Sunday, August 19, 2018

If I Could Live Anywhere In The World.....Hmmm.

If I could live anywhere, I'd pick anywhere but places where there was even a hint of activity on this heat map. The map comes from the folks at START and highlights terrorist attacks in 2017. Yup, if you see your state, sleep tight, kiddo.

Are Those Spikes Along The Side of Your Building or Are You Just Happy to See Me?

Uhhhhhh. What. In. The. Heck. Is. This?!?! Oh and can I get one, please? For my house.

I'm Sorry. You Said Your Drone Has What?!?!

Ummmm. Yeah. I got nothing.

Sooo. I mapped the 2000 to 2014 Laser Strike Incidents - Sorta

UPDATE: Soooo. I kinda didn't like the map. I looked over the map and noticed I was missing some information. I'll plug it in, when I get a sec. Until then, I embedded the data itself. Oh and I included 2015 to 2018. Yeah. I'm awesome like that.

Huge nerd here. Yup. I was talking with Doug Patteson, one of the dopest people on the Interwebz, about laser strike incidents. Basically, it's when some idiot decides to take a laser and aim it at flying aircraft. It's incredibly stupid because it could potentially blind pilots and crash airplanes. Law enforcement has stepped its game up since we first heard of these things. Alas, I digress.

Check out the map. I didn't collect the data. These dudes did and they did some great analysis on it as well.

Saturday, August 18, 2018

The Tale of a Very Bad Gun Safe

So this is terrible. Like super duper bad. I LOVE me some Harbor Freight but this gun safe sucks.

This dude hits the lock so many ways that it seems unfair. Seriously. It's a very bad gun safe.
  1. You can do it without leaving any discernible forensic trace. Tool marks might be found on the interior and maybe some small nicks on the front. That's if you're sloppy.
  2. The entire security of the safe rests in the PIN code and a reset button, both of which are easily bypassed.
  3. The front door of the safe has a gap large enough to allow any thin tool access to the reset button and the release.
  4. The top peels off and exposes a hole for access to the interior.
  5. There are holes along the sides which allow access to the reset button.
Thankfully, it's been recalled by Harbor Freight. It's bad. Have a watch. (h/t @DeviantOllam)

Deviant Ollam Is Thinking About Doing A Smartphone App

Update: It looks like a Twitter user brought up Haven - The Guardian Project's physical security app developed by Edward Snowden.

Welp, it looks like @DeviantOllam, the physical security penetration tester and trainer, is looking to do a hotel room security app. If he can check off all the boxes and can provide some more features, I'd be all in.
What would I be looking for in a physical security smartphone app?

  1. Various ways to notify users of an event. Push alerts to my other devices would be great, as well as home AI integration with Alexa or Google Home.
  2. Motion sensor sensitivity and detection range settings that are user-friendly. Other apps do this but they don't walk you through these settings.
  3. The ability to choose between cloud storage or phone storage.
  4. The ability to use a tilt sensor for drawer openings.
  5. Noise detection.
  6. Customized annunciation. I like customized audio messages for various intrusion-related alerts.
  7. Integration with a door stop physical device. When bumped by a door, it would set off an alert. Great for closets in hotels.
  8. The use of your phone's flash as a strobe when an intrusion has been detected.
  9. Using a combination of alerts to determine the nature of an event. I may want to know if the maid came into my room, but I'd really be interested to know if they entered that closet I placed the door stop at.
  10. Remote SMS alarm disarm.
What would you want to see?
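To make item 9 concrete, here is a toy alert-correlation rule in Python. It is an added example and not code from Deviant Ollam's planned app, from Haven, or from this blog; the sensor names, zones, the five-minute window and the sample events are all assumptions I constructed. The idea is the one the wishlist describes: a lone motion hit in the room is just informational, but a door-stop bump at the closet or a tilt on the drawer shortly after that motion is escalated, because the combination tells you what the visitor actually did.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical event model: a sensor firing in a named zone of the hotel room.
@dataclass(frozen=True)
class SensorEvent:
    ts: datetime
    sensor: str   # "motion", "noise", "doorstop", "tilt"
    zone: str     # "room", "closet", "drawer"

@dataclass(frozen=True)
class Alert:
    ts: datetime
    kind: str
    severity: str   # "info", "high" or "critical"
    detail: str

# Assumed base rules: what a single sensor hit means on its own.
BASE_RULES = {
    ("motion", "room"): ("room_entry", "info"),
    ("noise", "room"): ("room_noise", "info"),
    ("doorstop", "closet"): ("closet_entry", "high"),
    ("tilt", "drawer"): ("drawer_opened", "high"),
}

SEVERITY_RANK = {"none": 0, "info": 1, "high": 2, "critical": 3}
CORRELATION_WINDOW = timedelta(minutes=5)  # assumed value

def correlate(events, window=CORRELATION_WINDOW):
    """Turn raw sensor events into alerts, escalating a high-value zone hit
    to 'critical' when it follows room motion within the window."""
    alerts = []
    last_room_motion = None
    for ev in sorted(events, key=lambda e: e.ts):
        rule = BASE_RULES.get((ev.sensor, ev.zone))
        if rule is None:
            continue  # unknown sensor/zone pair: ignore rather than guess
        kind, severity = rule
        detail = f"{ev.sensor} in {ev.zone}"
        if ev.sensor == "motion" and ev.zone == "room":
            last_room_motion = ev.ts
        elif severity == "high" and last_room_motion is not None \
                and ev.ts - last_room_motion <= window:
            severity = "critical"
            detail += " following room entry"
        alerts.append(Alert(ev.ts, kind, severity, detail))
    return alerts

def highest_severity(alerts):
    """The single severity to annunciate for a batch of alerts."""
    best = "none"
    for a in alerts:
        if SEVERITY_RANK[a.severity] > SEVERITY_RANK[best]:
            best = a.severity
    return best

# Constructed sample events (not real sensor data).
T0 = datetime(2018, 8, 18, 14, 0)
MAID_VISIT = [
    SensorEvent(T0, "motion", "room"),
    SensorEvent(T0 + timedelta(minutes=1), "noise", "room"),
]
CLOSET_VISIT = [
    SensorEvent(T0 + timedelta(minutes=3), "tilt", "drawer"),   # out of order on purpose
    SensorEvent(T0, "motion", "room"),
    SensorEvent(T0 + timedelta(minutes=2), "doorstop", "closet"),
]

if __name__ == "__main__":
    for name, batch in (("maid", MAID_VISIT), ("closet", CLOSET_VISIT)):
        print(name, highest_severity(correlate(batch)))
        for a in correlate(batch):
            print("  ", a.ts.time(), a.kind, a.severity, "-", a.detail)
```

The escalation lives in one place (the window check), so tuning the sensitivity the wishlist asks for in item 2 is a matter of changing the window or the base rules, not the control flow; events arriving out of order are sorted first so a late-reporting sensor does not break the correlation.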

Wednesday, August 15, 2018

OPINION: I Need to Vent About The State of Security

You may have noticed I haven't blogged in like forever. Yeah, I know. Look, I've been busy with life and stuff. Welp, I'm back. Wait. I've said that before? This time, I promise to be much more regular and consistent with my posting. I digress - I have a grievance about the state of our industry to air and dang it, you're going to read all about it.

So, you may have noticed a minor thing called a "national election" occurred while I've been away. You may have noticed the same thing I have since the election ended. EVERYONE HAS LOST THEIR MINDS!!! Seriously. It's been a strange time for every one of us. What's crazier than the public going bonkers over politics? Security professionals drunk on hype, the erosion of our professionalism, and fraudulent credibility have corrupted our analysis, jeopardized our assets, and enabled ineffective and inefficient security risk mitigation.

We're a failing industry, in short. Sure, we do our jobs and pretend as though none of this has an effect, while the public and the industry embrace perceptions based not on sound and trustworthy data but on fear, uncertainty, and doubt (FUD). The public is encouraged to view threats based solely on identity rather than capability, opportunity, and motivation. Add in FUD and you have a consumer base who desire more and more radical solutions to solve what we, as security professionals, over-complicate, due mostly to our intentional ignorance and discipleship to partisan rancor, confirmation bias, and ego.

New attacks can't simply be the products of luck or one-offs. No, these attacks, according to our "experts", are "advanced", "sophisticated", or "impressive". I could include other superlatives but you get my drift. These professionals are constantly being impressed by attacks whose effects are often unclear.

After the drone assassination attempt on Maduro, security professionals on social media were aghast and seemed almost terrified at the prospect of a massive global pandemic of wayward killer drones.

Okay. Okay. I'm a terrible human......

I admit it - I called the Maduro assassination attempt a "game changer". It wasn't because I assumed the worst. The drone attack was interesting and certainly a bit surprising. I'm a guy whose job it is to address and mitigate such threats. While I was intrigued, I didn't lose much sleep. Why? Because there was a lot that could have gone right but didn't in that attack. In fact, the attackers chose a methodology which required far more resources and placed unnecessary risks on its operatives. This is especially true when you realize there were far simpler and more effective means of killing Maduro. In fact, the drone attack placed innocent people in danger and had any one of them been killed, perhaps the attackers would have lost a great deal of support.

These same "experts" are often impressed by al Qaeda and other groups for doing simple attacks. There are many counter-terrorism and physical security folks who often declare after every attack that we should embrace more and more drastic security measures in response. They never consider the drag on existing resources, the ability to stay in this threat reaction posture for the long term, and whether they're only inviting more problems by creating additional threats. These folks will suggest everything, including putting soldiers in classrooms after shootings, increasing security at hardened facilities, and demanding tools which have shown they're barely appropriate for their current use.

Have no fear! Your consummate security professional is up at night defending our honor and challenging these professionals to consider better solutions. I find a lot of folks in security who happen to do social media can be very reactionary and haphazard about how they communicate threats and mitigation. Is it appropriate or wise to denigrate how others mitigate threats, when your situational knowledge might be minimal, at best? Some people would argue that it is. I'm no badge defender and I certainly challenge bad practice. I also get how often we try to get mitigation in place, only to be told stakeholders would rather allocate resources or funding elsewhere. It happens all over practical security organizations. In fact, having to adjust your mitigation programming is one of the toughest parts of this gig.

For me, the asset is never "soft" or "hard" - it's about what attracts the bad guys to the target. I surmise most kinetic attacks occur on crowded spaces not because of a lack of visible security but because there is a crowd. I could go on and on about crowds but there's a real and transferable reason why wolves hunt sheep. The reason is easily deduced if you've ever seen wolves hunt sheep. Sheep can't stop being a part of a crowd. Wolves either hunt stragglers or those caught in the herd. Why? Because they're slow and they have limited egress points.

I've blogged here before about the ways in which fraudulent "experts" taint our profession, so I won't belabor the point here. Here's what I will say:
  1. There is an ever-growing field of "experts" who lack credibility or credentials who often imagine threats and mitigation, based on how it impacts their "bottom line". Don't get me wrong - I like to network and certainly, respect your hustle but I might be more inclined to buy your product or promote your ideas, if you weren't always trying to sell them to me like an over-eager crack dealer. Slow your roll. Again, I digressed.

    None of the aforementioned points are why I question someone's credibility or their credentials. They do cause me and others to take someone less seriously and to see further marketing less as an attempt to grow the industry with your knowledge and insight and more as a way to line your pockets. I blame our collective anger and angst on 9/12 as the root of the problem.

    The inconvenient but honest truth is that after 9/11 the American people wanted two things: more security and revenge. Our industry, seeing the potential for unlimited growth, went bonkers trying to meet this demand. The government created the TSA. The Internet became a weaponized instrument against our foes both at home and abroad. We believed we were unprepared and needed to adhere to everything "unconventional" pertaining to security. We sold buzzwords like "hybrid warfare", "dynamic", and even my own favorite, "kinetic", without even a semblance of critical thought on whether any of what we were seeing was "new" to everyone or just "new" to us.

  2. Rather than fixing a problem which required some TLC, we demanded everyone become Jack Bauer and lined our budgets and pockets with cash which promised not only job security but the most coveted of all security prizes - relevance. Naturally, the fakes and phonies came like vultures and they've been picking the meat off the bodies ever since.

    To be quite fair and honest, I've been called an "expert" by media and I know firsthand they often mislabel you based on what sells their narrative or the topic area to be discussed. When it happened to me in ways I couldn't articulate, I challenged those attributions. I've blogged about it here and explained how it occurred to friends and people I know in that community. As I saw the problem getting worse, and audiences and studios seeming less and less interested in what I said versus how I said it, I felt my work as a professional was more important than how awesome I did on an appearance. While I'm grateful for the opportunities that were given to me, my focus will always be on professional development, promoting sound mitigation ideas and best practices, and perfecting my craft. Just cast Cuba Gooding, Jr. in my biopic when I sign the movie deal.

  3. What's worse than creating a side industry filled with the fake and greedy? Giving them a seat at the table of influence and policy. I'm not just talking media. No. I'm talking about Cabinet positions. I'm talking about boards. I'm talking about senior staff positions in major departments. The greatest danger we face from these people is not their inevitably bad advice. It's their untested and untenable security "solutions" backed by flawed analysis and threat perceptions which we declare as "factual" and "balanced" because they suit infectious and malignant ideas which tarnish our industry and ruin public trust.
What can we do about our fellow practitioners and the public who are engorged with hubris, ego, and grift? Can we save our industry before we transform into a conflagration of our parents' Facebook pages and the worst of Twitter, LinkedIn, and major news media?
  1. Address their knowledge of the topic and the process from which they've derived their conclusions. 
  2. Challenge how they receive data. 
  3. Challenge who they vetted it with. 
  4. Ask them if what they're seeing is repeatable. 
  5. How do they establish credibility with their sources? You'd be surprised how many professionals subscribe to ineffective ideas on mitigation from sources who have no connection to security or our best practices. 

Whew! That's the bright spot. Wait until I cover all the stuff I haven't covered in two years.