger than they realize. The first half of the book is about what it takes to survive and the second half presumes one knows one's survivor type (a new book comes with a code, but I was reading a library book with a code long used - I tried to find a free version of the quiz and all the leads came up dry. Given that the book was popular a decade ago that should not be surprising.) Based on reading the descriptions I'm mostly a Thinker, with a splash of Realist. Adaptability, intelligence, and ingenuity are my top strengths, although Instinct is probably up there, too. (Interestingly, the two books converge when Sherwood is discussing Instinct as a psychological strength: Sherwood invokes TGOF and its discussion of intuition.)
Upon figuring that I'm a Thinker I remembered a wonderful movie from the 1990s called The Edge. It starred Anthony Hopkins and Alec Baldwin. Their plane crashed in the Alaskan wilderness and they had to survive. A bear was chasing them. At one point early in the movie Anthony Hopkins' character is seen reading a survival book. I didn't remember after the movie what the name of the book was (and it seems from this discussion that the book was fictional, anyhow), but I found something similar at a bookstore and carried it with me on every plane flight I took after that. (I do count how many rows until the exits and never take my shoes off.) Here is my cat posing with it, and another book I keep in my post-apocalyptic bag (I believe the proper name is "Ready Bag," but I prefer my more colorful terminology):
After the characters' plane crashes and before the bear starts chasing them there's a scene where Hopkins notes why people die in the wilderness (his book is lost in the plane crash, by the way):
"You know, I once read an interesting book which said that, uh, most people lost in the wilds, they, they die of shame....Yeah, see, they die of shame. 'What did I do wrong? How could I have gotten myself into this?' And so they sit there and they... die. Because they didn't do the one thing that would saved their lives: Thinking."
There is so much of TSC in that one quotation. (Well, for Thinkers, anyhow ;-) If one has time for only one of the books I suggest Sherwood's, because I find more actionable advice with real-world applicability.
We hope that our cybersecurity tasks don't involve thwarting a literal bear but there are metaphorical bears, including a nation-state variety. The concepts in both books apply to security generally and can be applied to cybersecurity specifically. Incidents happen and how one responds to them is likely the same way one responds to bears. Likewise, it's important to listen to one's intuition about threats, particularly in a human factors sense. Check the badge, ask for the ID, don't let someone tailgate in, decline to click on the free lunch email link.
I'm sad to say neither book made the active shooter concerns go away, but I realized they ebb and flow. They're a dull roar right now and other concerns are busy screeching in my ear - like this blog entry ;-)
CYBER, a cybersecurity podcast produced by the Canadian-founded media organization VICE through its technology-focused Motherboard division, launched in November of 2018. There have been 16 full podcast episodes. They average 30 minutes in length, some shorter and some longer. They aren’t long enough for my full hour-long commute but work well for my getting-ready routine or for when I’m doing household tasks like folding laundry or loading/unloading the dishwasher. It is hosted by Ben Makuch (sounds like Mack-coo), a security journalist with Motherboard/VICE, with guest Motherboard reporters Joseph Cox and Lorenzo Franceschi-Bicchierai. It is ad-supported, but anyone who listens to podcasts is used to ads. (If you’re not a fan of Samsung maybe plug your ears during the ads.)
I discovered the podcast in January of 2019 when I was doing an Internet search for “cybersecurity podcasts”, because a friend wanted some suggestions for his 400-mile round trip to visit his daughter and was interested in learning more about cybersecurity. I found CYBER and since I appreciate the edginess of the VICE and Motherboard brand – I want to be informed, but I want to be entertained while I’m being informed – it was one of the first I sampled.
Fun trivia fact: the introduction sequence features Lex’s line from Jurassic Park, “It’s a Unix system; I know this”, which many poke fun at as an example of outrageous tech-in-entertainment-fiction, but which is based in reality. The File System Navigator (FSN) shown in the movie was an actual 3D file browser that shipped as a demo for Silicon Graphics’ IRIX.
The first episode, “SIM Hijacking and the Phone Number Scam”, frightened me the most of them all, even more than the Bounty Hunter location-tracking exposé episode. I remember what I was doing when I heard it, even: steaming dresses (for wearing, not eating). I knew on a vague level that it was possible for nefarious folks to get a mobile number transferred away to them, but when I heard Lorenzo Franceschi-Bicchierai saying “here’s the bad news: there’s very little you can do, unfortunately”, I panicked. I have a mobile number through my carrier, of course, but I try to use my Google Voice numbers when I can, both for communication and for the times when two-factor authentication (2FA) relies on text messages (SMS) instead of an authenticator app. However, there are some situations where I am forced to provide my carrier mobile number. I don’t trust my mobile carrier to do the right thing and ask whoever calls to make changes for the account passcode they are supposed to give. Beyond setting that passcode (some carriers also offer a separate port-out PIN or number lock) and moving 2FA off SMS wherever a site allows it, there is little we, as consumers, can do to protect ourselves from our mobile carriers and their employees, who are a known insider threat: a passcode only helps if the employee on the phone actually checks it. The Bounty Hunter episode went more into that, because mobile carriers were selling location data to the highest bidder. Lorenzo wrote a detailed article on SIM hijacking in the summer of 2018: https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin
"The Dark Overlord and the 9/11 Insurance Files Hack" revealed that some ransomware groups have professionalized and use contracts. (It's only a matter of time, then, until they are so busy having meetings and filling out reports that they won't have time to do actual hacking.) "Spy Versus Spy" was like a James Bond movie, which proved that true life is stranger than fiction.
My favorite episode, hands down, was “The Penetration Tester”, featuring a Walmart red teamer, Jek. It made me want to be young and unattached and starting off in security so that I could fly around the country being a physical penetration tester. What made the episode even cooler was that a few weeks before I had noticed a tweet about how a physical pentester almost got caught. I wondered as I was listening to the podcast episode whether this was the same person, and, yes, it was.
This next part will doubtless surprise my mother and anyone else who knows what my language is like when I’m driving (“well-educated sailor” covers it), but one thing I have to point out about this podcast is that it’s at least PG-13 in terms of language and often veers into what I would call R. Myself, I don’t care, because I’m listening in an environment where no one is going to notice or comment, but when I went to recommend it to an audience where I was unsure whether ears would be sensitive I started paying closer attention to the language. One should be very careful listening to this podcast at work, in the car with kids, or around sensitive grownups.
Interestingly, only one of the episodes, the PewDiePie Hacks, is marked as Explicit. The creators are Canadian, and thus have different language conventions, but I also think there’s an attempt to be more with it by using strong language. I’m reminded of when my husband’s Belgian cousins tried to impress me with their English and had a higher F-word count than a Samuel L. Jackson movie. When the podcast is playing clips from interviews or other sources, they could bleep out the F-words, for instance (which, to be fair, are the PG-13 usage where it’s an expletive and not an activity). Or, maybe I’m finally showing my age ;-)
Still, despite having to be careful about with whom I share the podcast, I do recommend adding CYBER to one’s podcast list. They know how to tell an engaging story about current and relevant cybersecurity issues, and you will want to keep listening until the end. I look forward to each new episode and have learned a lot about cybersecurity from listening.
Some of the entries for my blog will be reviews of cybersecurity-related podcasts. I’m a huge fan of podcasts because I get bored easily when doing purely physical or motor-related tasks and while I should be taking advantage of that boredom to become creative it bugs me to daydream when I can’t write things down. Also, I feel like I’ve successfully multitasked if I can catch up on news or be exposed to new thoughts while doing something mechanical. That’s the secret to multitasking, by the way: you need to pair something mindless, which is usually something physical, with something that occupies your brain. If the something physical requires attention, such as free climbing El Capitan, that’s not the time to multitask (although I’m sure there are folks who have scaled El Capitan enough that it qualifies as rote in their book). It’s nearly impossible to multitask on two mental exercises, such as reading email when your family is trying to have a conversation with you – you’re doing fast process-switching at best. Humans only have one brain to process things. Anyhow, I listen to podcasts. Lots of them.
A wrinkle in my affinity for audio delivery of content: I’m deeply sensitive to voices. If the voice isn’t right I find it very difficult to listen to the podcast. And “right” is deeply subjective. An example of when a voice wasn’t right for me is when, years ago, there was a podcast service where audio-type journalists would read print journalism stories. I miss that service, but I gather it wasn’t sustainable as a free product and it went away. I’m a voracious reader, appreciate good print journalism, and can’t get enough of it. Having these stories read to me while I was getting ready in the morning or driving saved me a lot of time. Okay, saved me time so I could spend that extra time reading more. (I’m like those bar-pressing rats in the cocaine studies when it comes to reading. My Gallup StrengthsFinder result of “Input” is highly accurate.) I had to avoid stories read by one person, though, because she was reading the news as though it were Fifty Shades of Grey. (I gather she had a rich existence otherwise narrating the audiobook versions of steamy romance novels.) Now, sometimes C-SPAN-type news could use some lively delivery, but, wow, this was over the top. I’ve had to give away perfectly good audiobooks because the narrator was too dull and monotone. Also, I know that I can’t get an audiobook that isn’t narrated by the author if I’ve heard them speak otherwise because it’s too jarring and unfamiliar. So, I’m the first to admit that I’m a difficult podcast listener. Others’ mileage may truly vary.
Dear Computrix, I’m a video game developer for a small company. We’re about to release our latest title – written and developed by a primarily female team. This is our first release. A review of the game is scheduled for next week. After hearing about #Gamergate and how women often get harassed online generally, my fellow developers and I are concerned that we are going to be assailed not only online, but for real, at home. The stories are frightening: many women are told they will be raped or killed and then their personal phone numbers and addresses are published online through social media. I was reading through Facebook today and saw a story about journalists at a non-profit news agency, ProPublica, who had to have their work email turned off because of a scam email subscription bombing attack. Our company only has one IT person and we don’t have the resources to withstand the sort of assault that ProPublica got. Up to this point no one who doesn’t already know us has paid much attention to us online. How do we keep safe, both online and at our homes? Signed, My cat won’t handle a bomb threat well.
Dear Cat,
Congratulations on your upcoming title release! I hope that your video game is well received and your justifiable fears do not come to fruition. When angry people online decide to take it to the physical world and publish personal details about their target – details not only involving phone numbers and home addresses, but also birthdates and Social Security numbers – it is called doxxing (you might see it spelled with only one x – standard spelling and grammar aren’t concerns of the Internet). The name derives from “documents” – someone who has been doxxed has had their documents released – and it is a form of information warfare. To make matters worse, the doxxing is usually accompanied by threats of violence and bodily harm. You have every right to be concerned. In the ProPublica case they had to give up their well-known work addresses and get new ones – and their organization suffered inconvenience and dread – but they luckily were not threatened in the physical realm. In the #GamerGate situation the women targeted had to leave their homes out of fear. Men get doxxed, too, but it’s more likely to happen to women. Once someone’s personal contact information is released onto the Internet it cannot be taken back. You can change phone numbers, yes, but you cannot easily move – and changing your birthdate and Social Security number is not going to happen.
One solution to avoid being doxxed is to never do anything that draws the attention of the Internet, but that isn’t a realistic course of action for anyone who has a technology-related job. There are less drastic measures you and your colleagues can take, but they should be taken before you draw any attention from the Internet. (Yes, it is horrible that I have to give this advice, but that is the world we live in now.)
First, you need to think like a doxxer: if you wanted to discover someone’s private information, how would you go about it? Google-stalk yourself and see what comes up. (This will be a depressing exercise, by the way, so make sure your cat is handy for emotional support.) I will be honest: nearly all of the private information that someone can find online cannot be erased permanently. You can make requests to some of the data brokers to remove your information, but unless you find the source of their data and rip it out, it will just keep coming back to them to aggregate. If someone owns a house the property tax records are a matter of public record and therefore the physical address is available to anyone who knows the homeowner’s name and city. It is a good idea to have a friend or family member you can stay with if you start to receive threats and you feel your safety (and that of your cat) is threatened. It’s even better if you don’t mention this friend or family member on social media. Of course, if you are seriously threatened, notify local law enforcement. Keep a log of whatever sort of harassment you receive – that could help them if it comes down to legal action.
Next, even though the physical threat is a possibility, prepare for an online threat, too. If you aren’t already using multi-factor authentication – where an account makes you enter another code before you can log in – start using it, and prefer an authenticator app over codes sent by text message, since a phone number can be hijacked. Change your passwords and have different passwords for every account. If you were using those security questions that ask “what grade school did you attend?” go through and change the answers to something random and false – but keep a record of your misinformation (a password manager’s notes field is a good place) in case you need to get into your accounts! This is especially important for any public social media accounts. You might want to consider changing your social media audience to private, so only your friends and business acquaintances have access to your posts and information. If you need to speak out publicly about something controversial on the Internet, think about using a pseudonym that could never be traced back to you. Last, it doesn’t hurt to call your utility companies and financial institutions and ask them to set a password on the account.
As far as your work email and avoiding the ProPublica email subscription bombing attack: before your game releases and any reviews are published, maybe change any known work email addresses and make sure your current contacts have the new one. Then, use a single email address for developer contact purposes; if that email address is attacked it is easy to turn it off to avoid blocking the entire system. Those who need to contact you legitimately can still do so through your new and improved and relatively secret email address. These are not perfect solutions, but if the worst case happens they can protect your company’s resources better than nothing.
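A subscription bomb is easy to recognize once you know its shape: a sudden flood of “confirm your subscription” and “welcome” mail from dozens of unrelated domains, which is exactly what drowned ProPublica’s inboxes. The following is an added example (not anything ProPublica or the Computrix’s correspondent used) of a detector a one-person IT shop could run over a mailbox export or mail-gateway log before deciding to pull the plug on an address. The sample inbox is constructed for the example, and the window and thresholds (20 confirmations from 10 or more domains inside 10 minutes) are assumptions to tune to your own traffic.

```python
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Subject words typical of mailing-list sign-up confirmations and welcome mail.
CONFIRM_RE = re.compile(
    r"\b(confirm|verify|activate|welcome|subscription|newsletter|opt[- ]?in)\b",
    re.IGNORECASE,
)

# (ISO-8601 timestamp, sender address, subject): the minimum a mail log or export gives you.
Message = Tuple[str, str, str]


def is_confirmation(subject: str) -> bool:
    """True when the subject looks like a list sign-up confirmation."""
    return CONFIRM_RE.search(subject) is not None


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def detect_subscription_bomb(
    messages: List[Message],
    window_minutes: int = 10,
    threshold: int = 20,
    min_domains: int = 10,
) -> Dict:
    """Sliding-window detector for subscription bombing.

    One confirmation is normal; twenty confirmations from ten or more unrelated
    domains inside ten minutes is not. Both conditions must hold so that a single
    chatty mailing list cannot trip the alarm on its own. Thresholds are assumptions.
    """
    window = timedelta(minutes=window_minutes)
    recent = deque()  # (time, sender domain) of confirmation mail inside the window
    result = {"triggered": False, "first_alert": None, "peak_count": 0,
              "peak_domains": 0, "domains": set()}
    for ts, sender, subject in sorted(messages, key=lambda m: m[0]):
        if not is_confirmation(subject):
            continue
        now = datetime.fromisoformat(ts)
        recent.append((now, sender_domain(sender)))
        while recent and now - recent[0][0] > window:
            recent.popleft()  # drop confirmations that have aged out of the window
        domains = {d for _, d in recent}
        result["peak_count"] = max(result["peak_count"], len(recent))
        result["peak_domains"] = max(result["peak_domains"], len(domains))
        if len(recent) >= threshold and len(domains) >= min_domains:
            if not result["triggered"]:
                result["triggered"] = True
                result["first_alert"] = ts
            result["domains"] |= domains  # candidates for a temporary filter rule
    return result


def constructed_sample() -> List[Message]:
    """Constructed inbox slice (not real mail): normal traffic, one legitimate
    confirmation, then a 40-message confirmation burst from 40 domains in four minutes."""
    normal = [
        ("2018-09-13T08:55:00", "lead@studio.test", "Build 0.9.3 is on the share"),
        ("2018-09-13T09:02:00", "noreply@tracker.test", "Please confirm your subscription"),
        ("2018-09-13T09:30:00", "reviewer@gamesite.test", "Review embargo question"),
    ]
    burst = [
        (f"2018-09-13T10:{i // 10:02d}:{(i % 10) * 6:02d}",
         f"no-reply@list{i:02d}.test",
         f"Welcome to list{i:02d}! Confirm your email")
        for i in range(40)
    ]
    return normal + burst


if __name__ == "__main__":
    report = detect_subscription_bomb(constructed_sample())
    print("bomb detected:", report["triggered"], "first alert at", report["first_alert"])
    print("peak:", report["peak_count"], "confirmations from", report["peak_domains"], "domains")
```

The domains collected in the report are the ones to feed into a temporary mail-filter rule that quarantines (not deletes) the confirmations, which keeps the shared mailbox usable while the legitimate developer-contact address you set up separately stays untouched. Quarantine rather than delete, because the flood may hide a real message from a reviewer.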
Dear Computrix, I’m home recovering from knee surgery (too many times jumping out of perfectly good airplanes). I’ve run through every Netflix series there is and ended up watching CSPAN. I found a livelier session than most called “Combating Money Laundering and Other Forms of Illicit Finance: Administration Perspectives on Reforming and Strengthening BSA Enforcement” by the Senate Committee on Banking, Housing, and Urban Affairs. The last Netflix show I binged on was Ozark, which is about money laundering (“FinCEN” is mentioned), so I felt I had some background to appreciate what the good senators would be saying. In a nutshell, they want to modernize the money laundering to make it easier for banks to comply (some banks have more compliance officers than lending officers) and also account for Bitcoin. Everything they said made sense (and both groups were getting along, surprise, surprise), but I couldn’t help wondering about a scene in the first episode of the Ozark series where the main character tries to take all his money out of the bank and the FBI is asking him why – that must be these banking laws. Anyhow, he says it’s his money and if he wants to put it all in a hot tub and sit with it that’s his business. That got me thinking: why does the government have the right to track our money like this? Shouldn’t they be worried about those banks like the one in the hearing that cleaned over half a trillion for some Mexican drug lords and got away with just a slap on the wrist? Signed, So Desperate I Watched CSPAN
Dear So Desperate, Ozark is a good series – you probably heard they’re bringing it back for a second season! I wondered about that bank vault scene myself, knowing the Bank Secrecy Act (BSA) and other anti-money laundering (AML) laws would mean the bank had to notify the federal authorities – that amount was clearly over the $10,000 threshold for a currency transaction report (CTR). The series is obviously fictional – I can’t imagine someone in real life being allowed to walk out the door with $8 million in cash – but at least the FBI is following him. The Senate Banking committee hearing you watched is an engaging one – and available online for watching, as well (see the list of references at the end). The bank you mentioned from the hearing – which has been in the news lately for other misdeeds related to currency rigging – is HSBC, a British bank. HSBC, through supposed negligence, allowed billions of dollars associated with Mexican drug cartels to go unmonitored and unreported. They were fined and put on a deferred prosecution agreement, meaning that if they behaved the charges would be dropped. The US government seems satisfied that HSBC has reformed its processes related to AML; I cannot speak for the US government, but it seems the end game is to have banks’ cooperation in AML, which may be worth more than stronger fines or jail time for the banking executives.
Money laundering – the taking of money that you don’t want someone to know you got, and “cleaning” it to make it look like legitimately-gained assets – as a concept has been around since governments, such as they were at the time, started to care about getting taxes. Modern anti-money-laundering laws exist to thwart mainly drug trafficking and terrorism, but also to curb tax evasion and non-drug-trafficking-derived income. The government feels that the surveillance and inconvenience to the ordinary person who wishes to engage in financial transactions of large sums (this includes jewelers, as well) is worth it to protect society as a whole against the effects of drug trafficking, terrorism, tax evasion, and other financial crimes. Some Libertarian groups disagree, finding the laws ineffective and too invasive, citing the Bill of Rights. That’s the beauty of our country, though, that we can disagree. For now, the various AML regulations are the law of the land and financial institutions (and jewelers), along with citizens, have to comply. If you feel strongly about these measures I encourage you to write to our legislators. The Banking committee is having another hearing next month and they won’t know how you feel unless you let them know.
Dear Computrix, my cousin, who lives in North Carolina, shared a local news story on Facebook about a man who had been arrested for scamming women on online dating sites. Here is the story: http://www.wral.com/fake-millionaire-tycoon-gets-prison-for-online-dating-scam/17234727/ This is scary! My daughter has recently started doing some online dating and I’m worried she will run into one of these criminals. Why isn’t the government doing something about this? Signed, Worried Mom.
Dear Worried Mom, several other community members have expressed alarm related to the news that John Edward Taylor, the man in the WRAL news story, was charged with stealing “money, credit, and personal information from more than a dozen women”, according to the US Attorney’s Office (see a link to their formal release at the end of this article). People have been deceiving each other since the beginning of time – the ancient Romans were doubtless plagued by confidence tricks. In fact, “confidence” is where we get the word “con” from. Romance is an area where confidence schemes thrive, because it’s hard to think straight when one’s heart is involved. Confidence schemes manipulate emotions, such as compassion, but also vanity and greed; they find someone’s buttons and push them, to the benefit of the con artist and the detriment of the victim. What the man in the article did has a name – not a legal name, but a popular name: catphishing. It sounds just like “cat fishing”, but it has nothing to do with cats and fishing poles. It is a scam that is (pardon the pun) pawsitively clawful in its effect on victims.
Catphishing as a term comes from the cybersecurity world and the sport fishing world: a “phish” is a deceptive email using an emotional lure to obtain information, and catfish can be caught by dangling a hand in the water and patiently waiting for a catfish to grab on, at which point the catfish is dragged into the boat. You might also see it spelled as catfishing. Some catphishers use their own identities and then deceive the people they date into giving them money or information. A catphisher can also take photos they find on the Internet – typically of someone conventionally attractive – and use those to create a fake dating profile, from which they execute the same scam. There are multiple victims in that case: the innocent person being impersonated and the people the catphisher is trying to lure in. Here are some things your daughter can keep in mind that should set off alarm bells:
The person does not want to meet face to face or through a video chat service like Skype.
The person is too good to be true: too attractive, too charming, too wealthy.
The person is difficult to find on social media or through an Internet search.
The relationship escalates quickly into talk of love and long-term relationships.
The person wants a home address to send gifts to.
The person asks too many personal, financial-related questions early in the relationship.
The person has sudden, strange financial difficulties.
Last, you asked why the government isn’t doing anything about this. Catphishing is not a federal crime – the perpetrator in the WRAL story was charged with wire fraud, bank fraud, aggravated identity theft, and threatening communication, not catphishing. Oklahoma is the only US state that has made catphishing (they use the catfishing spelling) illegal, and its law protects only Oklahomans who are impersonated, not catphishing victims.
I hope this gives you and your daughter something to think about. Catphishing is a risk on online dating sites, but not everyone on those sites is a catphisher. Good luck to you both! – The Computrix
Nearly everyone who is in a technical field provides technical support for their relatives, and perhaps even their friends. I got a t-shirt at a conference once that says, "No, I will not fix your computer." I don't actually wear it, because, truth be told, I will fix your computer. I might (okay, will) whine about how messed up it was afterward, and how can anyone possibly be productive with a computer set up that way, and why aren't you on Windows 10 yet? but I will fix your computer.
Especially, I will fix my mom's computer.
I don't mind - she gave birth to me and refrained from killing me when I was a teen - that has to count for something!
I've got a list started of all the things I will be taking care of, technology-wise when I next visit her. Recently, though, it occurred to me to add one more thing to the list: her router. I have to confess I've never looked at her router before. Bad security person! Bad!
Here are three articles that list and reinforce the dangers lurking in home routers:
I'm really hoping Mom doesn't have an ISP-provided router: apparently those are one big security hazard waiting to happen, mostly because they have credentials that cannot be changed, but are well-known by bad folks. Also, I don't ever recall Mom saying something about "firmware". Yikes. I think the router is older than 2012. My mom isn't eating cat food but she can't really go throwing money around so I have to come up with a good business case for getting a new one. Oh, I know I could use scare tactics - or, heck, Merry Christmas! Here's your new router you didn't know you needed! but my mom is an intelligent woman and needs to be treated like one...
Which brings me to a larger point about parents and technology and support: there is so much snark going on out there about how clueless folks over a certain age are. I've even seen my own age group included in the clueless group (yes, the older members of GenX are apparently speeding toward senility %-/) Moving forward, I call upon all geeks, regardless of age, to not treat folks who are older as clueless by default. Becoming older might mean they say "huh?" more often but it doesn't mean they've lost the ability to understand how things work. If we treat them like children (which is funny, because if you've ever seen a kid have their first go at technology they are fearless, persistent, and ultimately successful) they might start thinking this current tech stuff is too hard for them to learn. It's not. It's not brain surgery, nor is it rocket science:
What if we, the kids, are abducted by space aliens? Do we really want to set up our older relatives for failure by teaching and then reinforcing helplessness? What if we did treat them like actual children behave? Encourage them to play around with the technology and figure it out. As long as stuff is backed up, does it matter if everything needs re-configuring? Do you make that sighing noise (you know the noise) and get impatient when you're teaching little kids how to do something? Okay, after you've had coffee? I read a book once that said you should treat people like you'd treat the Pope, for instance. If you had Pope Francis over for dinner and he accidentally knocked his glass over, would you yell at him and tell him he was a clumsy oaf? (if so, hope you can dodge lightning quickly ;-) No, you would clean it up and try to make sure you didn't put the next glass by his elbow or something. If your parents or other older relatives do something with their computers - and I do include getting ransomware in this - don't yell at them and treat them like they are awful stupid people. Help them fix it and then help them understand how to help themselves. Help them get a backup system in place so if ransomware happens they don't have to figure out Bitcoin to give in to the demands. Help them set up a router firewall (and it doesn't hurt to have a software firewall system, too) properly so that countermeasures are in place to catch malware before it catches them.
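The "backup system" point deserves one concrete detail: a backup that simply overwrites last week's copy is not much help against ransomware, because the next scheduled run happily copies the encrypted files over the good ones. What survives is a versioned backup, where each run lands in its own dated snapshot and older snapshots are kept for a while. The following is an added illustration of that idea, not code from this blog; the folder names, the retention count of five snapshots, and the sample "letter.txt" document are all constructed for the example.

```python
"""
Versioned (snapshot) backups, illustrated stand-alone.

Each run copies the live folder into a NEW dated directory instead of
overwriting the previous copy, so a file that ransomware encrypts is still
recoverable from the snapshot taken before the infection. Names and the
retention count below are assumptions made for this example.
"""
import os
import shutil
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

KEEP_SNAPSHOTS = 5  # assumption: retain the five most recent snapshots


def make_snapshot(source: str, backup_root: str, label: Optional[str] = None) -> str:
    """Copy `source` into backup_root/<label>/ and return the snapshot path.

    A fresh directory per run means damaged files in the live folder never
    clobber the copy taken earlier.
    """
    label = label or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H%M%SZ")
    dest = os.path.join(backup_root, label)
    shutil.copytree(source, dest)  # refuses to run if `dest` already exists
    return dest


def list_snapshots(backup_root: str) -> List[str]:
    """Snapshot directory names, oldest first (date labels sort chronologically)."""
    return sorted(d for d in os.listdir(backup_root)
                  if os.path.isdir(os.path.join(backup_root, d)))


def prune_snapshots(backup_root: str, keep: int = KEEP_SNAPSHOTS) -> List[str]:
    """Delete all but the newest `keep` snapshots; return the names removed."""
    snaps = list_snapshots(backup_root)
    removed = snaps[:-keep] if len(snaps) > keep else []
    for name in removed:
        shutil.rmtree(os.path.join(backup_root, name))
    return removed


def restore_file(backup_root: str, snapshot: str, rel_path: str, target: str) -> str:
    """Copy one file out of a named snapshot back into `target`; return its text."""
    src = os.path.join(backup_root, snapshot, rel_path)
    dst = os.path.join(target, rel_path)
    os.makedirs(os.path.dirname(dst) or ".", exist_ok=True)
    shutil.copy2(src, dst)
    with open(dst, encoding="utf-8") as fh:
        return fh.read()


def demo() -> Dict[str, object]:
    """Back up, simulate ransomware damage, recover from the earlier snapshot, prune."""
    work = tempfile.mkdtemp(prefix="versioned-backup-demo-")
    live = os.path.join(work, "Documents")
    backups = os.path.join(work, "backups")
    os.makedirs(live)
    os.makedirs(backups)

    letter = os.path.join(live, "letter.txt")
    with open(letter, "w", encoding="utf-8") as fh:
        fh.write("Dear Aunt Ruth, ...")  # constructed sample document

    make_snapshot(live, backups, "2017-12-01")          # good copy

    # Simulated damage: contents replaced with junk, ransom note dropped alongside.
    with open(letter, "w", encoding="utf-8") as fh:
        fh.write("garbage-ciphertext")
    with open(os.path.join(live, "README_DECRYPT.txt"), "w", encoding="utf-8") as fh:
        fh.write("pay up")
    with open(letter, encoding="utf-8") as fh:
        damaged = fh.read()

    make_snapshot(live, backups, "2017-12-02")          # captures the damaged state
    recovered = restore_file(backups, "2017-12-01", "letter.txt", live)
    make_snapshot(live, backups, "2017-12-03")          # post-recovery state
    pruned = prune_snapshots(backups, keep=2)
    remaining = list_snapshots(backups)

    shutil.rmtree(work)
    return {"damaged": damaged, "recovered": recovered,
            "pruned": pruned, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

The part that does the real work is the retention: as long as the pruning window is longer than the time it takes someone to notice that files have gone bad, a clean copy is still there. The snapshot store should also live somewhere the infected machine cannot write to at will (a drive that is unplugged between runs, or an account the everyday login cannot reach), since ransomware that can see the backups will encrypt those too.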
Be the sort of tech support parent you wish you could have, because one day the younger cohort will want to help us out with those fancy brain implants ;-)
Security has to belong to the business folks in the organization. The technology/IT people need to support it, and the CISO might very well hail from that territory originally, but the business folks need to "own" it. That's the only way security will ever be given money before the organization shows up as a trending Twitter hashtag.
In the words of Frederick Avolio: "Security is an investment, not an expense. Investing in computer and network security measures that meet changing business requirements and risks makes it possible to satisfy changing business requirements without hurting the business's viability."
I was talking to a business friend about how data had to go through this (and one could argue it still is) process of being adopted by the business side of the organization in order to be taken seriously. Of course, that means there is a tension between the technology folks and the business folks about who controls the data, but data governance is beyond the scope of this blog entry.
Security governance, though!...
But, seriously, until the business side of the organization - those who hold the purse strings - realize that security is an investment and not merely a cost center, and that promoting security helps the business meet its business goals, modern businesses will not run as well as they could. Security is not an after-thought, begrudgingly assigned leftover scraps from the head table. Just because we don't put security in the mission statement doesn't mean it doesn't matter.
I live about an hour's drive away from work so I rely on podcasts to make productive use of the time. One of my favorite podcasts is Note to Self, about society and technology. (I used to even donate money to them until they had an episode on going vegan after which I pulled my support and gave it to local no-kill cat shelter, but I digress...) The latest episode featured an AI tool called Replika (https://replika.ai/): https://www.wnyc.org/story/replika-artificial-intelligence/. It seeks to create a virtual AI-based representation of oneself - the creator built it from texts and email messages from a dead friend. It was almost along the lines of the movie Transcendence: The idea, I have to admit, sounded a bit intriguing (yes, even though Transcendence was a creepy concept): I'm a very curious person and I figured, hey, what could it hurt to try this thing out? I'm also extremely cautious, though (in Emergenetics terms my Yellow and my Blue are constantly at war).
I decided to do some searching about Replika. It's free, which really made me wonder how it made money. Oh, I know how most "free" things make money: ads (every app that isn't paid for) or selling data (every social media platform). Replika's FAQ seemed to indicate it wasn't selling data and its origin story sounds like an altruistic endeavor. But, still....more looking.
I happened upon Reddit. One of the things mentioned in the podcast was that it was a sort of therapy to have a conversation with a bot version of oneself. I know a young man who has high-functioning autism and one of the aspects of that is that communication is something he's not as experienced with as a typical kid his age. I wondered whether folks with autism were using Replika. I found a post written by another young man with autism who was enjoying having conversations with his AI replica. Hmmmm. Well, that's a good use case, but I'm still wanting more information. I went to the main subreddit for Replika: https://www.reddit.com/r/replika/ and browsed the posts. I found a disturbing post, based on an Imgur capture (strong language warning):
Oh, wow. Okay, this is the Internet and it's easy to make things up, Photoshop and all....but, those other negative and scary posts...
I've decided against Replika. There was a big part of me that wanted to try it out, but I've got the willies from what I've read on Reddit.
It's not worth the risk.
But, what risk?
If I had to explain in logical terms to someone why I wouldn't recommend using the tool I'm guessing "gave me the willies" is not going to cut it. There are many things in our information lives that make us go "I've got a bad feeling about this", but if we want others to take our concerns seriously - or put money toward alleviating those concerns - we need a structured framework for identifying risk and a plan to deal with the risk once identified. There may be times when we have to proceed down a path we have a bad feeling about, but we can make ourselves feel better by putting security controls into use and monitoring the situation.
I can't think of any security controls that are going to prevent Skynet, though, so no Replika for me ;-)
I once took a class where I had to create an Issue Specific Security Policy (ISSP) for home use. Since I'm the fun sort of person who brings up Multi-factor Authentication at football tailgate parties this was right up my alley!
I've always thought it is useful to think of one's household as a business - whether that is one person, or one person and a pet, or two people who are roommates, or a romantic couple, or a romantic couple with children, or even a romantic couple with or without children who are also taking care of an elderly adult and a pet - I think I've listed a few sitcom plots right there...actually, my friends and family at this point think my idea of having an authentication credential policy for a household is a sitcom waiting to happen - and that's after I deleted all the items about picking usernames and just left in the password details.
Hey, at least I didn't bring up death! :-D
(to be fair, I wanted to, but thought that would have to be its own issue specific security policy and while SANS has a great pandemic template, I didn't see one for death - maybe the disaster recovery one could work...)
The way that technology is ubiquitous in our lives means that homes have to think of information security the same way any business would and at least consider having plans for their technology and its uses. (Homes also need to think of fiscal issues like any business would, starting with "what business problem are we trying to solve?" whenever a new purchase is being decided on, and identify all stakeholders, but that's another post for another time.) I read recently from a security awareness expert, Lance Spitzner, of SANS' Securing the Human organization, that if you can convince people of the utility of information security for their own personal lives they're more likely to understand why it matters at work. An organization could kill two birds with one stone by encouraging employees to think about their at-home security.
My ISSP was predicated on there being at least one Technical Adult in the house, who was then part of the Lead Technical Adult (LTA) team. (I specifically mentioned "adult" because studies have shown the good-decision-making parts of the brain are not fully formed until after age 25; a teen may understand the technology, but is a teen consistently capable of making good decisions?) There might not be such a technical adult in the household. The nearest technical adult might be a grown child or grandchild, or perhaps someone from the community who does nice things out of the kindness of their heart. Or, it might be someone from down the street who seems nice and is really just playing the non-technical adults in order to win their trust so they can get scamm...oops, sorry, my white-ish cat just jumped into my lap and I went all evil for a moment. She's jumped down now :-)
I suppose I open an entire can of worms by pointing out (which I have done in other venues) that technology products are not necessarily non-technical user friendly. Imagine for a moment someone who cares nothing about the ins and outs of technology and security, because they're busy doing other things like operating on people in an emergency room, or building houses, or teaching kindergartners. Imagine them setting up a new router to provide wireless service to the plethora of mobile devices they and their family members and any guests might have. (Okay, stop shouting at the monitor - you know the people in the movies can't hear you and they are going to open the closet door, anyhow.) Router setups have come a long way since 2003, when I set up my first wireless access point, but there are things that people who have nightmares about security failures - it's no coincidence that IT and that evil clown have the same characters in their name, is it? - know about securing home networks that non-technical people don't even know that they don't know. I can't suggest that vendors supply a complimentary technical adult with every purchase (well, I could, but that wouldn't be practical), but how are we going to solve the problem of people bringing home a shiny new baby technology toy and being left at home with it when they haven't the first idea what to do with it? If we don't start thinking of household technology, and the security that implies, in a structured way, that will lead to chaos.
(Yes, I just argued for structure. Shhhh, don't tell anyone 😏)
Security policies aren't only for businesses, and they aren't only for the super-geeky. It's possible to help non-technical users get a handle on managing their technology even when they don't have ready access to a technical adult. Issue-specific security policies can help.
"Because I could not stop for Death – He kindly stopped for me..." - Emily Dickinson
Small talk is not a skill I possess. I prefer big talk...important things, like, say, death. Death is a favorite topic of mine. Not that I want to die anytime soon, nor because I take pleasure in others' deaths (well, generally :-), but because everyone seems so unwilling to talk about it and they really need to. Death, you see, in the realm of contingency planning is an adverse event - it has the potential to really mess things up. When someone dies death goes from being an incident candidate to a full-blown incident. Death, being inevitable, needs an incident response (IR) plan to go along with it.
Okay, how is death relevant to an infosec blog?
It's an attack against information assets - what you know, including how what you know gets you into more information assets, is gone after death happens. Death is pretty efficient when it does its thing so its chance of success is high. Death definitely threatens the availability of your information assets, although one could make an argument for enhancing the confidentiality of them.
It's important for an organization to plan for deaths of its employees, from the C-suite to the cleaning crew. No, not plan to kill them (although one wonders sometimes...), but a plan for how to react and recover after death occurs. From an obvious perspective, at the very least whatever tasks the person was assigned to do will not be getting done and someone else will have to do them. It's easier to respond when a plan is in place than to make things up on the fly - and if the death is of someone close to the people making the decisions their thinking will be affected, even if the death is expected. The story of how a small organization handled the death of one of their founders provides a good foundation for planning on that level: http://www.smallbusinesscomputing.com/tipsforsmallbusiness/business-survival-after-death.html
On a personal level, contingency planning for death is even more vital. This summer I had a long-distance friend die unexpectedly. No one can get into her digital assets, so her Facebook page and LinkedIn account remain open as though she is still alive. Her non-technical family doesn't even know where to begin - and no one wants to bring up the specifics of how those accounts can be closed by the vendors. (Someone did inform her employer.) Not talking about death doesn't make it go away. In the past couple of months I have learned of more people who have died unexpectedly, leaving their families to deal with digital legacies on top of the grief and expenses. No one wants to go up to the widow and say, "hey, I know you're in shock and numb with grief right now, but have you thought about how to get into your partner's digital accounts?" Not even I am that goth. (Yes, I'm thinking it, but my mother raised me better than to say it out loud :-)
The recent Equifax breach gives criminals a chance to capitalize on their theft by making it easier to purloin the identities of the deceased: unless the deceased was receiving Social Security payments there is no automatic notification to the credit bureaus that someone has died and that their accounts should be marked that way (see http://www.bankrate.com/finance/credit/happens-dead-persons-credit.aspx for more details). My friend's credit report looks like she's alive. She's not there to notice anything sketchy coming up. Of course, she's dead, and had no dependents, so no one is being directly hurt if someone absconds with her identity, but, still.
Everyone dies at some point. This incident will occur. There are many logistical aspects of death that don't necessarily involve digital assets that need to be secured, but in our modern times nearly everyone has digital assets. We all have some sort of device, either a computer or a mobile device. We probably have email assets and social media assets. While financial service relationships typically have a physical aspect, many people access their financial service accounts digitally, with authentication credentials. How about e-commerce? Kindles? What about Alexa (who might be able to help solve the case) or Siri (who is more helpful to the perpetrator)?
I'll pause. I admit this has to be overwhelming to anyone who hasn't thought about it before.
Because death is such a scary concept, let's talk instead about space alien abduction. There is a chance that if someone is abducted by space aliens they could return. But, while they are being entertained by the space aliens one would not have access to their digital assets unless one had a contingency plan in place. So, it's like death, but not exactly death.
Think about how people back home would carry on with your digital activities if you were abducted by space aliens. How should they react? How would they recover? If you've planned now, before the abduction, they have a list of what to do after they have detected that the aliens have zoomed away with you. They can then focus on acquiring, preserving, and securing the assets you have left behind, for instance, your mobile device (presuming it wasn't destroyed in the abduction process).
More organizations are offering practical advice for digital contingency planning. https://www.funeralwise.com/learn/digitallegacy/ is an example. It's important to note that legislation has not caught up to digital realities. It's unclear in many jurisdictions how digital legacies are to be handled and the most obvious option, impersonation, might not be exactly legal, even if it's not exactly illegal, even if an executor is given specific authorization by the deceased space alien abductee.
Whether you plan for this adverse event, or not, it will happen. Think of setting up a contingency plan for securing digital assets in the event of death as a kindness to those left behind - a final gift.
Project failure is seriously much more interesting to discuss than project success. I think people remember bad things more than good things: a kid is more likely to remember the time they put their hand on a hot stove more than the hundreds of times they saw their parents not touch a hot stove. (Some people need to touch hot stoves more than others to get the message, but that's another topic for another time.)
Real-life project failures abound, and some of them can be interesting, depending on how they're written up. Fictional project failures, though, because they can be over-the-top, are inherently more interesting, involving, say, dinosaurs, or, another of my favorites, Star Wars. I've used scenes from the Star Wars movies to discuss social engineering:
Star Wars in general is full of information security metaphors. Kellman Meghu, a Canadian security professional, did a SecTor 2012 talk, "How NOT to do Security: Lessons Learned from the Galactic Empire" (http://2012.video.sector.ca/video/51119497) It's nearly an hour long, but worth every moment. Darth Vader is cast as the CISO at one point, if you need further incentive to watch.
Another entertaining (and shorter) video presentation is from Darin on YouTube, who uses Star Wars to explain industrial control system security to people who know nothing about security: "Securing your ICS with Lessons Learned from the Death Star"
To tie this all back to project management specifically, Emily Bonnie did a hilarious infographic: "10 Reasons the Death Star Project Failed" at https://www.wrike.com/blog/10-reasons-the-death-star-failed/ She includes the usual project management failure suspects such as incomplete project requirements, bad risk handling, poor leadership, failure to look at alternatives, and bad resource handling, among others:
Fictional comparisons can help non-technical stakeholders, particularly the ones in decision-making capacities, understand project management and security management by presenting the concepts in a non-threatening and diverting manner. It's easier to understand a nebulous idea when one can point to a concrete big-screen example. Humor helps, too - people retain information presented with humor more than information presented without.