Tuesday, June 30, 2015

I for one welcome our upcoming flirtation with Sharia Law

"I don't think there is any such thing as the separation of church and state" - David Lane, American Restoration Project.


Sunday, June 28, 2015

Just rambling

I have mentioned a number of times that on Friday nights I participate in an online Hackmaster game. At least that is our current campaign setting.  This campaign is scheduled to end in a few months and after that we are planning on a cyberpunk scenario.  Tentatively it is going to be set in Billings, MT in the year 2065, and our characters will probably be some sort of Black-ops agents who did something to get exiled to Billings.

That at least is the plan at this point.

Friday night I was looking at the logs from the previous game (I missed it because I managed to poison my self with some sort of kitchen concoction) and I noticed that Chris (the GM) had mentioned that he had been having trouble coming up with ideas for the campaign.  He didn't want to do the standard hackers attacking the evil corporation thing, so I suggested flipping it and have us working for the corporation(s) trying to track down and foil the hackers.  Some discussion ensued and I think that idea was pretty much shot down but it still got me thinking- what is our environment going to be like in this game?

Here is how I basically envision the world of Billings, MT 2065 (Chris may disagree with this totally it's just the vision I have in my head) -

First off the world is still basically recognizable, the United States still exists with a few extra states (Puerto Rico, Guam, and Saipan have voted to become states and the Philippines petitioned for statehood following a Chinese invasion of some of their outlying islands.)

Russia has continued to attempt to reconstitute the USSR.  Mixed success but they are out there and actively working against US interests

China is our main Geopolitical threat.  India is now a favored ally.  Pakistan has been left to the Taliban after we mounted an invasion and stripped them of their nukes and executed most of the ISI and all their nuke scientists following an attack on Tel Aviv by Iran using a bomb purchased from the former A Q Khan network.  Iran basically ceased to exist as a state after months of bombings and targeted raids to capture and kill their leadership.  Think Somalia without the charm.

The worlds oil supply has been greatly diminished.  It turn out that the Saudis had been inflating the size of their reserves for decades.  They are all but depleted.  Same with Valenzuela, Iraq et. al.  The only real substanatial deposits left are the Williston Basin / Bakken Formation, a couple similar basins in Texas and the Alberta tar sands (Alberta Basin).  To encourage development and exploitation the Bakken Economic Zone has been formed.  It covers Eastern Montana and Western North and South Dakota as well as parts of Alberta and Saskatchewan.  It includes both Billings and Calgary.  The zone itself an amalgam of jurisdictions so most of the administration has just devolved downward to the companies.  as long as the oil flows and the rivers don't catch fire everyone is happy.

Because of it's location at the junction of two interstates, the rail lines and the presence of multiple refineries in the area Billings has overtaken Calgary as the largest city in the zone.  It's population estimates range from 3.5 to 4 million. In general the city is prosperous but the population is heavily skewed towards men, who work in a dangerous heavily labor intensive field.  Most of the newer housing is modular, built in camps, and it is left to the companies to police them.  As you can imagine this tends to attract the kind of element that services large population of lonely men.  Bars, Hookers, and Drug Dealers.  There is now a large gang presence in Billings. (displacing the Nava family and the Pitbull Mafia easily).

I base a lot of this vision on what Billings was like in the 70's and early 80's when we were teenagers and the oil boom was going on in Wyoming.  Also what I remember of Gillette when we lived there in the late 60's during their gas boom.

There are a couple places I really want to make it into the game - Center Lanes, it was a bowling alley downtown that had a bar that wasn't really particular about IDs.  We spent a lot time there after school in high school. and the Arcade bar.  The Arcade was easily the roughest bar I have ever been in in my life.  I went there once and probably the only reason I got out alive is that I was known by some of the regulars beacuse they were friends of my uncle.  This rumor was that the bar was burned in a fire in the 60s  and was condemned and the owner just refused to close. (Urban legend - it moved buildings but given the nature of the place it was believable).

Anyway that's how I see the Billings of the future, we will just have to see what kind of world Chris builds and how close I came.

Thursday, June 25, 2015

Beware the Cloud (no that's not a fart joke) - What I am reading 6/25/2015

Fart innuendo maybe, but not a fart joke.

The Register - Bank of England CIO: ‘Beware of the cloud, beware of vendors’ -

Finch estimates if the reasons for going cloud is to save money, you shouldn’t go to the cloud. “Beware of the cloud and beware of the vendors,” Finch warned. “All those messages I gave a year ago, I passionately believe.”
“Make sure you understand where your data resides, make sure you understand the details of your contract, make sure you understand the security, and make sure you stay in control,” he said.
Finch has realised the cost and flexibility benefits of public cloud instead by consolidating servers and virtualisation, he told The Register.
Finch stressed the importance of getting the details right before floating and said a physical objective is vital, not a technology one.


I have been banging this drum for ever.  The cloud is a nice idea, but once you allow some one else to control the infrastructure maintaining your data you no longer own that date.

Tech Crunch - French Anti-Uber Protest Turns To Guerrilla Warfare As Cabbies Burn Cars, Attack Uber Drivers -
Today’s taxi driver protest is getting out of hand. According to the police, 2,800 taxi drivers are protesting today against UberPOP, the European equivalent of UberX. With UberPOP, everybody can become an Uber driver — taxi drivers see the service as unfair competition as they have to get a special license. Yet, this doesn’t really explain why cabbies are now attacking Uber drivers, burning and breaking their cars.
Come on guys it's not really serious until they start burning the Uber drivers - although the article does report that Taxis are patrolling the city looking for Uber drivers, so maybe that's next.  Sometimes the disruption - she is a bitch.

Ars Technica - TV review: Mr. Robot takes social-media paranoia to the mainstream -

Mr. Robot hinges on Elliot's desire to call out, and destroy, the apparent chokehold that large corporations have on American life (who knows how USA Network is selling any advertising for this series), and he uses social-media paranoia and computer hacking as his platform. That's an intriguing and unique entry point, especially for a cable network drama—you know, check out our apparently legitimate hacker as a series hero, one who furiously types server commands into a terminal window to get stuff done.
But corporate-America hatred, social-media bashing, and hacker authenticity can only carry a series—and even a single pilot episode of a drama—for so long.

I wrote about this show a couple weeks ago here and here.  Basically it is an OK show but it is definately more concerned with it's social message than storytelling.  




Wednesday, June 24, 2015

I've turned into a giant wimp

I checked the weather this morning and it is predicted that the temperature tomorrow will be in the 90s and up over 100 over the weekend and high 90s all next week. In the past I would have just gone with it, but in a sign of my increasing decrepitude I actually went out and bought and air conditioner today.  I am so ashamed of myself.

On the other hand it's et up in my home office and I have been at the computer for a couple hours now and I am not stewing in my own fragrant juices yet.

(I should mention this is the first time I have ever had an air conditioner in one of my apartments.  My Dad refused to pay for one when we were kids and I guess it stuck with me.)

Everything is coming up OPM - What I am reading 6/24/2015

The Register - Login creds for US agencies found scrawled on the web's toilet walls -

A threat intelligence report into the availability of login credentials for US government agencies has identified 47 agencies across 89 unique domains may be compromised.
...
The report comes after the February 2015 Office of Management and Budget (OMB) report [PDF] to Congress, which highlighted 12 agencies which did not require their most privileged users to log in with any form of two-factor authentication.
All 12 of these agencies, (including the Departments of State and Energy) had possibly valid login credentials available on the open web, according to the new report by Recorded Future, a web intelligence company.
Jesus.  At this point why even bother?  Between Manning, Snowden, and the Chinese (and our own crappy infosec practices) every secret the U.S. Government could possible want to protect is out there.  And if it isn't they are busily manufacturing documents to make it look like it is - which I firmly believe to be the case in most of the Snowden revelations.

Washington Post Cyberattack on USIS may have hit even more government agencies -

The massive cyberattack last year on the federal contractor that conducted background investigations for security clearances may have been even more widespread than previously known, affecting the police force that protects Congress and an intelligence agency that helped track down Osama bin Laden. 
...
“Based on this new information, the data breach at USIS appears much more damaging than previously known, affecting our intelligence community, our immigration agencies, and even our police officers here on Capitol Hill,” he said. “It is unclear why USIS withheld this information from Congress for so long, especially since I raised this question more than seven months ago.”

One of the concerns is that the hackers who hit OPM got their login credentials from this previous attack.  Given that, it's disturbing that these companies are still not being fully forthcoming with the extent of the hit they took.

Washington PostComputer system that detected massive government data breach could itself be at ‘high risk,’ audit finds -

OPM “has initiated this project without a complete understanding of the scope of OPM’ s existing technical infrastructure or the scale and costs of the effort required to migrate it to the new environment . . . In our opinion, the project management approach for this major infrastructure overhaul is entirely inadequate, and introduces a very high risk of project failure,” it says.
...

The upgrade project includes a full overhaul of the agency’s technical infrastructure and then migrating the entire infrastructure into a completely new environment.
“While we agree in principle that this is an ideal future goal for the agency’s IT environment, we have serious concerns regarding OPM’s management of this Project. The Project is already underway and the agency has committed substantial funding, but it has not yet addressed several critical project management requirements,” the alert says.

So basically they are just throwing money at the problem without a real plan and hoping things get better.  It's almost a guarantee they won't.



Monday, June 22, 2015

Google is STILL evil and Uber still sucks - What I am reading 6/22/2015

Privacy Online News via Instapundit - Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth -

Yesterday, news broke that Google has been stealth downloading audio listeners onto every computer that runs Chrome, and transmits audio data back to Google. Effectively, this means that Google had taken itself the right to listen to every conversation in every room that runs Chrome somewhere, without any kind of consent from the people eavesdropped on. In official statements, Google shrugged off the practice with what amounts to “we can do that”.

Not quite accurate.  What they are talking about is the "OK Google" feature which allows you to do voice searches without first clicking the microphone icon.  No a feature I personally have enabled but some people like it.  I first saw this at Instapundit, where in typical internet fashion his readers a) jump to the wrong conclusion immediately, b) start spouting nonsense and c) ignore the fact that Google both announced this and that it requires agreeing to a separate terms of service.  I am not saying that this is a good feature or that I agree with the Internet of Things and devices listening to me all the time, but for craps sake know what you are agreeing to before you install it instead of years later bitching about it.

Ars Technica “EPIC” fail—how OPM hackers tapped the mother lode of espionage data -

The OPM breaches themselves are cause for major concerns, but there are signs that these are not isolated incidents. "We see supporting evidence that these attacks are related to the group that launched the attack on Anthem [the large health insurer breached earlier this year]," said Tom Parker, chief technology officer of the information security company FusionX. "And there was a breach at United Airlines that's potentially correlated as well." When pulled together into an analytical database, the information could essentially become a LinkedIn for spies, providing a foreign intelligence organization with a way to find individuals with the right job titles, the right connections, and traits that might make them more susceptible to recruitment or compromise.
...
OPM is not alone in neglecting basic security guidelines spelled out for them by both federal regulations and executive orders for much of the past decade. Even those agencies that have implemented systems to comply with the letter of FISMA (Federal Information and Security Management Act) and other regulations have had problems keeping on point because of the constantly changing nature of information security threats. And the complex plaque of information systems that agencies have built up often defies any sort of security management because the vendors who built many of the systems have long since disappeared.

By and large, government agencies in the last 20 years have become increasingly dependent on outside contractors to provide the most basic of information technology services—especially smaller agencies like OPM. The result has been a patchwork IT systems and security, and the Office of the CIO at OPM has a direct hand in fewer and fewer projects. Of the 47 major IT systems at OPM, 22 of them are currently run by contractors. OPM's security team has limited visibility into these outside projects, but even the internally operated systems were found to be lacking in terms of basic security measures.

In addition to the above it turns out that the contracts often had foreign nationals, including some located in the People's Republic of China, servicing them.  It just doesn't get any better than this. (remember back in the good old days when the world was all atwitter about how Obama was going to revolutionize technology in government beacuse he carried a smart phone and he didn't want to give it up?  I long for those days)

Related Idea:  There is a big push (well 4 or 5 nuts somewhere in CA) to require all kids to learn to code in school.  Fine I will back that if we also require a basic cyberhygience class. That includes things like using encryption and multifactor authentication, patching your systems, how to spot a phishing attack, how to read terms of service etc.  

Bloomberg Business Week - Instacart Reclassifies Part of Its Workforce Amid Regulatory Pressure on Uber -

I am not real sure who Instacart is, but this is obviously in response to the California ruling that found a woman was an Uber employee, not a contractor (the CEO denies this and claims it is for customer service reasons).  And probably also in response to articles like this

Pando - Uber stops people from carrying guns on vehicles it doesn’t own driven by people it doesn’t employ -
there’s still something funny about Uber making a rule that stops people from carrying firearms onto vehicles it doesn’t own that are driven by people who are considered “independent contractors” instead of actual employees
Aamzing, something I agree with Pando on.


.

Saturday, June 20, 2015

Regarding my "Currently Reading" list

Yes I know it is looking a little static.  There are reasons -

1.  I am currently working on a Risk Management Class - which ties in with The Definitive Handbook of Business Continuity Management:2nd (Second) edition, one of the books on the list.  It will probably be up there for the next couple months.

2.  Work occasionally requires that I do outside reading, like that mentioned in the previous post, since most of that is transient reading I don't post it in the list, but it eats into my time for working on the books listed.

3.  Have you ever read some of these books?  They are not page turners.

4.  I am actually making progress and I intend to finish off one or two in the next week to week and a half.

That's my story and I am sticking to it.  BTW I am looking for suggestions for replacement reading as books come off the list.

Interesting Series on Software Defined Networking

 I was planning on integrating this is with a couple other things, but I was deathly ill yesterday (as I posted on my twitter feed but did I get any sympathy? Nooooooo...) so it didn't happen.

Anyway at work I am on a team that is trying to increase security and integrate some ideas for smart substation implementation while moving towards NERC-CIP v.5 compliance.  (I know, I know, "but Chad you're a moron.  How can you be on this team?"  I said I was on it not that I contributed anything useful)

As part of that effort we had a vendor visit a few days ago.  Part of their demo was a discussion of their newest SDN switch.  I have to admit that I am only vaguely familiar with SDN (as in I know that they are 3 letters in the alphabet) but I knew enough to ask a couple reasonably intelligent (hah!) questions, recognize that the rest of the team was immediately smitten by this new threat to my professional existence and realize I better start doing some reading on the subject.  Google being my friend (well no, Google hates me like everyone else but being a computer program it does have to return answers) I found this series of articles: The New Stack - SDN Series

I admit I haven't read all of them yet but I have skimmed them all and they seem fairly straightforward, easily understandable and relatively well written.  Of course these aren't going to be my only resource but "Software Define Networks for people to dumb for the For Dummies books"  hasn't released yet.

Thursday, June 18, 2015

But wait - Proposition 8, Javascript creator Brendan Eich is trying to kill it with new language - Webassembly

Dubbed WebAssembly, the new effort is a kind of successor to Asm.js, the stripped-down JavaScript dialect that backers describe as an "assembly language for the web." Like Asm.js, it executes via a JavaScript engine. The difference is that WebAssembly is a new, low-level binary format, like a bytecode, which allows it to load and run even faster than Asm.js.
The long-term goal, Eich said, is for WebAssembly to become a kind of binary object format for the web, one that can be used as a compiler target for all kinds of languages - including but not limited to JavaScript.


But it was really, really, important that the Mozilla Foundation dismiss him because of his opposition to gay marriage.