Do Not Burn Our Flag

I do not care what the context is or was. I do not care if you were manipulated and weak minded enough to be influenced by “fake Facebook” or “the Manchurian candidate” or some conspiracy theory or anything else. This is tragically disappointing and a pathetic attempt at free speech.

IF that is what happened. First the image:

(Questionable photo origin, but AP ran it.)

Emotionally, and patriotically, I gotta say this image is horrific to view for me no matter how it came to be.

Just don’t. Do NOT burn our flag on American soil. Any cause you might think you are representing is immediately debased. And delegitimized. It’s so egregious, at least to me, I can’t possibly fathom someone thinking this would advance their cause.

I can’t help but notice the person holding the fire is carefully cropped out of the frame. So perhaps, like the media, I have been tricked by people seeking to divide our country.

But, just WOW, this is a real hot-button for a lot of us. It is painful to view.

As I’ve said before, the Presidency is an “office” – not a “person.” Disagreeing with the current office holder, as the majority of Americans do, does not justify this.

If it’s Russian propaganda by their new Emperor-for-Life seeking to further divide us – you got me. If it’s homegrown idiots, even if behind a cause you believe in, you have cemented your place in history as traitors.

Do NOT burn the flag my Father, my Uncles, my Mother, my Brother, my Greats, my friends, fought to defend. The flag is a representation of an ideal. That we are all equal. That together we are one.

e pluribus unum

out of many, one

(the motto of the United States)

In closing, I am highly suspicious of the origin and veracity of the photo. The photographer at a protest can’t tell what is “theatre” and what is “spontaneous.”

I just know in my heart, despite everything going on in 2020, that we must stick together. Out of many, one.

#peace

Lighting is the new Power Suit – Home Lighting for Zoom Conference Calls

When suddenly we are all on video chat much more than ever before, lighting becomes a big deal. When meeting with the boss or a client you typically want to look your best, which in the past meant wearing your “power suit” – the clothes you felt made you look your best!

In the age of Agile Meetings daily and constant Zoom meetings, you are probably “seeing” clients and your boss more than ever! So you want to look your best. The secret is pretty simple: lighting. And it doesn’t have to be expensive.

I’m no model, but for me, this is the basic goal.

Without any lighting hacks, I look like this (taken the same day, same time, just without the bounced light).

Would you want to work with this guy? He looks brooding!?
It’s just the harsh direct light from the window and the low quality camera on the laptop.

This is the concept of what we are trying to achieve. A *cheap* studio lighting setup using as many existing props as we can. Awareness of your lighting, and placing a book in the coffee shop window to reflect light up for those early video conferences in SOMA, can make all of the difference. For now, let’s just look at your home “work spot”. This is the goal along with a few obstacles.

TOP VIEW: Our lighting goal to achieve decent video lighting in the age of COVID19 and Zoom.

For me, this is what I had to start out with. And how I managed to put together a solution using just one “flood light” reflecting off the ceiling and other readily available lighting sources, and hiding all of the actual junk that lives in my workshop/office/cave. And I have most of it out of frame even in this photo – suffice it to say I need to clean the place.

I’m not saying either photo is great, but the top photo is definitely the winner out of the two. Especially when you consider that the screen capture was taken in my workshop/office chaos, I don’t think this is a bad, non-cluttered result.

Live result – white balanced, somewhat even lighting, and definitely more reflective of the fact that I was truly listening to someone speak. The image more closely reflects the respect I was giving, and that the speaker, deserved.

While mine is attached to a studio tripod, it could just as easily be attached to the wall or a chair, whatever, as long as you can point it UP so it bounces off the ceiling and walls.

Can light for $8 with a clamp. FLOOD light pointed up.

So there is your “can” light with the clip and the flood reflector. Now to bounce a light off of the ceiling. I’d recommend LED first and foremost. Energy efficient and MUCH COOLER. Lighting in a studio can get very hot. You want the equivalent of at least 75 to 100 watts. Plus most LED bulbs run much cooler and most are frosted, and that is part of the goal: diffused, softer lighting.

If the can light is 10 bucks, say the LED flood light is 10 bucks, you have gone from zero to being an active participant in the ZOOM meetings!

It’s a power suit. If you think lighting isn’t complementing your appearance, talk to a photographer because it just means the lighting isn’t set up properly. Or google it. But I promise you don’t need a $1000 ring light or something.

Bonus: minor details you might have missed.

  1. FILL the frame. The exception is when more than one person is on one camera. But generally “filling the frame” is the right way to go given the small size of the image in a grid display for everyone else.
  2. Keep the background simple. It can distract people and also slows down the transmission rate.
  3. Have a good “fall back photo” for those long meetings when you do need to go grab a glass of water. Just don’t ever let a green circle with your initials show up in your place. It’s unprofessional and tells everyone you don’t care AT ALL.
  4. On my chair, I use an old jacket bunched up to give me lumbar support so I sit up straight.
  5. It’s OK to get two lights and use one as a fill on one side, just use a lower power light (100 watt on the right, maybe 40 watt on the left). Although in that case I’d use a 120 watt bulb and a better reflector to save energy and keep the room cooler.
  6. Everyone’s head will reflect light. It’s OK to use makeup, even for you guys, depending on the importance of the call. I also sometimes use a napkin or a tissue over the light (ONLY LED LIGHTS TO AVOID FIRES!) But ya, just a little diffusion. Bring the light up closer and then diffuse it more with a white cloth/tissue/paper/something. Or physically move the light back and let the distance diffuse it.

Pro tip: Drink warm water. Cold water can give you frog throat. And use a good quality microphone. Don’t get a $10 headset at walgreens. Spend the money on a good headset or your voice will sound tiny and nobody can hear you.

Happy Zooming!

COVID19 – Until We Expand Testing it Will Not Be Solved

When Roses Die Because They’re Already Cut

From the article by a Canadian in Florida returning to Canada by car. She left out of concern that Floridians were ignoring the Coronavirus Pandemic. (I will try to track down the link and update.)

Canadians are divided, politically and geographically, but compared with our neighbours, our divisions are trifling. … There are disagreements, as is proper in a democracy, about the best course to take, but the virus (in Canada) has not been turned into a political weapon, as it has in the United States, where attitudes about the illness sharply diverge on partisan lines.

With catastrophic leadership and a lack of social solidarity, the United States looks like it is going to get hit hard, which is tragic, because it has the resources to stop the virus in its tracks. What it doesn’t have is the leadership, the will, the social solidarity, to get equipment to health-care workers and convince everyone to stay home for a few weeks.

I am afraid that partisan division, fuelled by a narcissistic, attention-seeking president, is going to cost the Americans dearly.

It reminds me of this quote from President Bush:

“The difficulty of the task is no excuse for avoiding it,” George W. Bush

And right or wrong is for history to judge, usually. W did not hide from facts. I say this because as a society we need less of this imagery.

ReadyHarris.org

And more of this:

A Happy Squirrel
Beautiful Sunsets, Even if Taken From Quarantine

We need a lot more positive images, but only those based on facts. If you, as a leader, give one iota about who genuflected to you for doing your job, then you may have picked the wrong job.

Facts: Sadly, since this last Thursday, (today being Sunday, March 29, 2020), deaths from COVID19 went from 1,000 to over 2,000 on Saturday – and a current count of 2,348.

The above image shows the current reality in the United States as of March 29, 2020 at approximately 1 PM EST.

https://www.theguardian.com/world/ng-interactive/2020/mar/29/coronavirus-map-of-the-us-latest-cases-state-by-state

A third of Coronavirus patients admitted to ICU – Lancet Medical Journal – Jan 2020

A familiar cluster of pneumonia associated with coronavirus
progression of the Coronavirus in a patient over time
This is the progression of the Coronavirus in a patient over time. This is why we quarantine.
https://www.thelancet.com/action/showPdf?pii=S0140-6736%2820%2930183-5

I’m stunned by this: “Lancet, the British medical journal, published an article in January, based on studying a small group of patients, which found that a third of people (infected with the coronavirus) had to be admitted to intensive care units.”

The reason that stuns me is that it is from January and it is now March. We lost significant time responding to an obvious issue: the supply of ventilators and ICU beds is vastly insufficient for that level of infection.

That quote on Covid-19 is from today’s New York Times article, March 20, 2020, titled “Behind the Virus Report That Jarred the U.S. and the U.K. to Action”

https://www.nytimes.com/2020/03/17/world/europe/coronavirus-imperial-college-johnson.html

Statistics from the Imperial College of London predict what an uncontrolled spread would mean. This data is from the WSJ article (this will NOT happen; it shows what COULD have happened without non-medical intervention.)

  • 510,000 deaths in Britain
  • 2.2 million deaths in the United States

I repeat – the ABOVE predictions will NOT happen because of non-medical intervention. It does represent what could have happened. And the final numbers, while less than the above, will be greater than they needed to be.

Back to the WSJ article:

The (now debunked) theory (ignoring coronavirus) is that this would build up so-called “herd immunity,” so that the public would be more resistant in the face of a second wave of infections next winter.

Dr. Ferguson has been candid that the report reached new conclusions because of the latest data from Italy, which has seen a spiraling rate of infections, swamping hospitals and forcing doctors to make agonizing decisions about who to treat.

My opinion: Let me translate the phrase “build up ‘herd immunity’” – because I went to Texas A&M with a BS in POLS and my wife is an Agricultural Science major as well. “Herd Immunity” basically means building up immunity, in the absence of a vaccine, “culling of the herd” or “survival of the fittest” or “the weak or those predisposed to the virus will die.” – Ed

And….

“Based on our estimates and other teams’, there’s really no option but follow in China’s footsteps and suppress.”

My opinion: Let me interject here again. If the public had known that up to 1/3 of all patients with the coronavirus needed treatment in an ICU with ventilators, I’m going to guess we wouldn’t be where we are now. Back to the article. – Ed

…the burden on hospitals was clear as far back as the original outbreak in Wuhan, China. Lancet, the British medical journal, published an article in January, based on studying a small group of patients, which found that a third of people had to be admitted to intensive care units.

I can’t help but feel angry that it has taken almost two months for politicians and even ‘experts’ to understand the scale of the danger from SARS-CoV-2,” said Richard Horton, the editor-in-chief of Lancet, on Twitter. “Those dangers were clear from the very beginning.”

(PDF on Coronavirus from Lancet, search for more.)

My Opinion: My understanding from reading the above article, is that the Lancet feels their advice was ignored for two months and our leadership didn’t take it seriously, causing greater pain. I get that.

This is what your lungs look like with the Coronavirus (Covid-19)

COVID-19 Lung Scans Through the Treatment Process
https://www.thelancet.com/action/showPdf?pii=S0140-6736%2820%2930183-5

Like all Global Citizens, I believe we are in an unprecedented time. I hope and pray the miracle of humanity can solve this pandemic as soon as possible.

I’ll do my part as best I can. – Ed

hunting botnet attacks and reporting to the host

Cyber Alert Dashboard Example

I like to demystify things for people who aren’t completely tech savvy, hopefully using words that are human readable, although anything having to do with information security (infosec) is going to read a bit geeky. To that end, this is an attempt at a human readable example of tracking down an IP address that was attacking our network today. Let’s start with THE FACT that your network admin CAN give you visual open source tools. This is important if you want accountability and awareness. Like this:

Most networks (hopefully) have endpoints that include firewalls and extensive logging. Frequently the logs are redundant for verification purposes. Usually the firewalls feed tools like OSSEC to help decipher what is going on. We run multiple tools for network monitoring, but my “go to” is Elastic Stack (also called an ELK stack) because the whole team can visualize things in Kibana and bring it to our attention if we happen to take 5 minutes off for lunch.

Looking at the Wazuh plugin tab in Kibana I noticed an increase in rule id 31303, which is a Critical NGINX error.

The log file includes this snippet:

Graph of OSSEC Network Security Alerts Over Time
A visual graph from OSSEC visualized by an ElasticStack

When we drill down into the logs in Kibana it parses things out to be a little easier to read. This matters because we need the detail to report the bad ip address.

FROM THE LOGS: SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking

So who is the bad guy? Who owns this IP address? Arin.net answers that for us, either with the owner or by pointing you to a different registrar that can tell you the owner. In my situation it was a US based IP address, 23.100.232.233.

Straight up, most of us in InfoSec actually prefer using the command line because we can filter the data faster that way. Still, if you can’t “see” it in a report, in my experience it rarely happens. A typical command would be something like this if I wanted to help my SEO manager prioritize which 404 pages to fix first (the 100 most-requested paths that returned a 404; a bare '404' pattern will also match lines where 404 appears in the path or byte count, so anchoring it with the surrounding spaces is tighter):
grep '404' /log/file/path/nginx/access.log | sed 's/, /,/g' | awk '{print $7}' | sort | uniq -c | sort -n -r | head -100

Now back to our story of finding the botnet hitting our endpoints: Mr. 23.100.232.233.

We go to arin.net. The ARIN URL is: https://search.arin.net/rdap/?query=23.100.232.233 which shows the owner and further delegates.

It goes on to show that the owner is Microsoft.

Source Registry: ARIN
Kind: Org
Full Name: Microsoft Corporation
Handle: MSFT
Address: One Microsoft Way Redmond WA 98052 United States

And it continues:
To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to: https://cert.microsoft.com.

Perfect! They are telling us exactly how to report the problem to Microsoft. Now we want to be a bit more helpful, so let’s try to figure out what it is in more detail. There are many tools; just google “ip address reputation” and you will get something.

We have the data from the logs so let’s try to find out what the attack is. Google for other options, but I picked this one today:

https://www.abuseat.org/lookup.cgi?ip=23.100.232.233

RESULTS OF LOOKUP
23.100.232.233 is listed
This IP address was detected and listed 4146 times in the past 28 days, and 137 times in the past 24 hours. The most recent detection was at Fri May 31 17:35:00 2019 UTC +/- 5 minutes
This IP is infected (or NATting for a computer that is infected) with an botnet that is emitting email spam. The infection is probably necurs.

necurs is also known as: WinNT/Necurs.A, Mal/Necurs-A (Sophos), RTKT_NECURS.SMA (Trend Micro), Trojan.Hosts.5268 (Dr.Web), Trojan.Win32.Genome.aglua (Kaspersky), Trojan.WinNT.Necurs (Ikarus), Win32/SpamTool.Tedroo.AS (ESET)... etc...

Microsoft told us exactly how to report it, so we can go to https://cert.microsoft.com and enter all of our data with confidence. And they are far more likely to take action when given the exact data, logs, and type of attack in detail.
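As an added example (not the blog’s own code or tooling), here is a Python script that does the log-side half of this procedure offline: it parses nginx error-log lines of the same shape as the one quoted above, counts the TLS “version too low” handshake failures per client IP, builds the ARIN RDAP lookup URL for each suspect, assembles the details an abuse desk asks for, and pulls the abuse contact out of an RDAP-style response. The sample log lines, the RDAP JSON, the abuse address, the threshold and all the helper names are assumptions constructed for this illustration; only the IP 23.100.232.233, the nginx error text and the RDAP URL pattern come from the post.

```python
import json
import re
from collections import Counter

# Constructed nginx error-log sample (same message shape as the line quoted
# in the post; timestamps, connection numbers and the two other client IPs
# are made up for this example).
SAMPLE_ERROR_LOG = """\
2019/05/31 17:31:02 [crit] 1234#1234: *55 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 23.100.232.233, server: 0.0.0.0:443
2019/05/31 17:31:05 [crit] 1234#1234: *56 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 23.100.232.233, server: 0.0.0.0:443
2019/05/31 17:32:10 [error] 1234#1234: *57 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: example.org, request: "GET /favicon.ico HTTP/1.1"
2019/05/31 17:33:44 [crit] 1234#1234: *58 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 203.0.113.9, server: 0.0.0.0:443
2019/05/31 17:35:00 [crit] 1234#1234: *59 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 23.100.232.233, server: 0.0.0.0:443
"""

# Constructed, minimal RDAP-style answer (a real ARIN record is much larger);
# handles and the abuse address are placeholders, not real contacts.
SAMPLE_RDAP = json.dumps({
    "handle": "NET-PLACEHOLDER",
    "entities": [
        {"handle": "ORG-PLACEHOLDER", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Org"]]]},
        {"handle": "ABUSE-PLACEHOLDER", "roles": ["abuse"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Abuse Desk"],
                                  ["email", {}, "text", "abuse@example.net"]]]},
    ],
})

# nginx error-log layout: "YYYY/MM/DD HH:MM:SS [level] pid#tid: *conn message, client: IP, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"\d+#\d+: \*\d+ (?P<msg>.*?), client: (?P<client>[0-9a-fA-F.:]+)"
)
HANDSHAKE_MARKER = "SSL_do_handshake() failed"


def parse_error_log(text):
    """Turn nginx error-log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def handshake_failures(events):
    """Count failed TLS handshakes per client IP (the 'crit' lines behind rule 31303)."""
    return Counter(e["client"] for e in events
                   if e["level"] == "crit" and HANDSHAKE_MARKER in e["msg"])


def suspects(counts, threshold):
    """Client IPs with at least `threshold` failures, busiest first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def rdap_url(ip):
    """The ARIN RDAP query from the post; it names the owner or delegates onward."""
    return "https://search.arin.net/rdap/?query=" + ip


def abuse_contacts(rdap_json):
    """Collect e-mail addresses from RDAP entities that carry the 'abuse' role."""
    found = []
    for ent in json.loads(rdap_json).get("entities", []):
        if "abuse" not in ent.get("roles", []):
            continue
        for prop in ent.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "email":
                found.append(prop[3])
    return found


def build_abuse_report(ip, events):
    """What an abuse desk asks for: hit count, time window, raw sample lines, lookup URL."""
    hits = [e for e in events if e["client"] == ip and HANDSHAKE_MARKER in e["msg"]]
    return {
        "ip": ip,
        "count": len(hits),
        "first_seen": hits[0]["ts"] if hits else None,
        "last_seen": hits[-1]["ts"] if hits else None,
        "rdap_url": rdap_url(ip),
        "samples": [f'{e["ts"]} {e["msg"]}' for e in hits[:3]],
    }


if __name__ == "__main__":
    evts = parse_error_log(SAMPLE_ERROR_LOG)
    counts = handshake_failures(evts)
    for bad in suspects(counts, threshold=2):
        print(json.dumps(build_abuse_report(bad, evts), indent=2))
        print("abuse contacts (constructed RDAP):", abuse_contacts(SAMPLE_RDAP))
```

Run it as-is to see the report for the one IP that crosses the (assumed) threshold of two failures; on a real box you would feed it the nginx error log and the JSON fetched from the RDAP URL it prints. The single-event client and the ordinary 404 line are left out of the report on purpose, so the abuse desk only sees the repeated handshake failures.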

For those of us managing large and numerous websites that are constantly under attack, we have seen a HUGE increase in attacks over the last 10 years.

Y’all, we really are in a cyberwar, and while the Navy gets ships, the Air Force gets planes, and the Army gets the tools they need, in the US most of the cyber warfare defense is literally left up to private companies and private individuals who are not part of any organized force nor provided assets to fight the war. Kind of scary, huh?

CoronaVirus – Markets Move on Emotion not Fundamentals

Now we see fears and the reality of coronavirus hitting the markets hard.

coronavirus

I’ve said it before, so this is repetition, but worth repeating. Stock markets move on emotion much more than the fundamentals. Companies are overvalued because there are more people with more money in pensions and the money has to go somewhere.

Stock Market Movement with Coronavirus Last two weeks

Source: https://www.msn.com/en-us/money/markets

I also highly recommend this informative thread on twitter regarding research on coronavirus so we can all hopefully keep it in perspective. It’s linked with more detail on my linkedin at https://www.linkedin.com/feed/update/urn:li:activity:6641792800314675200/

Your 2nd Amendment Rights Are About to be Taken Away by the Senate

This is a crosspost with editorial commentary (by me) from https://blog.tendenci.com/mlk-day-2020-read-the-docs/ . I wrote that post, and given this is my personal blog I’ll add a bit more of my opinion on the topics of today, **

Disclaimer: I’m a programmer and an established businessman with a long history of accomplishments and contributions to the global community. But mostly to America as that is where I am a proud citizen. I’m an independent because I grew up on Army bases throughout the world and in the Military (I have *not* served, my parents and brothers have), we were taught to NOT be partisan. TAMU reinforced that. It forces you to THINK. I’m not allowed to be a sheep to any cult on either side. And because I LOVE my country, that’s how I roll. Deal with it or stop reading. For reference, eschipul on linkedin

Let’s start with this. The US Senate is about to take away your Second Amendment rights to bear arms. Yes, read that again. We are going to lose our right to bear arms. Guaranteed.

Why? Because we can’t just pick and choose which parts of the Constitution we want to follow. Logically, if you do that, when a new “King” takes over, they will strike through the articles and amendments that THEY don’t like.

Yes, the “conservative” party (a misnomer as neither party is conservative or liberal if you actually read their party planks) is missing the fact that if you ignore the part of the Constitution at the request of one branch of the government, then ALL of the constitution is subject to dismissal by future Executive Branch leaders.

If this becomes true, which we all hopefully pray it doesn’t, we will have become either a monarchy, a dictatorship, or an autocracy. (Think Cuba under Castro.)

The Title of Nobility Clause is a provision in Article I, Section 9, Clause 8 of the United States Constitution,[1] that prohibits the federal government from granting titles of nobility, and restricts members of the government from receiving gifts, emoluments, offices or titles from foreign states and monarchies without the consent of the United States Congress. Also known as the Emoluments Clause, it was designed to shield the federal officeholders of the United States against so-called “corrupting foreign influences.” The clause is reinforced by the corresponding prohibition on state titles of nobility in Article I, Section 10, and more generally by the Republican Guarantee Clause in Article IV, Section 4.[2]

https://en.wikipedia.org/wiki/Title_of_Nobility_Clause#Presidential

Let’s start with “Freedom of speech.” That means if I start a company, and grow a following in social media or whatever, I can express my opinion, right? So this is me saying that Dr. Martin Luther King Jr. personified the leadership I expect of my elected officials. And he wasn’t elected – he was a LEADER.

Was MLK a perfect man? Of course not. But daaaaaammmnnn, he was patriotic. He understood that strong resistance to social injustice is STRONGER when it is done PEACEFULLY. That is strength.

Dr. King’s actions, peaceful and strong, are what makes America great. Not the valuation of the top 1%’s investments.

The American experiment is about PEOPLE. You, me, all of us. Together. As RFK stated.

Yes, obviously we must stand with a strong military behind a voice of reason. But that amazing power requires rational leadership. And real power comes from truth. To find truth, in a country ruled by LAW, you can’t ignore subpoenas. The Mafia does that.

Martin Luther King Jr. addresses a crowd from the steps of the Lincoln Memorial where he delivered his famous, “I Have a Dream,” speech during the Aug. 28, 1963, march on Washington, D.C.

On this day, on Martin Luther King Jr. day 2020, we encourage everyone to read Dr. King’s speech.

Don’t read the news “about” it. Read the docs! https://www.archives.gov/files/press/exhibits/dream-speech.pdf

That is the end of the post on blog.tendenci.com, the company blog. It also ran as the masthead on https://www.tendenci.com yesterday and was posted to all of our social media accounts.

As a true patriot and believer in the American dream, I must speak out as I see bipartisanship and an American public accepting the replacement of the K-street swamp be replaced by an even more corrupt corporate swamp of national intrigue. I’m disappointed in us.

What do I ask of you? I have no authority or ability to ask anything of you, except rationality.

Understand this: if the Senate ignores the facts, refuses to hear the facts, refuses to read the documents, not only will you lose your right to bear arms, but the very fabric of our country will be shredded and we will truly be subject to tyranny of the majority.

And being raised Catholic, people who were also persecuted in the global tragedy of WWII, American “dough-boys” who literally saved the world, will have succeeded only briefly. Only to see our rights thrown out the window by a reality TV personality.

In closing: to those who think I am “flip flopping” – I am not. The data has changed. Only a fool doesn’t change their views when their data changes. I don’t suffer fools. Nor should you. We will not only lose our 2nd Amendment right to bear arms, but the supposedly conservative party will have distorted the constitution to make all rights “questionable.”

** The great fool is he in whom we cannot tell which is the conscious and which the unconscious humour; we laugh with him and laugh at him at the same time.

https://en.wikipedia.org/wiki/Suffer_fools_gladly

Microsoft Worm Exploit Danger and Huawei Unintended Consequences

NSA Advisory

From the article titled: Warnings of world-wide worm attacks are the real deal, new exploit shows

It was posted Tuesday by Sean Dillon, a senior security researcher at RiskSense. A play-by-play helps to underscore the significance of the feat.

https://twitter.com/zerosum0x0 and reinforced by the NSA:

Source: https://arstechnica.com/information-technology/2019/06/new-bluekeep-exploit-shows-the-wormable-danger-is-very-very-real/

“It’s these last six seconds (of the video) that underscore the danger posed by the vulnerability, which according to Internet scan results posted eight days ago remains unpatched on almost 1 million computers. The flaw, which is indexed as CVE-2019-0708 but is better known by the name BlueKeep, resides in earlier versions of the Remote Desktop Services, which help provide a graphical interface for connecting to Windows computers over the Internet. A much more detailed blow-by-blow is here.”

(It) Only takes one unpatched system to spread

Last Friday, members of the Microsoft Security Response Team practically begged organizations that hadn’t patched vulnerable machines to do so without delay, lest another WannaCry scenario play out. “It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread… officials with the National Security Agency on Tuesday echoed Microsoft’s warning. The video posted by Dillon, particularly in the last six seconds, demonstrates that the danger is in no way exaggerated.

If the intermingling of Mimikatz and a critical Windows vulnerability to devastating effect sounds familiar, it’s probably because that’s how another paralyzing worm, dubbed NotPetya, managed to wipe out entire networks. According to an analysis from Kaspersky, NotPetya, which is regarded as the most expensive malware attack in history, used the Eternal Blue exploit developed by and later stolen from the NSA to exploit one or more vulnerable machines. NotPetya,

and

In the NotPetya analysis, Kaspersky researchers wrote, “IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.”

Source: https://arstechnica.com/information-technology/2019/06/new-bluekeep-exploit-shows-the-wormable-danger-is-very-very-real/

My Thoughts on EternalBlue, BlueKeep and Why These Are Human Problems

Closing thoughts: NOT all countries can realistically afford the cost of the Windows Operating System in their schools. But without that experience they can’t compete, so they use hacked versions. If you lived in Indonesia or Mongolia, what would you do?

Those companies, with employees using hacked systems in countries of different economic status, are possible subcontractors for international global leaders (like Maersk, for example). They are the weak link, because a hacked Windows system can’t be patched.

To be clear: I do *NOT* agree with software theft. But I also don’t agree with sloppy work on the part of our security agencies that have the resources to secure the nuclear weapons of the cyberwar that are being unleashed against not just the US, but the world.

We all need to stop and think about the overall situation. I believe the existential threat of EternalBlue, a gift that keeps on giving, is that it was an American agency funded by the US tax payers that did not report the vulnerabilities to an American software company. For years.

Unintended Consequences of Huawei and Google Android Patch Ban (possible)

Bonus Round: What if nobody can patch their Android phones, or at least half of them? That would be awesome. Or not. And that looks like a definite possibility in the near future if Google cuts Huawei off from Android patches per US restrictions.

When the dollar’s primacy dwindles the US hegemony ends

From the article, (and I believe we are already there):

“A major blunder would be pushing too hard with financial punishments, and incentivizing Moscow and Beijing to bypass the U.S. trade and monetary order.

When the dollar’s primacy materially dwindles, that will be game over in the balance of power with the East.”

Source: https://www.axios.com/russia-china-security-threat-69567dd1-b618-4ef4-8852-4f09bb432327.html

If people don’t realize cryptocurrency “payment channels” (basically like a purchase order between merchants – settled up later but pre-approved) is a threat to the petrodollar, they are mistaken. The USD is nothing more than what we would call “proof of stake” in the crypto world. The Fed is the issuer, the stake.

Energy traded based on a proof of stake crypto currency pinned to the future value of a fiat currency in, say 30 days, via a smart contract could replace the influence of the US at a global level – I believe you are mistaken.

Equifax Breach via Apache Struts Framework

Equifax Hack via Apache Struts

As reported last Friday, Equifax, the personal credit reporting agency, had a 2017 data breach of 143 million people’s identities. It started in May 2017 and is only now (August 2017) being disclosed. It is going to impact all of us. Sources:

  1. Equifax data leak could involve 143 million consumers
  2. PSA: no matter what, Equifax may tell you you’ve been impacted by the hack
  3. Did Lack of Visibility into Apache Struts Lead to the Equifax Breach?

From the second article on the Equifax breach linked above, this portion really galls me:

… not only are none of the last names tied to your Social Security number, but there’s no way to tell if you were really impacted.

It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.

Earlier it was revealed executives had sold stock in the company before going public with the leak. We also found TrustID’s Terms of Service to be disturbing. The wording is such that anyone signing up for the product is barred from suing the company after.

The following phrase alone, if true, combined with Equifax literally trying to monetize their security errors, is what gives capitalism a bad name:

The wording is such that anyone signing up for the product is barred from suing the company after.

I have to believe the Equifax PR team is working for PharmaBro or Putin trying to make them look good in comparison.

Note: Equifax has changed the indemnification, but only under duress imho. Furthermore 30 days free credit monitoring by the company that released your data and then you will have to pay monthly still seems wrong. But to be fair, here is their update:

Questions continue to be raised about the arbitration clause and class action waiver language that was originally in the terms of use for the free credit file monitoring and identity theft protection products that we are offering called TrustedID Premier.
(Editor: well ya, duh!?)

We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.
(Editor: but did you fire the person who did it in the first place?)

I get it. Nothing is secure. If the NSAs hacking tools get stolen and OPM loses all of the data on security clearance checks on our own people, then truly nothing is safe. I get it.

What I do not understand is a company as large as Equifax not being prepared for something like this. That Equifax did not announce it promptly. That Equifax executives sold stock before announcing it. That Equifax then attempted to indemnify themselves. That Equifax is using the crisis to sell a monitoring service that you have to pay for after 30 days. A service to monitor YOUR data that THEY lost control of!

This boggles the mind of a PR Professional.

The Internet was not built for e-commerce – it was built for knowledge sharing in a “walled garden”. Therefore keeping sites secure is not possible. Any security professional will tell you best practice is to white-list good guys (selective inclusion) as opposed to trying to find every attack and block it. Therefore the difficulty at a high level is primarily in identifying and blocking bad actors.
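The white-list point above, as an added example that is not from the original post: a denylist can only reject the bad inputs its author thought of, while an allowlist accepts only what is positively known to be good and rejects everything else, including inputs nobody anticipated. The username field, the character sets and the sample inputs are constructed for the demonstration.

```python
import re

# Constructed sample inputs for a hypothetical "username" field.
SAMPLE_INPUTS = [
    "alice_01",        # plainly legitimate
    "bob<script>",     # contains a character the denylist knows about
    "carol;drop",      # a character the denylist author never listed
    "dave\u200b",      # trailing zero-width space: invisible, never listed
    "",                # empty value, which no denylist can object to
]

# Denylist ("find every attack and block it"): enumerate bad characters.
DENYLIST = set("<>'\"")

def denylist_accepts(value: str) -> bool:
    """Accept anything containing none of the characters we thought of."""
    return not any(ch in DENYLIST for ch in value)

# Allowlist ("selective inclusion"): describe exactly what good looks like.
ALLOWLIST = re.compile(r"[a-z0-9_]{3,32}")

def allowlist_accepts(value: str) -> bool:
    """Accept only values that fully match the known-good pattern."""
    return ALLOWLIST.fullmatch(value) is not None

def missed_by_denylist(values):
    """Inputs the denylist waves through but the allowlist rejects.

    Each of these is something the denylist author simply did not foresee;
    the allowlist needed no foresight about attacks to reject them.
    """
    return [v for v in values if denylist_accepts(v) and not allowlist_accepts(v)]

if __name__ == "__main__":
    for v in SAMPLE_INPUTS:
        print(repr(v), "denylist:", denylist_accepts(v), "allowlist:", allowlist_accepts(v))
    print("missed by denylist:", missed_by_denylist(SAMPLE_INPUTS))
```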

I hate to say it folks, but we are playing whack-a-mole with your identity and money. It will always be an uphill battle to maintain security on the Internet and you will never ever be 100% safe.

As reported by Black Duck (awesome people btw), the specifics of the attack on Equifax are currently easily exploitable on similar sites.

This is like Hurricane Harvey – it’s not even close to over.

some bi-partisan good news – uptick in crime is a bump in overall decline

We get plenty of bad news so let’s talk about crime trends again. From the article:

Using the FBI numbers, the (crime) rate fell 50% between 1993 and 2015, the most recent full year available. Using the BJS data, the rate fell by 77% during that span.

Click the image below for actual facts about crime in America (And here’s something to listen to while reading to make it more dramatic.)

Pew Research on Crime Decline in US

http://www.pewresearch.org/fact-tank/2017/02/21/5-facts-about-crime-in-the-u-s/ 

More from the article:

Property crime has declined significantly over the long term. Like the violent crime rate, the U.S. property crime rate today is far below its peak level. FBI data show that the rate fell 48% between 1993 and 2015, while BJS reports a decline of 69% during that span.

And then there is the disparity created by the advertising-supported media that influences our brains. We are gullible.

Public perceptions about crime in the U.S. often don’t align with the data. Opinion surveys regularly find that Americans believe crime is up, even when the data show it is down.

Although it’s not all good.

Many crimes are not reported to police. In its annual survey, BJS asks victims of crime whether or not they reported that crime to police. In 2015, the most recent year available, only about half of the violent crime tracked by BJS (47%) was reported to police.

Bottom line? Stay thirsty for the facts my friends. We can’t always drink the Kool-Aid. Or the same thing. Stay thirsty for knowledge because knowledge is power.

There is no media really, only advertisers selling scary stories in the media. People Tweet alt-official-news, fake news or real news alike. So I think it’s healthy to point out (again) a few positive overall societal trends we are experiencing.

#peace

WSJ Data on Financial Decline since 2016 Election

Make no mistake, say “pro business” and then create “market uncertainty” and you get a LOT less job creation. Wall Street Journal last weekend. Data is data. Constrict capital and people like me can’t create jobs even if we want to.

(Chart: Drop in Liquidity for Business 2017 – post-election drop in cash flow)

The headline? It’s incorrect. Ask anyone – what happens when people lose access to capital? #duh

Prince was a Trickster

Prince was a trickster, the best kind of god for social scientists, and apparently The Verge agrees as well. There are numerous books on this; the last I read was called Trickster Makes This World: Mischief, Myth and Art.

Tricksters have always been with us

Are they tricksters or merely pranksters? That is up to you to discern, but that is the point, right? They stole the sun and the moon while we “took the time to watch the flowers in the garden” while doing yoga.

As one review of the book Trickster by Lleu Christophe points out:

Hyde gives equal time to the Native American Coyote, the Chinese Monkey King and India’s Krishna. At first glance, these characters are merely pranksters; humorous, sometimes annoying and occasionally dangerous ne’er do wells who disrupt the normal flow of things. As the title of this book suggests, Hyde believes tricksters are much more than this. He makes a convincing case that tricksters are essential in both preserving and transforming societies. Without their disruptions, cultural stagnation would result. He points out that tricksters can either help to maintain the status quo or bring about radical transformation.

To quote two of my favorite tricksters, Pablo Picasso and Duchamp,

Everything you can imagine is real. – Pablo Picasso

Now to quote Duchamp, an artist who “refused to repeat himself” – now that is a challenge. Every quote is subjectively abrogated by another quote from the past or the future, like a religious text – was it situationally appropriate? Duchamp stated this himself.

I have forced myself to contradict myself in order to avoid conforming to my own taste. – Marcel Duchamp

Pondering whether a trickster’s response is situationally appropriate is in and of itself a huge trick. Did in fact the Raven steal the sun and the moon, one, or both? Perhaps more importantly, we all know that Pablo Picasso was never called an asshole.

As for Duchamp, you can reinvent, but it takes energy to constantly come up with a unique identity. Duchamp still needed a vehicle to wrap the thread around, a thread to follow back out of the woods if he got lost.

To begin to understand Duchamp takes someone way smarter than me. I choose to view his work like the bobbin of time. We are just the blameless victim of observation. Maybe the thread broke, or maybe the thread did not break. At least a cat didn’t die in the discovery process. Right? Regardless, like the genius before his time that he was, Duchamp gave us Rrose Sélavy to at least provide one example guide, like the odd-numbered math problems solved in the back of our calculus books, so that we might, oddly enough, solve the evens.


These threads are strings. The strings are wrapped around bobbins of tricks and truth. And these bobbins are not the tiny bobbins that went in your parents’ sewing machines. These strings are the messy bobbins of someone working a weave. The bobbins are large with varied widths and inconsistencies from the vagaries of human behavior and therefore our resulting inconsistent craftsmanship.


Damn the Industrial Revolution! Of course Man Ray was there for Duchamp to accommodate the birth of Duchamp’s trickster alter ego – Rrose Sélavy:

Rrose Sélavy, the feminine alter ego created by Marcel Duchamp, is one of the most complex and pervasive pieces in the enigmatic puzzle of the artist’s oeuvre. She first emerged in portraits made by the photographer Man Ray in New York in the early 1920s, when Duchamp and Man Ray were collaborating on a number of conceptual photographic works. Rrose Sélavy lived on as the person to whom Duchamp attributed specific works of art, Readymades, puns, and writings throughout his career.

Is the Trickster dead? Well, we just lost one of the greatest tricksters of all time in Prince. I must point out the brilliance of Die Antwoord, the collaboration between “rappers Ninja and Yolandi Visser (often stylized as Vi$$er) and DJ Hi-Tek” (source).

To get a straight, stand-alone “test-of-time quote” from Duchamp, I imagine, would be like trying to get a straight answer from Die Antwoord, some of the most brilliant tricksters to emerge in years. Their collaboration makes no sense, until you realize they’re fucking with you.

They. Are. Fucking. With. You.


And the most guilty of all, of fucking with us, is Prince. So let’s go crazy because he already predicted it. Partying like it’s 1999 was stolen from us by a bunch of computer nerds warning about the two-digit date bug. We have NEVER partied like it was 1999.

You know what we can do? We can and should go crazy. If you aren’t already there yet, join us, because we look the same as you, act the same, obey the law and act ethically, but I am told there is an ethos that emerges when you “go crazy”. I don’t know, I’m not there yet, but it is a worthy topic of discussion.

Lyrics to Prince’s Let’s Go Crazy from


American corporate espionage preparedness is unprepared

American corporate espionage preparedness, in a random sample and via anecdotes, is in bad shape. We are not prepared.

(Embedded video: “The Company Man”)

The video is 30 minutes but worth it for training your team. Now a question.

What is the technical difference between a Speaker (thump thump) and a Microphone (can you hear me now?)?

NOTHING. There is no difference between a speaker, headphones or microphones. No. Difference. At. All. None.

Significance:

Plug your headset into the microphone jack on the stereo and poof – you have a mic.

Why do you care? Because your employees may be relaxing after work at the local vegan cafe, just unwinding, spending 20 minutes at the salad bar, and nearby people hypothetically might get bored. “Hackers aren’t vegans” you say, “so it can’t happen here.”

Mics vs speakers – the answer is anyone can just put their iPhone down with the headphones in and record away. Especially if the marks are “extremely loud bar talkers” as these two were.

Identity? Well gosh, they left their credit card receipt detail side up so I could helpfully straighten their table and take a quick photo of their info on the way to the restroom.

How does this impact you? Well these two gentlemen next to me are clearly in town for a conference. Still wearing lanyards with fortune 500 company logos? Accents. Of course, we’re either the first or second most diverse city in the USA.

Again, it’s Houston – we know what’s going on. Houston is all about the back channel. And once you’re dialed in? Well, it’s kinda like The Matrix. Seriously – why else would millions of people live in a paved-over swamp with the moniker “The Bayou City”?

Back to the situation at hand. These fools are spouting corporate secrets next to me because I have headphones on and my audio turned off.

I’m white hat so no, I did not record anything and will not inform their companies nor will I inform them. No I did not take a detailed photo of their receipt although it sits just to my right at the moment as it has for 10 minutes.

Honestly, I have other battles to fight. And so do you. Yet make no mistake – if they had revealed some anti-American activity, I would have arranged for them to meet up with some of my friends who love America as much as I do, and my friends know how to handle such matters delicately.

This blog post is simply an anecdote, a story that is true, of knuckle-heads who weren’t thinking before they spoke.

As for companies that employ people, what are our options? First the obvious – we can try to hire for common sense. Then you can train and test – I do drills to test our team.

Big picture? What will work best? Dunno. I do know ignoring the issue of human hacking /social engineering isn’t the solution.

To repeat, we know humans are the weak link because I’ve tested it with my own company and as a paid approved pentester at the request of some of our clients. I’ve unfortunately been 100% successful in finding security holes in my pre-approved and client authorized tests.

Even when the employees KNEW ahead of time that someone was testing the systems, I’ve yet to fail to find an opening, and honestly I’m not that good at the whole pentesting thing … like I don’t have the best tools or an infinite budget or even a good lock pick set with a proper bump key.

In other words – I’m an amateur at best, and only to protect my own clients.

But sheesh, a little reality training would go a long way with folks like this. The humans are almost always the weak point. I was in one restaurant and they said “ya, the Internet has been spotty for days.” I said “well maybe I can help. Would you mind taking photos of the front, back, connections and the serial number on your router and I might be able to fix it.”

I still have the photos on an encrypted drive somewhere. My point is I didn’t misrepresent myself as a Comcast employee or whatever. I just said I was a customer and that I might be able to help.

Back to our main storyline. It is YOU, the management team and every employee who is handling YOUR company’s data. It should take more than sitting down next to two guys drinking IPAs for me to even have the opportunity to gather that type of intel.

And the router example where the waiter literally texted me all of the technical specs of the router? OMG, no excuse.

In the various circumstances, I fixed their internet, got their credit card processing systems working again, and reset passwords with upper management’s permission. I did what I would do with my own family’s business.

What did happen is that even with permission and weeks of advance notice, zero clients or friends have had any network my team has tested properly secured. It was not barriers already installed that blocked us. On the rare occasion we were too impatient to power through something (which we can do), it was laziness: we simply were tired and wanted to go home. So we’d just ask a manager and say it was part of the test. Seriously.

Grok that. Leaders at a company who were specifically told who we were, that we were there to test network security, that it was serious and they were to block us in every way possible. Those managers would give us the keys to the kingdom if I asked the right way. (The “right way” is vague on purpose. I’ll do another post on that one later.)

Perhaps the scariest part is that I personally was never impeded by even the most basic security training for these employees or their own intellectual “well duh, I shouldn’t do that” factor. In every instance, if I hit a roadblock, they helped me bypass any remaining obstacles.

  1. Train. Train. Train your people.
  2. Know, don’t expect but know they will get in. So shrink the attack vectors and restore from a known clean backup regularly.
  3. Try not to get anyone fired. The business owner would have been just as clueless.

—————–

PS – for the curious, the fastest network break-in I’ve ever done? 5 minutes. The owner asked us to test his network security. I agreed and we agreed on a price (remember, this guy didn’t know me from Adam). Then I said “of course we’ll need your login to monitor how the red team is doing.” He then just blurted out his username/password for the network and for his email. And assured us it wouldn’t be a problem with anything else because he always “used the same password.” Gosh. We printed nice reports and pounded sand for a few days, but it was the fastest… whatever you want to call it.

PPS – I bet if you owned stock in that corporation and liked the CEO you’d call it a hack. Similarly if a black hat, you’d call it like it was.

H4CK3D: Why my web site? What now?

Your web site will be hacked. It is inevitable. It’s not a technology problem, it’s a people problem. Wetware is the weakest link and it is us.


Motivations and mitigations when your site gets owned, because there is no true prevention. And if the OPM, Chase, Target, Ashley Madison and many more have fallen, then you will too. It is no longer sufficient to consider perimeter defenses. Your only consideration is to understand why you were attacked and how to limit, but not prevent, damages.

Questions to consider for the SXSW panel, or no panel, as regardless this is a topic worthy of discussion.

Q1
Why did someone bother to hack my site in particular?

Q2
Is this a vendetta?

Q3
How can I prevent this in the future? (hint: you can’t, but let’s talk)

it is as spurious to…

It is as spurious to over-assign unadulterated ‘credit’ to social media activism as it is to deride it as trivial and/or dangerous. The reality is that social media is part of – though by no means the entirety – of the air we collectively breathe. And new actors are appearing who are arguably without precedent and demand new understanding.
Strengthening Network Actors, TechSoup Global Summit