Monday, December 12, 2016

ProTip: When In Prison, Try To NOT Have Your Face In a Mannequin Challenge Video!!


I try not to be one of those "Check out this Darwin Awards Winner" kind of guys. Granted, in our industry, we see a lot of fail. One could say our very survival depends less on FUD and more on fail. Or is FUD a component of fail? I digress. There's a lot of stupid in the video below. The gist is simple:

  1. Geniuses, in prison, decided to FILM THEMSELVES IN PRISON doing the widely popular, "Mannequin Challenge".
  2. Said "geniuses" uploaded video of their collective stupidity to YouTube.
  3. Caught by San Diego County corrections dudes who are "currently investigating this incident".
Enjoy.

Saturday, December 10, 2016

Somehow I Don't Think That Drone Has Been Registered With The FAA - ¯\_(ツ)_/¯

Check Out This Old School Intelligence Community Surveillance Detection Video


Note: Dude, again, I am not an intel dude. NOT my lane.

A few days ago, I wrote an article about how political parties could deal with a hostile foreign intelligence service actively targeting them for exploitation. One of the techniques I recommended revolved around avoiding physical surveillance. The video below goes into a lot of detail regarding surveillance detection routes. It appears to have been a declassified intelligence community video from the 1970s(?). This is for purely entertainment purposes. If you think you need to add this to your repertoire, then I suggest doing two things:
  1. Hire a professional to teach you. A video is no substitute for actual training. That said, the materials in this are dated and I would imagine any serious surveillance team would have a suitable counter to any SDR. However, this is a nice introduction to the topic.
  2. If you need this and you're going against any significant intelligence threat, you might be already screwed. Seriously.


Resource

This guy seems to know a lot more than I do on this stuff.

I Got Two-Factor Authentication For Days - 12 To Be Exact


Note: I am not a cyber or infosec dude. Never have been. Never will be probably. It's not my lane. That said, I try my best to find good advice in these lanes and share them when possible. Your mileage will certainly vary.

So the Electronic Frontier Foundation (EFF) is having a "12 Days of 2FA" thing starting December 8. I may not agree with the EFF on some things but their advocacy for a more private and secure Internet is something I am all for. Making folks more aware of the benefits and techniques necessary to enable two-factor authentication is awesome in my book. I'm not a tech dude but I will tell you a little about two-factor and why you should do it on EVERY SINGLE FREAKING ACCOUNT YOU HAVE THAT ALLOWS FOR 2FA.

Definition
  • The EFF has this to say:
    • Relying on more than a password to secure online accounts is so important because passwords are relatively easy to steal or compromise. Passwords can be vulnerable to eavesdroppers on cafe and airplane wifi, to tech company data breaches, and to phishing attacks. Add in a second factor, though, and an attacker needs more than just your password to access your accounts.
    • That second factor can take several forms, including: 

The Benefits
  • If passwords are compromised in a breach, there's an additional layer of defense for the attackers to overcome.
  • It nullifies a lot of brute force attacks. Even if you "guess" the right password, you still have to overcome 2FA.

Final Word of Advice
  • Having 2FA is NOT an excuse for a crappy password or for password reuse. Let's be clear - we all have passwords we've reused. That doesn't mean we should. In fact, we should remedy that as soon as possible.
    • Get a password manager
    • Register with sites that allow for
      • Lots of characters in passwords
      • Take security seriously (bug bounties, HTTPS, limited account enumeration, etc.)
    • Monitor your logins
      • Most major sites will show the IP of your last login. Monitor this regularly to ensure your credentials haven't been compromised.

GREAT FREAKING RESOURCE

Friday, December 9, 2016

And You Thought You Saw The Last of The Terminator. He's Back - As A SWAT-Bot!


So, I've been watching Westworld and it seems like killer robots are becoming a thing again. There are some really cool things with the bot featured in this slick ad:
  • It's seemingly quiet. For obvious reasons.
  • They went the fashionable "combat black" look. It's mandatory for anything being called "covert" these days. (snark)
  • It has loads of cameras. One of the primary purposes of the bot is to give human operators tactical situational awareness. The field of view seems to be okay and has what appears to be some PTZ stuff going on, though the cameras appear to be very stationary. If it relies on the vehicle to move the camera, then I'm curious whether that compromises noise discipline.
  • It comes with a Glock. Yeah. It's "G'd up from da floor up". My bad - that's street vernacular for "It has a working gun that can kill people". That said, I'm curious if the vehicle has a stabilizer to compensate for recoil. Also, where does the "brass" go? Surely, it's not optimal to have it eject in a way that it could lodge between the gun and the bot chassis.
My overall complaints about the bot:
  • It looks great in a video which means it will perform like crap once it gets deployed.
  • I need to see more Army-proofing. Ahem! How long before crazy G.I.s break it on its first run? Trust me - you need to be asking this question.
  • Humans have been doing a bang-up job of clearing rooms thus far without bots. Not sure how this helps in real world tactical environments. Yeah, shooters may not have to get too close to make the hard shots, but... what happens when your suspect sees this thing, decides you're trying to make entry, and kills hostages preemptively before you do?
  • Finally, I worry about the trial and error part of figuring out its limitations in the real world. An EOD bot is easy to square away because testing and training go hand-in-hand, especially in a semi-controlled environment. This bot's armament would need to be tested along with its operators under conditions that mirror the real world both in risk and realism. In other words, let's see it clear a "trap house" with a barricaded homicidal subject who is armed with an AK-47 and has kids as potential hostages. We tend to be very "meh" about collateral damage (civilian deaths) in combat zones during drone strikes - I have a feeling we'd feel differently about a bot that killed a hostage due to operator error or mechanical failure. Thankfully, it's under human control. Imagine what it can do if given analytics.

Extra! Extra! Read all about it! RNC After Action Reports!!



2016 was a huge year in security, especially in light of our recent presidential elections. The election is always a big security event, but unlike previous elections, the last few years have seen the country becoming seemingly more divided and somewhat consumed with protest activities. Additionally, cities that hosted political conventions had to have significant mitigation measures in place. One piece of public records information I'm always very curious about is the after-action reports of cities that have to host these events.

A fellow MuckRock user, Melissa Hill, requested the after action reports from several law enforcement agencies. She's gotten quite a few and I suspect others are forthcoming. I'll post more as they become available and I sift through the chaff.

Ohio Highway Patrol


Wisconsin State Patrol



Florida Highway Patrol After Action Report


City of Cleveland's Information Releases to the Public and Media

https://www.dropbox.com/sh/yvf9u065b0xl9x5/AADTRM_rG7IftykXfOYdT7zHa?dl=0

NOTE: I decided to add this, even though it's not an AAR. Still worth a look to get a scope of the various organizations which supported the security mission at the convention.

DoD-NORTHCOM Defense Support of Civil Authorities Republican National Convention 2016 Presentation

Thursday, December 8, 2016

2016 - The year of the creepy dudes in clown costumes


Other than the election that was "interesting", 2016 had some very memorable moments. One of those "moments" was the "clown scare". For a few months, the entire country seemed to be besieged by reports of creepy dudes in clown costumes. If you're not familiar with American customs, I'd like to be the first to inform you that many Americans are terrified of clowns. Some of these sightings were of clowns in the woods who were trying to entice children to go into the woods with them. Yeah. I told you - creepy. As time wore on, it became apparent to the American people many of the sightings were the result of false reports, hoaxes, and the rare creepy dude in a clown costume. Thanks to the awesomeness of MuckRock we have a real live police report of such an incident. Have a look - if you dare!


VIDEO: DEFCON 19 - Safe to Armed in Seconds: A Study of Epic Fails of Popular Gun Safes


Before you watch this video, let me clarify a few things:
  1. I TOTALLY support the right to bear and keep arms. Period. Full stop.
  2. The term "gun safe" is a HUGE play on words. Most of these "safes" aren't safes at all; they are solely designed and engineered to keep a weapon secure from inadvertent access by children or other curious individuals while keeping it readily accessible. They offer little in the way of the protection real safes tend to provide.
  3. I fully expect you to comply with laws in your jurisdiction. Don't mess this up. Follow the rules. Just understand what the "gun safe" is there for and deploy them with that in mind.
  4. Consider other mitigation strategies to go along with the safe. There are a few products on the market. Personally, this is one of my favorites.
This presentation took place during DEFCON 19. Deviant gave an awesome talk. It's great to get the perspective of a gun owner who happens to know a ton about physical security when discussing these devices.

OMG. I TOTES WANT THIS LOCK!!!


Yeah. I know. Me too. I TOTALLY want one of these. If you want more information on how you can get one, then you should probably click here and sign up to be on their mailing list.

https://www.bowleylockcompany.com/

Also, here's a video of the lock's mechanics in animation. Yeah. It's pretty freaking awesome. I'd like to mention this lock gives me hope. As a non-fan of the consumer lock industry, I think this lock is a VERY positive development for the sector. Unpickable. Unbumpable. That said, you should probably look at other door strengthening techniques just in case your adversary doesn't bring a pick or a bump key but does have a good size boot and a decent pair of thighs.

Saturday, December 3, 2016

Security Awareness. Sigh.

In the annals of military history, there are countless examples of commanders finding unique and interesting ways to get security awareness training to their people. I imagine Hannibal having posters that made coy references to the "element of surprise" and OPSEC. You can guarantee Caesar had posters, ironically, about insider threats. In today's modern military, commanders have been less creative and still don't get why marketers declare "Location, location, location!"
