If you can’t trust your own, what’s the point?

The US Army and US Secret Service are working together to determine which troops participating in President-elect Joe Biden’s inauguration need additional background screening, an Army spokesperson told Insider.

“To ensure that deployed members are not sympathetic to domestic terrorists.”

Now that bit did make me laugh as in one sentence, everyone who took part in the Capitol invasion seems to have been labelled a domestic terrorist.

When paranoia takes on this level, you’ve got to be thinking,
What about the: Capitol Hill Police, other security services, car parking attendants, food prep staff, ushers, media, guests, cleaners, and even the White House cat!

Only who’s going to check them doing the vetting?

There was a rumor that the whole thing would go virtual.
Personally I’d say no to that as if something does happen, it’ll make for great TV.

Besides the ‘villain’ of the piece won’t be there.
And now I’m wondering just when does the football, and its RED button, change hands? That and what’s been planned that the villain in the piece knows about.

For example, could it be something to make the whole thing go off with a bang! (If you get my drift).

Still it’s kinda comforting to know that the US paranoia machine is working overtime. If only to give the world a good chuckle.

The cyber breach that was all down to lax security

The Russians did it? Truth is I’m not surprised.

Was US computer security found lacking?
Oh yeah, big time, and the more I read about it, the outcry from the US security machinery reads like someone is trying to cover their butt BIG TIME by deflecting blame.

The biggest smile for me was this snippet in the Guardian.

‘The only reason we know about this breach is that the security company FireEye discovered it had been hacked and alerted the US government. We shouldn’t have to rely on a private company to alert us of a major nation-state attack.’

How surprising, a private company has BETTER security in place than the state!

SolarWinds (using Orion Code), with over 300,000 customers world-wide.
[Which included a number of state establishments]
Sometime before March, hackers working for the Russian SVR – previously known as the KGB – hacked into SolarWinds and slipped a backdoor into an Orion software update. (We don’t know how, but last year the company’s update server was protected by the password “solarwinds123”.)

March? 9 months ago and all this bleating about the attack was actually caused by a hardware / software installer and probably a network manager (or 10) who did the initial installation of a server but didn’t think to change a password?

Still, I think the US should nuke the Russians. (Not)

Only let’s put this into context.

  • 2018- An attack on Facebook has exposed personal information of 50 million users, according to the social network.
  • 2018- Quora 100 million accounts
  • 2019- Capital One data breach: Details of 100 million customers exposed in massive hack. Some 140,000 social security numbers obtained, says bank.
  • 2019- Dubsmash had the highest number of user accounts, 162 million to be precise, that were exposed in the hack, followed by MyFitnessPal, which had 151 million account details leaked.

Look people. What is being screamed about happens almost on a daily basis, only it seldom hits the media. Mostly it’s all about lax security and poor practices and that is a problem that is endemic in the computer industry.

So was this sinister? Could be.
Is this malicious? Not really but could turn out REALLY bad.
So what was it? Espionage.
Do I condone it? No way!
Is it illegal? Actually no (sort of).

Russia was just doing what everyone does, espionage i.e. spying on each other all the time. I mean the US spy, hack, intercept, divert, and spoof the planet. OR is the US above all that? The UK certainly isn’t.

So why am I speaking like this?
I used to work in a College / University on their network support team and the 41 servers were under attack by a small team of hackers on a daily basis.

Whose fault was that? Where to start.

  • Commercial Server Software probably (A gift for most hackers is that).
  • End users’ suite of software. I’ll bet mostly Microsoft but there may be a little UNIX / and clone programs like Ubuntu. Bottom line? That list will be short, and the shorter the list, the easier it is for hackers to find vulnerabilities.
  • Users i.e. staff. WHAT!  Yep! From the lowly cleaner putting in an order for toilet rolls on their terminal, to way up the food chain to the Gods of whatever.
    The higher rank they are, and the lower they are paid, the less the operators seem to care about security.

It always makes me laugh why the gurus of computer security don’t gather together and stop this insane rush to integrate everything through the Internet.

At best it is stupid, and at worst an invitation to your enemies, both foreign and domestic agents, and the criminal element, to poke around, usually with impunity, steal and read your most sensitive material.

Yet, in the UK, and I have no reason to think we are alone, EVERYTHING is done by computers that are interlinked and at some point cross public networks.

To that I’ll add there are only a few common sets of industry standard network and Internet communications packages in use and RARELY will you find someone working exclusively from code (a program) they write from scratch. Even then, how that information is transmitted across the Internet is also rarely encrypted to any depth and, if it is, it’s usually done using a commercial package.

So who are the fools now?

When I was first introduced to computers they had metal cases and no graphics let alone colour. Games for us were what we wrote and the biggest one everyone was playing was Kong.

Even at that time we all realized that computers everywhere would end up networked and nothing would ever be 100% secure again, and since 1974 all that has happened is things regarding security have got worse.

As for who to blame? Will the software scribes, computer designers, big business, bean counters, State departments, Government, and Military, please look in a mirror. That way y’all get a look at the guilty.

So what to do about the Russians?
Personally I would write them a letter of thanks for exposing the inadequacy of the US computer security. Then scrap everything and start again using PRIVATE networking, point to point (peer to peer) connections without going ANYWHERE near a public transmission media for secure installations. Only no one will.

You foolish children in charge never learn from your mistakes.

p.s. In case you are wondering, we did catch the hackers.
How?
We put up covert CCTV (illegally) in public places to capture their faces.
That and installed key stroke capture software (which we borrowed from a hacker) to record exactly what they typed.

What happened then? NOTHING.
Why? One of the hackers’ fathers was a large financial contributor to the university. As the university board couldn’t expel the others without including this well-connected individual, the whole ‘matter’ was dropped.

Rather like what will happen to the guy(s) who didn’t do their job right in Orion regarding its security and SolarWinds for an operational error, or the rest of the list of the guilty listed above.

After all ‘good’ help is hard to find. Even today.
And it was the Russians after all.

Brevity on a radio when passing a description

CAUTION,
This is probably Not Politically Correct.
So will be attacked as profiling.

That’s just tough as brevity on a radio is always best.
Be that the 10 code, IC coding, or other identifiers.
The idea is to pass information FAST and to the best of your ability to aid others coming to assist you.

Starting with the IC code.

| Code | Basics | Applies to |
|------|--------|------------|
| IC1 | White | Native UK, Irish, Scandinavian, Nordic, White Russian, Other White |
| IC2 | Mediterr’an | Spanish, Italian, Greek, Portuguese |
| IC3 | Black | Afro-Caribbean, Sub-Saharan African, Other |
| IC4 | Desi | Indian, Pakistani, Bangladeshi, South Asian, Other (Afghan) |
| IC5 | Far East | S. Asia, Chinese, Korean, Japanese, Or Southeast Asian |
| IC6 | Middle East | West Asia, Israeli, Arab, Egypt, North Africa |
| IC9 | Not Known | Unknown Race |

To this you usually assign a gender, Male or Female.
Which has now upset the LGBT whatever groups.

An approximate age, now that’s definitely profiling.
Especially if you are daft enough to say OAP, Middle aged, “Of military age”, teenager, youth, or child, unless you use a guesstimate of their age in years.

A brief description of their clothing, which by brand name may upset the clothing industry, and possibly someone else’s human rights if you use the term ‘gang colors’.

The religious world if they are wearing some distinctive cultural, national, or religious clothing. Say a head covering, Hoodie, Pakol, Beanie, baseball hat, shemagh, Hijab (head, neck, uncovered face), Niqab (Head, neck, face), Burkha (everything), to name a few.

Using the term ‘Bling’ for visible jewelry, VERY racial is that one.
Not forgetting eye wear and footwear!

Any visible markings like Tattoos.
Hair color, length, style. Facial Hair

Plus details of what they may or may not be carrying.

So I think I’ve managed to upset everyone by now.
Except those who will understand where I’m coming from.

Still, that is a very detailed list.
Race and color (by IC Code), gender, age, clothing, footwear, jewelry, distinctive markings, and facial hair or hair styling, glasses or not. Especially if they are carrying something (especially a weapon).

A consequence of all that is a lot of mic (radio) or phone time which, when you are on the rush, isn’t always possible.

So why did I highlight a few? To me that’s the bare minimum.
Unless you think different.

Reflecting On Security

“There is no object so well protected that it cannot be stolen, damaged, destroyed, or observed by unauthorized individuals.”

The bigger the organization, the more formal and staid their protection is, and their procedures end up too slow and inflexible to be truly effective.

Thus with today’s reliance on high-tech solutions and minimal manpower, a learned forager can easily defeat most security measures in a protracted grid down scenario using basic tooling.

What are your thoughts on this?