Thursday, March 29, 2018

Georgia leads in privacy legislation

Credit reporting agencies collect data on you. Then they charge customers (banks, or others considering loans) money to use that data. They also charge you to try to protect that data.

When one of them, Equifax, was breached, it affected 143 million Americans. I tried over 10 times to freeze my accounts, waiting on hold for hours. In 2018 Congress decided to take no action, even though the breach may have been more serious than initially realized. Some even claim this treasure trove of data is a ticking time bomb waiting to go off again.

A spot of good news: the Georgia Senate voted 51-0 on Thursday to give final approval to a bill that would prevent credit reporting agencies from charging customers to lock their credit reports. A locked or frozen credit report can't be changed.


Friday, February 16, 2018

A look at currency in 2018

Could Currency Be Destabilized?


In 1933 the United States began to move away from the gold standard; the process was completed in 1971. To destabilize the currency of a country on the gold standard you would need to:
- Invent a method to produce lots of gold very cheaply, OR
- Run in with lots of tanks and GI Joes and steal their gold.

Most of the world depends on fiat currency, where the value of money is related to the power of the nation, its sovereignty, and its balance of trade. It's essentially a trust model, and it has worked well and still works. The question is: are there chinks in the armor?

Growing evidence indicates a variety of attacks could cause significant economic harm to a target. An attack specifically designed to destabilize a currency might now be possible, especially if sponsored by a party with significant economic power (i.e., a major country) or executed with precise timing during a period of high stress on the economy.


Internet-based Electronic Warfare

Traditional economic warfare seeks to disrupt the flow of commerce in a nation or reduce the confidence or willingness of participants to engage in economic activity. In the Internet world, the main tools are denial of service, identity (or information) theft, and fraud.

Paul Kanjorski, the chairman of the House financial services subcommittee, went on C-SPAN on January 27, 2009 and said that $550 billion was withdrawn from money-market accounts on September 15, 2008 in the space of "an hour or two", that Treasury "closed down the money accounts", and that if they hadn't done so, "by 2 PM that afternoon $5.5-trillion would have been withdrawn". The speech is documented on YouTube (hang tough till you get past the panicked lady).[1] Kanjorski further said that if the Treasury had not responded by guaranteeing $250,000 per account, the entire economy of the United States would have collapsed, followed by the rest of the world within 24 hours. If you are interested in learning more about what actually did happen that week, I suggest Felix Salmon's blog posting.[2]

You may not have heard about this on mainstream media, because it does not appear to be based on solid sources, though it would make an excellent novel. However, there are chinks in the US Treasury: in a Moody's Triple A bond rating, the US and the UK were put in a class above that of Spain and Ireland, but below Germany, France, Canada and the four Scandinavian countries.[3] In 2008, WorldNetDaily reported: "'We decided to raise the flag,' Tom Lemmon at Moody's told WND, 'because the underlying credit rating of the U.S. government faces the risk of downgrading in the next 10 years if solutions are not found to our growing Medicare and Social Security unfunded obligations.'" In May 2009 Standard & Poor's released a warning over Britain's credit rating, though they did not actually downgrade it.

Economics of Currency Trading

The valuation of currency, at least in economies using "fiat" money, is based on the perception of that currency's general worth. This perception is based on several factors: the strength of the economy behind that currency, the willingness of governments to invest in that economy, and general geopolitical factors. For instance, the perception that the United States is overextended with its trade and budget deficits could adversely affect the valuation of the dollar.

Those who buy and sell currency each day, currency traders, are considered a savvy bunch. Because the information they rely on to make decisions crosses international boundaries into countries which may not necessarily be open with information, they have to rely on both conventional and unconventional information sources. In order to have a successful impact on a currency's value, one would need to change the perception of the bulk of these currency traders.

Likelihood of Success

There are plenty of analogous examples showing that short-term influence can be exerted on the valuation of stocks and similar assets. For instance, several companies have been subject to false press releases that had dramatic effects on their stock prices. In those cases, the perpetrator was caught quickly and the stock resumed its previous value. People were able to make money trading options on that stock, but the long-term fundamental value of the company remained unchanged once people discovered the fraud.

This would likely be true for currency as well. Currency traders, a savvy bunch, might be duped into believing false information that could cause a run on the currency. But value shoppers would likely spot the scam and buy low, and people would rush back in after the fraud was discovered. In the cases of manipulation of stock prices, the fraud was discovered in days, if not hours. If a similar fraud were attempted on a currency, the full weight of that nation's government would be brought to bear to fix the problem quickly.

In order to have an impact on an economy the assets involved would have to be significant. For instance, the United States had a Gross Domestic Product (GDP) in 2008 of US$14.3 trillion.[4] Even launching an attack with $100 million would be like trying to bankrupt a major international corporation by running out the door with a fistful of nickels from petty cash.

One successful attempt at currency manipulation (or savvy investment, depending on your opinion on the matter) was Black Wednesday in 1992. George Soros bet 10 billion pounds against the Bank of England and broke the currency.[4] In that case, England's currency was already having problems and Soros was the "straw that broke the camel's back". At that time, he used an amount of money roughly equal to 1.5% of Britain's GDP. With significant investment of resources, a currency "on the brink" can be successfully attacked.


Concerns from Asia

Dr. Manzur Ejaz blogs that "Recent currency destabilization in the East Asian countries (Thailand, Philippines and Malaysia) by international speculators was a preamble to an unfolding of a broader picture." And a PBS interview with Dr. Mahathir bin Mohamad describes the havoc he has had to deal with concerning the Malaysian currency: "In the old days you needed to conquer a country with military force, and then you could control that country. Today it's not necessary at all. You can destabilize a country, make it poor, and then make it request help. And [in exchange] for the help that is given, you gain control over the policies of the country, and when you gain control over the policies of a country, effectively you have colonized that country."

Cryptocurrency

One of the main attractions to investors (other than hoping they will get rich quick) is that the currency is outside of nation state control. Nations such as Venezuela have floated the idea of nation state sponsored cryptocurrency, in this case backed by oil reserves.

It will be years until we know if this is a lasting idea. For now we can simply watch the rise and fall, but one big idea in cryptocurrency is the coin trader. If you have X branded digital assets, you can use a coin trader to make a purchase from a seller that requires Y branded assets.

This is not limited to digital money. Ripple has two payment products for banks: xCurrent and xRapid. Only xRapid utilizes Ripple’s XRP token. Many banks are testing/using xCurrent. Western Union just became the fifth customer to test xRapid.

This is important because one of the most important measurements of money is velocity: how fast the money can be spent and reused. Coin traders and trading instruments like Ripple greatly accelerate the velocity of money.

With these incredible advantages come risks. Coin traders can be, and have been, hacked and robbed; after all, digital currency is bought and sold using imperfect computers. And speed also means that if it goes bad, it can go bad quickly. The idea of a trillion dollars in value destroyed in the wink of an eye is becoming possible.

Debt, Inflation, Hyperinflation


A result of leaving the gold standard for most nations was the creation of debt. In the US today, we have record levels of personal, corporate, and national debt. Inflation is the friend of debt. If I borrow $100 from you and inflation occurs, the dollars that I pay you back with are worth less than the dollars I borrowed, i.e. I borrow $100, but pay you back with the equivalent of $85. However, one of the main jobs of the Fed in the USA is to ensure inflation does not morph into hyperinflation, where it takes a wheelbarrow of money to purchase a loaf of bread.

Summary

In order to have anything but a short-lived and transitory effect on the value of a currency, it would take a significant amount of assets, plus other factors that have already placed the currency in a weakened state. With the combined weight of a government that has a vested interest in correcting deception and savvy investors who would quickly discover it, perception-based electronic attacks would not be likely to succeed.

It is possible that a large-scale denial of service attack could disrupt an economy enough to eventually lead to currency devaluation; however, the scale would have to be many orders of magnitude larger than has yet been seen. September 11th showed that the American economy can sustain several days of suspended economic activity, and few denial of service attacks have been sustained for that long.

In short, without the full backing and commitment of another nation, a significant investment of resources, and a willingness to be identified (at least as a nation) as being behind the attack, direct long-term currency manipulation is not likely. If anyone can disrupt the US economy, it is China: they hold something on the order of $2 trillion in US debt. They would have to take a loss to do so, and the impact on the yuan, which has been tied to the dollar for a very long time, cannot be calculated.[6]

This article is based on earlier research by John C. A. Bambenek and Stephen Northcutt.
John Bambenek is an academic professional at the University of Illinois at Urbana-Champaign and a handler for the Internet Storm Center.

1 http://www.youtube.com/watch?v=_NMu1mFao3w
2 http://seekingalpha.com/article/120220-kanjorski-and-the-money-market-funds-the-facts
3 http://uk.reuters.com/article/UK_COMKTNEWS_MORE/idUKLB77042220090212
4 http://en.wikipedia.org/wiki/United_States
5 http://cse.stanford.edu/class/cs201/projects-98-99/financial-transactions/large_investors2.htm
6 http://seekingalpha.com/article/120547-why-china-can-t-dump-u-s-treasuries
Additional links:
http://www.wnd.com/news/article.asp?ARTICLE_ID=59692
http://www.washingtonpost.com/wp-dyn/content/article/2009/05/21/AR2009052104401.html
http://www.letstalkfutures.com/2009/05/28/can-the-us-lose-its-aaa-credit-rating/
http://users.erols.com/ziqbal/oct5.htm
http://www.pbs.org/wgbh/commandingheights/shared/minitextlo/int_mahathirbinmohamad.html
https://commodity.com/blog/hyperinflation/

Friday, January 26, 2018

Tips for success: How to draw a simple historical map

We will use the land given by God to Israel for this example.

1) Locate that part of the world. Joshua 1:4 NIV
Your territory will extend from the desert to Lebanon, and from the great river, the Euphrates—all the Hittite country—to the Mediterranean Sea in the west.

We are in the Middle East.

2) Orient your paper; North usually points to the top.

3) Find the edges. Use a search engine to find a map that is bigger (covers more territory) than you need. That is to prevent you from running out of paper. We need the boundaries for North, South, East, West. Here is one map that has Lebanon, the Euphrates, and the Mediterranean Sea marked. Now we need to find the Hittites; check several maps, it is that blob between the Black Sea and the Mediterranean Sea.

4) Use a pencil so you can erase if you are badly out of whack.

5) The Euphrates is a boundary. It goes on the East (right side) of the paper. It travels South East (down and right) and ends in the Persian Gulf, a handy landmark. The river should go from the top of your paper to at least the bottom third. When you draw a river, use this pattern:  ... ____ ... ____

6) The Black Sea. We don't know exactly where the Hittite boundary is to the North, but putting in a bit of the Black Sea will give you a handy landmark. It goes on the top left of the paper. When you draw a sea, add some parallel lines in areas you are not using for labels.

7) The Mediterranean and Red Seas. These go on the left side of the paper and are essentially the same down and right angle as the Euphrates. Make sure to leave some room on the left hand side of the paper for Egypt.

8) The desert. We do not know the boundary exactly, but it terminates to the North at the Mediterranean Sea. It runs South in a strip of land to the West (left) of the Red Sea. It runs South to about even with the South end of the Euphrates (where it terminates in the Persian Gulf), and from that Southern point, East to the Euphrates.

9) Modern cities. One of the easiest to place is Beirut, because it is in a bend of the Mediterranean Sea. That makes it easy to locate and position Damascus.

Monday, January 8, 2018

Tips for Success: Description for an optional talk

There are two types of presentation opportunities: mandatory and optional. This post is a discussion of the latter.

The two pieces of information that your prospective audience uses to decide whether or not to attend your talk are the title and the description. The title is discussed here: https://securitywa.blogspot.com/2018/01/tips-for-success-selecting-title-for.html

After a reader looks at the title, they decide whether to inquire further; that usually leads to the description of the talk. It may be called the introduction, summary, abstract, or something else, but for it to be useful it must describe what the talk is about. For this reason, we are using the term "talk description".

A talk description is similar to an abstract: it should be short (target 200 words; shorter or longer may make sense). It should cover the four Ws: What, Why, When, Where. The better ones inform, delight and invite.
- We inform by briefly covering the subject matter of the talk (what).
- We delight by sharing an insight, touching on a shared emotion, giving the potential audience a reason to want to attend our talk (why).
- We invite by making sure they know they are welcome, covering the when and where, as well as any costs or requirements.

It should read/play well in both written and oral forms. Some people consume information better by reading, others by listening; the description should support either. Never assume it will only be published in one form or the other. Many speakers have been surprised by a host "introducing" their talk, which often consists of reading the speaker's bio and talk description. When I was a SANS instructor, we read the "morning announcements" to the class. This included the optional evening talk presenters, titles, and descriptions. Most importantly, the world is changing; ten years ago we consumed most of our information by reading, but today more and more people connect to information by speech and sound (just look for the earbuds).

Tips for Success: Selecting a title for an optional talk

There are two types of presentation opportunities: mandatory and optional. This post is a discussion of the latter.

A quick scan of your local community news, a visit to a conference, the monthly meeting of your organization: all tend to have something in common, optional talks. A busy reader scans the information, making a decision on whether they might be interested in attending.

The headline, the most important piece of information, is the talk title. Consider these five titles taken from upcoming SANS webcasts in January 2018:

Improving Your Defenses - CredentialGuard in Windows 10
What Event Logs? Part 1: Attacker Tricks to Remove Event Logs
Head Hacking
How to Build & Maintain an Open Source SIEM
Are You in Control? Managing the CIS Critical Security Controls within your Enterprise

Assuming you are interested in the general topic of cybersecurity, are there any talks you would reject from further investigation just by reading the title? Do any really reach out and grab you?

Different things appeal to different people; here are off-the-cuff thoughts on two of them:
Head Hacking
= What's that? Probably social engineering. Do I care enough to click to read more?
How to Build & Maintain an Open Source SIEM
= Boring, but possibly useful. I would probably click to read more.

Now let's look at the two longest examples:
What Event Logs? Part 1: Attacker Tricks to Remove Event Logs
= Consider: Attacker Tricks to Remove Event Logs

Are You in Control? Managing the CIS Critical Security Controls within your Enterprise
= This one is hard. The word "control", used twice, has a different meaning in each use. This causes cognitive dissonance. Most people will probably ignore this talk because of its title.

Tips for titles:
- Keep it short, while explaining what the talk is about.
- Feature the subject matter; if you have chosen a subject people want to hear about, they will be interested.
- Avoid humor unless your presentation is about comedy. You are vying for time from busy people.
- Avoid abbreviations and acronyms unless you are certain your audience regularly uses them.

Thursday, January 4, 2018

Tips for Success: Powerpoint summary presentation of a research paper

Executive Summary: the most common medium to summarize research papers has changed, but the underlying concepts and goals remain the same.

Introduction: before the PC and PowerPoint, when you completed your research paper it was very common to create a poster summarizing your paper. Many young scientists and engineers remember what it is like to be one of twenty posters in a large hall at a technical conference. You would stand next to your poster and recite the elevator pitch summarizing your research and paper to other scientists who walked by with glasses of wine and plates of hors d'oeuvres.

PowerPoint: today, instead of a poster, most researchers use PowerPoint and give a short presentation. The goals have not changed; they are:
- To inspire colleagues to read your paper
- To build name recognition for yourself and your work
- To share your passion for a problem, issue, and/or potential solution

Presentations regardless of medium: the same guidelines apply whether the medium is poster, PowerPoint, or increasingly, short video presentation:
- Match your presentation to your audience's knowledge level. If they are working in the field, do not waste their time with the basics.
- Focus your message: what are the three golden nuggets you want them to "take away"?
- Convey your message visually. Avoid tiny print, very busy slides, charts that do not actually inform, and be aware of red/green colorblindness with both the slides and laser pointer.
- Distance: be aware of the distance between your screen and the audience. This applies to live presentations and presentations viewed over the Internet. In a large room, people sitting in the back row may lose out, but people in the middle of the room should be able to understand.
- Remember some of your audience may be non-native English speakers or from a different culture; be careful with jargon, jokes and idioms.
- Be professional, avoid "cutesy slides", be consistent with fonts and font sizes.
- Be organized, tell them what you are going to tell them, tell them, tell them that you told them.

1.1: Added fonts and font sizes; thank you S. Ramsey.

Tips for success: The Research Proposal

There is a “chicken and egg” problem associated with almost all research proposals. Before submitting the proposal, the student is expected to:

1) Come up with an idea of something they would like to research.

2) Conduct first level research (also known as Google, and perhaps other, searches), looking for information related to the topic. When you fill out the research proposal, this is the information that is referred to as:

Review Existing Literature.
- As you learn more, by reviewing literature, it should be possible to refine your topic idea.
- You may also discover that your initial topic has been heavily covered by material that has already been published.
- If the topic has been researched and the results published, then there may be a more focused approach to the general topic area that is not already researched and published.

Please go through this process before filling out and submitting the research proposal. With that in mind here are some tips for the remainder of the research proposal:

Discuss the literature. The template states between 2 and 5 pages. There is a danger in being wordy: your thoughts and intents may be lost. Make your first effort to explain your research topic idea in the context of existing literature in 2 pages. If you need more that is fine, but, in general, do not feel like you need 5 pages.

Identify the research question. This is where the faculty research committee that evaluates your proposal will turn first. What is the problem you are trying to solve? If you are having a hard time putting that into a paragraph, that could be a bad sign. The research question should be obvious to you and to others.

Research methods. If you have a topic and question and there is no way to conduct original research to prove or disprove a thesis, this is not a workable proposal. We understand that some of this has to be figured out as we go along; that is what research is all about. However, it is imperative that you have a way to start. Hope is not a strategy; have a plan on how to prove or disprove your thesis.

Significance of the study. We are talking about a lot of work; let's all agree this is worth doing before we dive in.

Proposed title. This comes last for a reason. At this point you have given this a lot of thought. They tell writers that your title is your contract with your audience. Try to avoid cute titles; you would be amazed at some of the title proposals that are submitted to the committee. Instead, try to summarize the point, the thesis, in a single title. If you absolutely need a subtitle the world will not come to an end, but precise and concise is best.