
Whose Risk Is It Anyway? June 6, 2016

Posted by wastedspacer in IT Security, Notable Incidents, Risk, Social State, Spam, SPIM and other annoyances, Technologies.

Human beings as a species are generally terrible at rationally assessing risk. This is particularly apparent when we consider basic everyday risks, as well as common threats and risks from an IT security standpoint.

Thanks to the media, blogs, viral videos and security services, the general public substantially overestimates the likelihood of spectacular, headline-worthy catastrophes while completely ignoring many extreme dangers posed by common, everyday activities.

A prime example of this irrationality is the fear of flying, fueled by news reports citing terrorism, bomb threats, near misses and mysterious or even spectacular plane crashes. Other perceived threat vectors come from government agencies with a stated vested interest in keeping us safe (and, of course, in keeping themselves funded). Consequently, airport security screening services further amplify this level of latent terror for the misinformed traveler.

The end result is that we in the US put up with paying (as of 2015) another $7 billion in taxes, plus even more added to the cost of an airline ticket, for the illusion of feeling safe. When a former FBI assistant director was asked about an effective method of funding anti-terrorism, he put it thus: “Keep Fear Alive”. The FBI can’t even explain its success metrics for the perceived “war on terrorism”. The only real measurement we appear to fall back on is when the security fails! The only answer seems to be: we need to spend more!

Tragically, this appears to be similar to the rhetoric the terrorists themselves use to measure how effective their terrorism is on its intended target populations. The more threats are perceived and the larger the anti-terror agencies grow, the more visible those agencies become as they broadcast the potential threats posed by future terrorism! Aside from the actual heinous attacks, a terrorist organization perhaps measures its success by how much additional chaos, media coverage, public inconvenience, fear and growth in anti-terror security services its actions catalyze.

Shocking airborne terrorist attacks such as 9/11 understandably leave the vast majority of the world’s population with a “never again”, security-at-all-costs attitude, even though the total number of people ever wounded or killed by terrorism on air travel is many orders of magnitude smaller than the number of victims of the “ordinary” dangers of driving to and from the airport. Consider events such as a blow-out, hitting a deer, cow, dog or pothole, or being hit by a distracted driver, a truck or road debris on the way to the airport; all of these have serious or even lethal consequences for thousands of travelers every year.

From a pure risk/value/mitigation assessment this seems an absurd disparity: we could dramatically reduce the overall risk simply by paying a little more money to fix potholes. Our collective thinking is habituated and skewed by sheer terror, amplified by sensational media coverage, augmented by continual terrorist rhetoric and supplemented by security agency threat alerts. As a result the perceived terror risks are far more salient, and seem far more likely, than reality warrants. Consequently we are collectively convinced that it is worth standing up and funding entire government security agencies to combat the potential threats!


Keeping “Little Jimmy” safe!

As a general rule most individuals underestimate the risks of activities from which they perceive a personal benefit. The intended achievement of a laudable goal (or simply “what’s in it for me”) often creates tunnel vision in which many risks are ignored or at least not adequately considered in context. Consider first-time parents who need to start taking their small child to kindergarten. They logically purchase a very large SUV, perhaps a Chevy Suburban, so that “little Jimmy” can be safe. What they understandably fail to consider are the consequences when the brakes fail on the Suburban. A smaller vehicle would simply bounce off the curb, the airbags would deploy and there would perhaps be some minor injuries. With the height and gross tonnage of the Suburban, however, it bounces over the curb and through the wall into the classroom, killing six of little Jimmy’s classmates!


At least “Little Jimmy” was safe!

A less contentious example is the inevitable project-management-by-dashboard method, where NOT delivering on time and on budget are the only perceived risks. This in turn leads to the introduction of greater or imaginary risks for activities that have no perceived upside. The perfect IT security solution is a prime example, where the pinnacle of success can be measured by “nothing bad happened today”!

We tend mostly to ignore or underestimate the less controllable risks in IT security. For example, consider how easily anyone in our organization could get phished, scammed or inadvertently disclose sensitive information. We have awareness training for that, but how easily or accurately can its effect be measured? A number of security solution providers have a large marketing budget supporting products they can sell you to manage areas, functions and individuals you already have a degree of control over. But what happens when the actual threat is the password that’s shared with a spouse, then used and inadvertently disclosed outside the organization? How can their solution address that?

The bottom line is that a risk assessment can only be a general guide, not an absolute. Perhaps risk assessment is more akin to Heisenberg’s Uncertainty Principle: a thorough, unbiased quantitative risk assessment can certainly give a bottom-line risk score, but as soon as it is observed and the results are consumed by you, me or anyone else, each score will probably be different.


Droning on again! December 26, 2015

Posted by wastedspacer in Everything Else, Global Industry, New Rules and Compliance, Political Issues, Rants, Technologies, The Fun Stuff.


I guess I could be classed as a drone early adopter of sorts, with a trusty 4-year-old Parrot AR Drone. I am somewhat dismayed that the FAA demands I now need to register it! It doesn’t weigh very much, nor fly very high, nor even get out much, but it does exceed the paltry 250 gram weight.
Being a responsible and law-abiding adult, I decided I had better respond to the FAA drone-user nagging by visiting the FAA drone registration site and sending them my $5:
So what’s the big deal? You first have to set up an ID, which should be simple, but of course there are unnaturally complex password requirements. You are informed that you cannot proceed with drone registration until your identity has been verified via a web link that has just been sent to you by email. Of course, hour after hour goes by with no incoming email from the system. You cannot log on again as your verification remains in a pending state, so I send a help request to the supplied usahelp@faa.gov contact. Many more hours pass with no response or verification email!
Eventually (later the next day) I see the FAA mail has finally arrived. I click on the supplied link and I get a 404 “not found” error! I try again an hour later with the same result; I send another email to usahelp but once again receive no response. Many hours later the site finally appears operational and I can register my drone. I was hoping to pay via something other than a credit card (Amazon, PayPal, BitCoin etc.). Certainly of concern would be the need to trust a historically porous government entity such as the FAA with my credit card information!! But given no alternative, I am forced to supply my credit card details (perhaps I should place a bet on how long before the FAA manages to leak its customer details?)!

Finally I receive a printable certificate to stick on my box and I can write my FAA registration on my Parrot drone! In fact, if I buy another drone perhaps I don’t need to register that; I could simply use the same registration number, hmmm? Well, the chances of me flying more than one drone at a time are slim, to say the least.

But why do I need to register this at all? Just how dangerous is my drone, or is it more about who is actually using the drone, and where and how? Or is it just another media-fueled paranoia piece of legislation latched onto by a government department keen to elevate its own sense of importance by adding yet more “care-bear” bureaucracy that comes with a whole department of taxpayer-supported employees?

If we are registering drones, why don’t we register big kites? I see 7-10 ft wide kites being sold that come with 1000 to 3000 or more feet of line! They seem potentially more dangerous and can also be fitted with cameras. We don’t even register guns, for heaven’s sake, and don’t get me started on the dangers there.
On the positive side, it is only costing $5 for every 3 years and the $5 is being rebated (though I will believe it when I see the rebate appear in my statement). I do get a “Certificate”, which makes my little drone seem just that bit more “official” than it did.
On the concern side, yet another massive, notoriously porous, allegedly incompetent and insecure government department is being needlessly inflated. The FAA itself has become a juicier target, with the millions of new drone-owner identities and credit card details available for harvesting and exploitation by nefarious individuals.
Sorry for droning on!!!

Darkweb and the consumer facing state of Cybercrime November 10, 2015

Posted by wastedspacer in Government, IT Security, Social State.

The latest BBC Panorama episode (now available via YouTube) is a really effective and appropriately disturbing exposé on the current state of cybercrime:

BBC Panorama How Hackers Steal Your ID BBC Documentary 2015

Darkweb = the eBay of Cybercriminality!

On the 9th of November BBC Panorama put together this thought-provoking piece on the current state of the Darkweb. The primary focus was the volume of valid, current credit card numbers, CVV included, that are generally available for just a few dollars, paid in BitCoin.

The recent breaches at the internet providers TalkTalk and Comcast are merely the latest examples of stolen identities that have been offered for sale via the Darkweb.

Many thefts begin with just general situational awareness; basic contact details (such as those exposed by these breaches) give organized criminal call-centers the essential ingredients to perpetrate convincing, sophisticated identity theft along with personally targeted financial fraud.

According to the documentary, the Darkweb also provides sophisticated storefronts anonymously used by criminals to access all manner of highly illegal activities: Drugs, human and organ trafficking, child pornography, guns, valid passports, and even contract killings!

This raises the question: Is the leading edge of cybercrime pulling away from the ability of our law enforcement agencies to combat it?

Sadly the Panorama piece’s rather tepid “keep your anti-virus program current” advice from London Police commissioner Adrian Leppard is not even altogether sound. Antivirus programs, once considered bastions of cyber-defense, are now marginalized and under serious attack, since criminal hackers (and government spy agencies) see them as themselves potentially effective methods of malware delivery!

There are at least some publicly known indications of a response from international law enforcement, such as the JTRIG team at the UK’s GCHQ working in concert with the NCA (National Crime Agency).

A simple credo to apply to all things internet-related: always be seriously cynical and TNO (Trust No One).

Toxic Trains – Bay Area Rotten Transport January 13, 2015

Posted by wastedspacer in Political Issues, Rants, Social State.

As seen from my seat (my bag was sitting on that)!

I’m writing this journal entry as I sit among the filth and squalor that is Bart carriage 1531x, part of the 10-car 10:14 am from SFO to Pittsburg/Bay Point. A cringing couple holding an infant sits a few seats away, concerned about the seemingly infectious nature of this squalid carriage. A possibly mentally ill, foully aromatic individual who remained on the train when it arrived at SFO sits mumbling obscenities and threats like “I’ll kill you” or “In your eye” every time the train operator makes an announcement. The rest of the time he spends grunting, chewing and expectorating on the floor. I look over to the other side of the car and see a sign proclaiming “This Car Proudly Maintained by the Concord Shop”.


I wonder what the cadence is, perhaps an annual maintenance? I wonder how long it takes for a car to get into such a horrendous state, and why there seems to be no enforcement against some of the disgusting things that violating passengers do?

Is this an isolated case? Not at all. I am an infrequent user of this relatively costly but mostly convenient service. Sadly my journeys on Bart seem to be beset with such unfortunate scenes. I have traveled on far less costly public transit in many cities around the world and have to note that Bart is possibly the very worst. In the days when it went straight to SFO, around the early morning commute hours at the Dublin/Pleasanton station it was not unusual to see numerous individuals carrying blankets getting off the inbound train and boarding the outbound one, each quickly snagging a double seat to lie down on, forcing commuters to stand.

Drunk, messy-food-consuming, vomiting, urinating and defecating, possibly homeless and/or mentally ill passengers are also regular sights in the evening hours. Panhandlers, usually passive but occasionally hostile, make their way through carriages shaking folks down for money. Reporting these infractions to station agents at best gets a tepid “we’ll look into it”; for the most part, BART police are invariably nowhere to be seen during these unfortunate events.

A few years ago I had the misfortune to sit behind a couple of ironically comedic hand-holding BART employees. They also happened to be “proud” Union-badge-bedecked workers whose overheard conversation snippets were disturbing. They thought it hilarious that they were able to procure overtime, then just sat around or slept, and that the tax-paying public could do nothing about it. In my opinion they could start by cleaning these darned cars, but I’ll bet that’s a different Union? I assume their union would not tolerate crossing work boundaries.

Sometimes I wonder why bother connecting to airports such as SFO: there are no specialized luggage racks (is it for fear that some passengers might sleep on them?), and many of the early morning flights cannot be connected to due to the relatively late start times (especially at weekends).

Is it just me, or are other travelers appalled at the state of our Bay Area Rotten Transport? Do we seriously believe that we should spend vast sums of money on high speed rail while critical connecting infrastructure such as Bart remains such a cesspool of inefficiency and squalid conditions?

Signing off as I stare at what looks like mold growing on the floor, I pause to consider that I really need a second shower today!

Net Neutrality – A presidential U-Turn? November 11, 2014

Posted by wastedspacer in Global Industry, Political Issues, Rants, Social State.

*sigh* Too little too late perhaps? I hear all of the Comcast, Verizon and AT&T execs crying foul over this supposed U-turn. It seems that now we have a president unfettered by the mountain of promises needed to get elected and able to say what he really thinks! Of course, it will make way for 2016 presidential candidates to “disagree” with a now unpopular leader and enable new cable-company-supporting politicians to line their campaign pockets with the vast trove of funding to decry the misguided neutrality musings of the former president!

I like the chart with the Netflix shakedown. Comcast (and to some extent Verizon/AT&T for that matter) is all about squeezing maximum profit so they can spend what appears to be 90% of it on marketing, lobbying, lawsuits, civic “incentives” to help block private and community cable or communications initiatives and of course a large pot of money to buy up any of the smaller competition and supplemental organizations. Comcast doesn’t actually need to block access, only neglect to add upgraded connections where customer streaming services like Netflix add burden. It can then shake down those service providers to pay to accelerate the process. “XFINITY” marketing suggests it is all about giving the customer fast access to the services they desire, yet their actions are completely counter to that!!!

Now we have huge presidential support for Net Neutrality! Throwing all of his old-buddy election campaign backers under the bus now that he no longer has a future presidential bid to worry about funding! Plus, the chances of any future Democratic candidates seeking Obama’s endorsement are unlikely; OTOH I’m sure the cable guys will be only too happy to help them if they oppose this Net Neutrality stance.

We have the appointment of the former pro-cable lobbyist Tom Wheeler as chairman of the FCC, and presidential golfing buddies such as Comcast’s CEO Brian Roberts and campaign-bundle specialist David Cohen, Exec VP at Comcast, who was a staunch supporter and massive fund-raiser for the Obama campaign with some really compelling Comcast promises including grand statements around “internet for the poor”. (How extensive was this and where did it actually end up?) No wonder all these folks are now crying foul, but I guess this is politics 101: when you no longer need the money from those former “buddies”, toss them under a bus!

http://deadline.com/2014/11/comcast-responds-obama-net-neutrality-1201280353/

http://www.phillymag.com/articles/david-l-cohen-profile-david-l-explained/

Once again the end-consumer is going to be the one ultimately paying for this with increasing charges, no improvement and possible degradation in services!

Some assembly required! Success as a Service! September 7, 2010

Posted by wastedspacer in Everything Else, Rants, Social State.

How extensively are dissertation services used to falsely obtain educational qualifications?

What value is there in an education assessment system where a significant number of “successful” students have achieved that success by leveraging a professional essay, thesis and dissertation service?

I was dismayed to see these posts in the Craigslist services section:

Essay Emergency Writing Services, Confidential, Affordable, Urgent
“Undergraduate, Graduate, and Doctorate clients.
Premiered and renowned personalized writing service for International Students from China, Japan, South Korea and the Middle East “

I can certainly understand a little help with a critique, editing essays or simple assistance for thesis work but to completely outsource the production effort makes the derived qualifications something of a joke. No wonder there are so many honors graduates who apparently can’t spell or string some sentences together when they arrive in the workplace.

China – persistent threat vs convenient “demon”? April 1, 2010

Posted by wastedspacer in IT Security, Notable Incidents, Political Issues, Social State.

When average folk in the US are asked about what they think of China – it would seem that they simply parrot much of what the media peddles: human rights abuses, disregard for the concept of intellectual property, stealing manufacturing jobs from the rest of the world, state corruption, militarism, gulags, illegal software, brand-name knockoffs, the source of advanced persistent threats and a lot of other big-brother-state demonizing in general. While there are no doubt factual elements that reflect some or all of those issues, when an accusation appears, the media quickly escalates to the usual feeding frenzy to highlight any “facts” they can derive from reports. When it turns out that perhaps the issue was not so heinous or even a work of fiction, the retractions and general backing down reports are buried way down the page or even completely ignored. Come to think of it, that’s actually pretty normal for just about any sensationalized media news event.

Case in point: the recent accusations of conspiracy between the infamous Aurora botnet and a series of attacks on US companies (Google, Adobe, Intel, Northrop Grumman et al.). This has appeared in a recent DarkReading article on McAfee’s retracted stance supporting this theory.

DarkReading Article.

This report paints a picture indicating that perhaps China should not always be the usual suspect as the root of all malware. Has McAfee been somewhat hasty in its “cry wolf” analysis that had solidly linked a series of targeted attacks to the overall Aurora malware efforts? McAfee initially had positively identified China as the perpetrator of the attacks against US companies. Further analysis has subsequently identified this to be botnet-establishment malware out of Vietnam that just happened to end up on commonly infected machines, and probably not even related to Aurora at all.

Disturbingly, although the malware primarily leverages Chinese services such as 3322.org (a domain service run by one Peng Yong), this may simply be driven by the fact that, statistically, China has by far the largest percentage of its PC-using population running hacked/illegal OS and application software, which typically comes equipped with “free malware” or is much easier to infect since security update patching frequently gets disabled as part of the hack.

It will be interesting to see the knock-on effect of the recent Chinese edict and domain registration crackdown requiring a verifiable address (in China) and business registration number along with a head-and-shoulders photograph. This was brought about reportedly (at least according to the Chinese Govt) following the identification of massive numbers of non-Chinese addresses registering .cn domains. GoDaddy recently pulled out of .cn registration while grumbling about the loss of identity protection; at the same time it may have a positive effect on the nefarious use of .cn domains as smokescreens for botnet operations run out of other countries. One wonders if GoDaddy is also inwardly grumbling more about the loss to its revenue stream?

GoDaddy exits the .cn space.

Excellent HBGary Analysis on Aurora:

ATT U(seless)-Verse October 15, 2009

Posted by wastedspacer in 1, Business Directions, Rants, Technologies, Technology Drivers.

Years of adverts, one mile from ATT’s HQ; in 2014 we have U-Verse Internet but no U-Verse TV in ATT’s own backyard!

Consider the hot summer of 2007 in San Ramon, California, where AT&T began a riotous assault on our senses offering a wonderfully fast TV/Internet/Phone service dubbed U-Verse! I was excited at the thought that at long last the fiber channel was finally here and I could get a piece of it. We quite literally live on the doorstep of AT&T’s Northern Cal Headquarters, which I can even see from my back garden.

Ever since moving to San Ramon, I have been a loyal PacBell, er SBC… er AT&T customer throughout the years and have been an early adopter for ISDN (Project Victoria) and then one of the first DSL subscribers.

Expecting that AT&T would again roll this out to their local community first may have been a little premature, but I went to the web site, popped in our phone number and sadly received the message:

We’re sorry. Currently, AT&T U-verse service isn’t available for the address associated with this phone number:

*sigh* but I dutifully sign up to be informed as soon as U-Verse is available; the general sentiment from the advertising was that it should be within months, so I believe I can wait. I hear reports from new housing developments and other cities that are happily getting their U-Verse, but still not the loyal AT&T customers in their back yard.

I am under a constant barrage of email asking me to sign up for U-Verse all the way through to the summer of 2008. AT&T continues to pump out millions of dollars to advertise in magazines, on the radio and on TV, waving the flags of U-Verse successes all over the place, but not in our neck of the woods 😦 Again, I am constantly invited to check to see if we can have access.

We’re sorry. Currently, AT&T U-verse service isn’t available for the address associated with this phone number:

Another year goes by with the constant battering of advertisements from AT&T amid the tortoise and other ATT-denigrating “Slowski” campaigns from their chief rival, Comcast. Again and again I check my telephone number and sign up for “tell me when U-Verse” notifications. I constantly hear of friends and colleagues that are getting their U-Verse connections all over California (even remote parts). Still no sign of U-Verse in our part of San Ramon 😦

Finally, well over another year later, I am hearing more pitches and received yet another series of Email requests to sign up for U-Verse. Once again that disappointing phrase comes up:

We’re sorry. Currently, AT&T U-verse service isn’t available for the address associated with this phone number:

I have no idea why AT&T can’t either get its act together and deliver its promise, or tell its back-yard neighbor customers what technologies, process (or politics) of the local town infrastructure have been blocking our ability to receive this service. It just seems that if a company wants to be commercially successful the LAST thing it should be doing is shouting availability from the rooftops when there seems to be no capability to deliver it to much of the audience!

One of these days, AT&T might eventually wander up the hill and connect us or maybe we’ll see the Verizon guy with the glasses appear instead?

Ah well, should I again don the pink glass spectacles and chant: “all I want for Christmas is High Speed Internet (That doesn’t involve Comcast)”!

*** Update Feb 2010 ***
STILL NO U-VERSE GOOGLE – Please connect San Ramon to your Fiber link and sock it to ATT 🙂

*** News Flash March 2010 ***
I was informed by a workmate that ATT is cutting up roads and digging huge long trenches only a few miles away in Dublin. Wow – could this finally be some high-speed fiber closing in?

NOT A CHANCE *sigh* After my colleague asked the works foreman if that was fiber being pulled the answer was NO JUST REPLACING THE COPPER – AAAAGGGHHH!! ATT what is wrong with you, if you are digging up roads why oh why are you NOT putting in fiber for goodness sake??? Is it as simple as you ordered a load of copper ten years ago and have to bury it somewhere??

*** Fast Forward – May 2014 ***

Now I have both Comcast/Xfinity (Cable), plus a worthless cable box bypassing the most excellent tuner in my TV, AND AT&T/DSL internet connections in the house, and they are equally dysfunctional, outrageously wasteful, customer-disenfranchising organizations. We did briefly sign up with Direct-TV (with a view to displacing Comcast TV) but alas the only workable but enlarged (due to low-azimuth/weak signal) dish placement was right over our backyard deck and seating area. The cancellation process was a breeze; I have to say that the Direct-TV marketing and service personnel were exceptional, however I fear that will be severely diluted when mashed up with the AT&T marketing machine 😦

Unbelievably, 5 years on, ATT continues the onslaught of marketing: endless telemarketing sales calls, $4 Million spots at the Superbowl, fliers. Reportedly the annual marketing budget for AT&T is $2.36 BILLION (albeit slightly less than Comcast’s). Add to that the massive many-$BILLIONS war chest of cash used to buy Direct-TV, matching Comcast’s insatiable appetite to buy the competition. Customers should ask (of both companies), after all this, what is left of their subscription to actually provide some form of value-added service?

At least we can now get ATT U-Verse Internet (I don’t want/need voice) but no TV (though I can’t wait to start getting the ATT/Direct TV marketing crud – yeah right!), but I can still see the ATT regional HQ from my back yard. I understand a number of the employees there are being laid off or shifted to Texas? Perhaps that HQ has a questionable future.

(Twitter: MPWA)