Tuesday, March 3, 2020

Coronavirus: Panic or Meh.


Disclosure: I am NOT a doctor nor a scientist. These are just MY crappy opinions. They don't represent anyone but me. I'm not claiming to be an expert - without being insanely sarcastic. Follow what I say here with a grain of salt. If you're upset by what you read here, do us both a favor - grab a seat, have a Coke, and calm down.

You ever hear of this thing called the coronavirus? Yeah, if you've been alive, can read, and have decent Internet access, it is highly likely you know what the coronavirus is. Have no fear, I won't waste your time going over too many of the basics here. That said, if you've been online and perused any of your social media sites long enough, you'd recognize everyone has an opinion on the virus and whether the threat of this virus is exaggerated or worth a panic that would make the Spanish Inquisition seem tame. As your resident "threat mitigation expert/guru/ninja/influencer", I too have opinions on that. Let me borrow a few minutes of your time and I'll explain what they are.

Things we know about the coronavirus (this is entirely too condensed):

  1. The virus has been seen in the "wild" for about six weeks. It's estimated to have infected 80,000 people worldwide. It's likely killed approximately 3,000 with just nine in the United States.
  2. There is no vaccine. Loads of companies claim they have one but none have been tested or vetted through the FDA. That process could take a year before it hits the street.
  3. The virus tends to kill those with weakened immune systems, the elderly, and those with "underlying health conditions". Five of the nine deaths in the U.S. were from a single nursing home in Kirkland, WA.
    • Underlying health conditions which could compromise your immune system include but are not limited to the following:
      • Those in chemo
      • Those with HIV/AIDS
      • Those with autoimmune disorders
      • Those who smoke
      • The elderly
      • Those who already have the flu or pneumonia
      • Those who have respiratory problems
  4. The virus can infect anyone. Scientists are still looking for antibodies, which is why there is no vaccine yet. So far, only a few of the infected have been reported as children. The former director of the Center for Disease Control believes children could have it but be asymptomatic and infect adults unknowingly. Recently, a 3-year-old in NY state was quarantined.
  5. Governments are struggling with containment and seemingly every day a new crop of infected and dead seems to arise. Quarantines have been implemented for infected persons. Some have left quarantine and been later identified as still being contagious.
  6. It is likely part of the information we suffer from with this virus comes from the Chinese government allegedly not being as transparent as they could. For example, some believe the death toll could be higher.
  7. The virus could share the flu's seasonal patterns. That said, the virus is six weeks old and we won't know for sure until the summer.
  8. Emergency workers have been quarantined and major events, venues, and conferences in various cities have been canceled or closed.
  9. The President has appointed Vice President Mike Pence to head the U.S. government's response to this.
  10. Not everyone dies from this and symptoms seem to dissipate after two weeks. Most of the infected described the symptoms as "mild". That said, these were infected persons who didn't have compromised immune systems.
  1. Wash your hands and cover your mouth when you cough. Buy a mask not to protect yourself but others from catching the virus should you be infected or have symptoms.
  2. Don't panic but be concerned. This could be an insignificant health crisis. Then again, the death toll is rising and the number of infected people seems undiminished. Pay attention to the news for updates on cancellations and quarantine orders.
  3. Don't come into work, if you're sick. Stay home and call your doctor.
  4. Discuss with your family the importance of hygiene with respect to disease mitigation. Talk about the likelihood of a quarantine should anyone in the family be infected. Show your children where to find official and vetted information. Reinforce the necessity of critical thinking when it comes to disaster preparedness.
  5. Don't hide your symptoms but be aware some people react poorly in times like this. Be responsible with what you disclose and with whom.
  6. Talk to your doctor if you have concerns.
  7. Home remedies won't work. Just stop. Please.
  8. Antibiotics will laugh all the way down the toilet at you. Don't take them. They work against bacterial infections NOT viruses.
  9. Gossip happens in times like these. Stop getting angry about exaggerations and innuendo. Rather educate people on factual resources. Turn discussions away from gossip and focus more on steps you need to be taking towards mitigating this threat.
  10. Calm down.
Final thoughts:
  1. There's a difference between being "concerned" and outright panic. One requires you to invest yourself in the discussion so you can determine what if any risk factors you face and what mitigation strategies you can and should employ. The other requires you to ignore logical thought and critical thinking and boil your skin after every handshake. I'm merely suggesting the former. If you're sick of hearing about the disease and confuse the volume of discussion with the content of the discussion, you're missing a whole lot.
  2. This virus will likely not kill or affect you. We live in the most prosperous country on Earth. The majority of our 300 million citizens and resident aliens should be fine. That said, don't let those factors distort the realities between them and your proximity to this threat. It may not kill or infect you but it could likely do the same for someone you know. You may have more skin in this fight than you may care to acknowledge.
  3. There's ZERO harm in being responsibly prepared. Calm down.

Sunday, October 20, 2019

You're Either Doing OSINT Or.....You're A Cop or a Criminal

Editor's note: I use the term "intelligence" in this post a lot. It is not being used to denote solely government intelligence service activities. If you're a no-shit spook reading this post, you should already have some idea of what I'm driving at.

If you've been in security long enough, you've heard people abuse, misuse, and utterly diminish the meaning and, subsequently, the impact of certain security-related buzzwords. Everyone is doing "threat intelligence" or being "asymmetrical" or defending against "information operations" these days. Back when I was somewhat popular, two terms everyone was using (including myself) were OPSEC and OSINT. Most of us were using these terms to articulate very briefly basic methodologies. However, brevity is a serious MOFO. Soon, everything was OSINT or OPSEC. Years later, the infection has spread and I have had enough. We'll cover OPSEC another day but I really want to set the record straight on OSINT. At its best, our collective confusion means mistakes or missed opportunities to provide better answers. At its worst, it places our stakeholders and ourselves in almost certain peril.

Let's define what OSINT is and what it is not. OSINT is an acronym, standing for Open Source Intelligence, that describes a type of intelligence-gathering technique. I won't bore you with the book definition but I will provide you with a pretty standard definition. Don't believe me? Find your nearest neighborhood spy and ask them. I digress. OSINT is merely the collection of actionable intelligence from openly available sources. How about we steer away from saying "public" because some people denote that as being "free"? If you've actually done OSINT, you know a lot of what we do costs some cash. Just because it's "open" also doesn't mean it's always readily available to the public.

There very well could be limitations on the data you collected and whether it can be used by you or even collected in the manner in which you received it. As vague as the Computer Fraud and Abuse Act reads, it behooves anyone collecting online data to have clear legal guidelines and authorization to conduct OSINT operations online.

You would think this would alleviate confusion within the security industry about what OSINT is and what its sources consist of. Nope. Not a chance. I find everyone who has been tasked with researching something or someone online believes they are "doing OSINT" because their sources are "open".

The best way to see beyond this "fog" of confusion is to simply define what the end-result of your research will be.

  • Are we answering a series of questions posed to us by stakeholders who need them to complete their mission? Then, you're doing OSINT.
  • Are we tracking criminals to report a crime? Then, you're conducting an investigation using open sources. 
  • Has a lawyer contacted us to look into a civil case they have pending? Then, you're still doing an investigation.
  • Are we researching "people search" sites and breach data to find dates? Then, you're committing a crime and seem super creepy, dude. Stop.

Aside from being a distinct method of collecting data, a lot of what differentiates OSINT from other methodologies of collection and analysis also has to do with how you're pivoting or analyzing the data. For example, just because I find someone's address doesn't mean I have verification of that address. If I'm authorized, then a pretext and social engineering may be needed to do that. That part is something else entirely which is called "human intelligence". This involves exploiting human beings to gain information. What if I'm looking at an image I gathered during an OSINT operation? Then, that analysis in part would require "imagery intelligence".

Too many OSINT professionals forget there's a distinction in these INTs regardless of whether the collection or source analysis are in one house. This is an important distinction to make because different methodologies require different skillsets which, in turn, require different training. Jumping into pretext or getting imagery wrong based on bad assumptions or inadequate training could prove disastrous for you.

I don't have a problem with OSINT collectors answering investigatory questions. I grow concerned when they use certain methods of analyzing data outside of OSINT. What happens when they "solve" a crime using imagery analysis but haven't received training which may have also shown techniques to find exculpatory information? Are OSINT collectors aware of what separates their activities from private investigators? Are their clients?

Finally, a clear distinction between OSINT and an investigation has a good deal to do with the reporting and documentation of your findings. Obviously, in an investigation I'm concerned with authorizations and preservation of any evidence gathered. In many jurisdictions, it's simply not enough to show up to court with a screenshot or even a map. In intelligence operations, those might be all you need to give a stakeholder what they need. My suggestion is to be in the habit of always archiving and reporting intelligence in ways that allow you and your stakeholders to pivot, if need be.

Understanding what OSINT is versus throwing out a term and conducting business based on bad assumptions and worse interpretations could provide your stakeholders and you with better actionable intelligence and fewer legal headaches.

Monday, September 2, 2019

OPINION: The Problem With The Questions We Ask After Every Active Shooter Incident

Another active shooter and I feel like I'm having the same discussions over and over again. Oh, that's right - because I am. In the course of each shooting, a variety of reactions happen. Some of them are helpful to constructive discourse and some are not. Let's list some of my least favorite reactions and why:
  • "We need to do something, now!" Ugh. I hate "something" for a few reasons. First, "something" is rarely anything specific and is merely a reaction to the status quo. As a security professional who works at mitigating these kinds of threats, I often feel like "something" means "anything" which works contrary to mitigation which does protect us. Finally, "something" is often a veiled attempt at prompting to discuss political solutions which are normally, not multi-pronged nor appreciative or comprehensive of the entirety of the threat. In other words, "something" is almost certainly, a "nothing"-burger.
  • "Why can't we do what XYZ European country does with guns?" Well, for one, we're not XYZ and while they may have had a problem with gun violence, their causality is likely different than ours. XYZ also does not have our proliferation problem. Guns in the United States are everywhere and the means to manufacture and supply them is not difficult. The science to make firearms and their ammunition is not difficult nor is it restricted. We banned machine guns and someone made "bump guns". Our supply chain with guns is likely different than XYZ as well. In XYZ, the government had a monopoly on firearms but in the US, the citizenry has a monopoly on firearms with zero demand diminished.
  • "It's so simple to solve this." Nope. Not quite as simple as you think. First, taking care of the tool does NOTHING to fix what drives people to murder. In fact, the demand for the tool will likely increase. You won't like where mass murderers go for alternatives either. Also, see what I said about proliferation in #2. Legislating your way out of this gets even tougher because America isn't as monolithic as people on social media would like us to believe which means the political landscape in this country is also more diverse and obfuscated than we appreciate.

    This thinking also blinds us to unintended, collateral damage. For example, modern gun control was done as a means to restrict gun possession by extremist groups. As the laws took shape, over the decades, these laws were meant to further limit access to firearms by convicted felons who may have been involved in ongoing criminal behavior. Their access to firearms would only mean further violence. With crime becoming sensationalized as an "epidemic" almost daily by the media and politicians, a "war on crime" was waged and more laws and police officers were ordered to the streets. These laws incentivized police departments to make more contacts with potential criminals or those who they suspected were criminals. How? Every good war needs soldiers and you can't recruit soldiers without a war. More contacts with an armed public meant lower crime rates. It also meant more police officers involved in more contacts. The problem isn't that contacts were happening but they were disproportionately happening with demographics who were often under-represented and owned far less guns than the majority demographic. I don't have to tell you the rest, do I?
  • "Why won't they release the shooter's name?" Glad you asked. It could be for a few really good reasons.
    • The investigation is still ongoing and releasing the name too soon could reveal a great deal to potential co-conspirators.
    • The shooter may belong to a demographic who could suffer collateral damage from vigilantes seeking revenge in a hostile socioeconomic climate.
    • They're following established FBI and scholarly recommendations to not give the shooter any undue notoriety. Why? The police could be concerned about copycats and the potential for harmful distractions to their case.
        • "The hallmark of contagion is seeing events unusually bunched together in time. The details of our analysis, where we fit a mathematical model of contagion to the data to quantify the level of contagion, are quite technical. But really, what it essentially amounts to is seeing if there are unusual groupings of events. In mass killings (four or more people killed), where the tragedies usually get national or international media attention, we saw significant evidence of this kind of unusual bunching. In mass shootings — with less than four people killed, but at least three people shot — we didn't see any evidence of unusual bunching. Interestingly, those events are so common in the U.S., happening once every few days, that they don't even make it past the local news. Because we saw evidence of contagion in high-profile events, and no evidence of contagion in events that mostly just got local news, we hypothesize that media attention may be the driver of the patterns we see. This kind of contagion has been suspected for a long time; our study is the first to quantify it."  
      Various pictures of Christchurch shooter's firearms used in shooting

      • The contagion theory looks especially prescient when we look at the Christchurch shooting where the shooter wrote the names of various other shooters on his weapons he used during the shooting and wrote in his manifesto how they motivated him. How many shooters have mentioned or idolized other mass shooters? How many shooters are glorified and celebrated on various forums where they congregate? Don't we see the same with terrorist groups like ISIS? How many "soldiers of the Islamic State" were "inspired" by the acts of other "soldiers"? I'm not saying these events were caused by other shooters going first but for many shooters, I'm certain it showed how it could be done with minimal effort and little exposure during the planning and execution phase. As I always caution, "the secret sauce is out in the wild."

        What about our own history with a public mob mentality towards "give us a name"?

          A man lynched from a tree. (Library of Congress; 1925)

The simple and painful truth is we may never see the end of mass violence in the United States. That doesn't mean workable and viable solutions are not probable. I believe they are. However, as we examine these events, perhaps it's time we ask how much of our reactions have done less to mitigate these threats and done more to provide us "security". The latter is about addressing what makes us "feel" safe versus doing what protects us by critically going over the data, having constructive discourse among the subject matter experts, and determining what are our most viable, sustainable, and effective solutions.

There is one question we should be asking but we don't. Its absence from the discourse makes me believe we care less about the victims of these crimes and more about the political solutions we can employ. Few people are asking "why" because they confuse methodology with motive. The problem shouldn't be how these murders are committed but why. Until we ask that question, we'll continue to have discourse which does little except provide cover for murderers and aid and abet political ambitions counter-intuitive to our collective survival.
