Memory Lane: Syria & the Model UN

In 1992 or 1993 (memory is a little fuzzy), I was part of the Model United Nations and the country we were representing was Syria. I remember thinking “I know nothing about Syria” and having to cram as much information as I could to prepare. There was a delegation of us, I think… 8? 12? I just remember probably six of us crammed into a hotel room in New York, where the final event is held, toward the end of the school year. It was my first trip to New York, and I learned a lot.

West Point had, if I remember correctly, Burkina Faso. I do not know why I remember that. I just remember seeing what looked like two very white bro-dudes representing Burkina Faso and then looking at our delegation of mostly female persons representing a country that only superficially extended any rights to female persons.

To establish the zeitgeist of the moment: the US had just “won” the first Gulf War (fun fact, I was on an airplane to Australia for the student exchange when we declared war. The pilot shared that on the overhead. I and some 30 other exchange students didn’t know what to do with that), and the “Middle East” was and had been for some time a scary place (inasmuch as all the news we got at the time was about scary things happening there). There was no internet (or none that was easily navigable), and news was something you either got from a physical newspaper or from 6pm-8pm on TV. Heading to New York to effectively pretend to be Syrian, as a female person, in the company of *mostly female people*, was going to be an interesting prospect.

It was straightforward – act in “your own” interest. In the case of Syria, that was the interest of a wedged country: Syria participated in the Gulf War on the side of the US (because the alternative was siding with someone who would be interested in invading Syria) but also had a history of cracking down (murderously) on its own people. On one hand, Syria could simply be oversimplified into “bad guys in the Middle East that we had to work with against a worse guy” (plus assorted other stereotypes), and on the other hand, how do you concentrate millennia of cultural history into context for play-acting over 3 days? Not terribly well.

In subsequent years Syria remained a talking point on the nightly news as a Player In The Middle East, and the older I got the more I understood (or thought I did) about how they moved in their local sphere (or internationally). Remembering my time in the Model UN meant I attached a little asterisk in my head to mentions of Syria, thinking back to “oh remember when you oversimplified their international stance over a 3-day period in an ironically mostly female representation?”

All is not wine and roses in Syria now; they still have crushing poverty and homelessness; they still need medical support and humanitarian aid. Yet this morning, I opened up the latest article in my inbox from the Economist to see that Syria is the Country of the Year: much improved and more democratic (yes, a subjective take), having shed itself of a dictatorship (and put some measure of stability in place in the ensuing year). It had stiff competition, as noted in the article, but really, a transformative year. One that cannot, and should not, be oversimplified.

You can donate to UNICEF in support of Syria here.

If you’d rather donate closer to home, you can donate to Habitat for Humanity here.

You can learn more about the Model United Nations here. Most schools have to fundraise for their delegations and materials, so if you have an alma mater and if you have an interest, you can reach out to them and provide support.

It’s the Most Wonderful Time of the Year, Part II

Working on the premise that during these holidays you find yourself in situations where you are “the explainer” and/or see the need to be one, here’s a guide on what you can do about data.

Specifically, your data. Or encourage people to do with their data.

The very first part of this is a bummer so you may want to pull up a glass of eggnog while choking this down (if you aren’t already choking on the eggnog): your data is not 100% private no matter what you do. Not ever. The only things you can control (somewhat) are the extent to which it is shared and the compartmentalization of that sharing, so as to reduce the amount of destruction that can happen with a Data Breach. The other bummer with Data Breaches is that they are not something YOU did wrong: some entity that was responsible for storing data was infiltrated by Bad Persons who now have your data. Even if you had a unique password, even if you had MFA. Usually what gets stolen is some mix of identifiers (email addresses, usernames, the “ID” half of your credentials) plus whatever else that company kept about you. Passwords are supposed to be stored “hashed” (a one-way scramble the site can check your password against but cannot reverse back into the password), and things like card numbers and social security numbers are supposed to be encrypted or tokenized rather than sitting in plain text. That said, there are clever hackers and there are dumb companies, so you don’t want to trust that everything works “the way it is supposed to”.
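As an added illustration (not code from the original post), here is what “hashed” means for a stored password, in Python: the site keeps a random per-user salt and a slow one-way digest, never the password itself, so a leaked database gives the attacker something to guess at rather than something to read. The iteration count and the sample passwords are choices made for the example, not a statement about what any particular site does.

```python
import hashlib
import hmac
import os

# Added example for this post, not code from the original. Demonstrates what a
# site is supposed to store instead of your password: a per-user random salt
# and a slow one-way digest (PBKDF2-HMAC-SHA256). The work factor below is an
# assumed value chosen for the example, not a statement of what any site uses.
ITERATIONS = 600_000


def make_record(password: str) -> dict:
    """Build the stored record for a new password: fresh random salt + digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute the digest for the candidate password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def same_password_looks_same(password: str) -> bool:
    """Two users with the same password: do their stored digests match? No, the salt differs."""
    return make_record(password)["digest"] == make_record(password)["digest"]


if __name__ == "__main__":
    # Constructed sample credential for the demo.
    stored = make_record("correct horse battery staple")
    print("stored record:", stored)  # salt + digest, the password appears nowhere
    print("right password:", verify("correct horse battery staple", stored))   # True
    print("wrong password:", verify("correct horse battery stapler", stored))  # False
    print("same password, same digest?", same_password_looks_same("hunter2"))  # False
```

The point for the holiday explainer: if the breached company did this, the attacker has to guess each password and pay the PBKDF2 cost per guess, which is why a unique, long password still matters even though the breach itself was not your fault. If the company stored plain text, none of that helps, which is why you change the password anyway.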

The following are suggestions for discussion/implementation as you get called in as The Person Who Knows These Things. If you actually do get a data breach, the most immediate steps are:

  1. Change the password for the given site(s) that was(were) breached.
  2. Check your credit cards/bank accounts to see if there are any fishy charges.
  3. Make sure those accounts have 2FA turned on.
  4. Pull a credit report and freeze your credit – and in the credit report look for anything fishy (new accounts, for example).

Otherwise, we’ll assume the time slots you have below are based on how much time you have — or are willing to have — to disseminate knowledge :).

15 Minutes

With 15 minutes you have a selection of things you can do/advise:

  • Unique passwords for each site (at least, at the very least, for anything tied to finance – bank cards, store cards, etc.) – this reduces what a potential attacker has access to if there is/was a data breach with that one site. With 15 minutes you probably can do like, 2, but you can include the explainer on why they should do this for the rest of their sites.
  • Provide an explainer on data breaches:
    • They are somewhat inevitable because no system is perfect,
    • This is why you don’t want to do things like store credit card information with retailers or on your browser,
    • This is why people should have two emails (or more) – one that all their finance stuff goes to vs. the “spamhole”,
    • This is why you activate 2FA or MFA on all your stuff (again, if data found in data breach is being leveraged by bad guys then at least make it a little harder for them).
    • Whenever you get a notice of one you change the password on that site – and any you think may be tied to it – immediately.

30 Minutes

  • Show them how to freeze, and temporarily unfreeze, their credit, and why.
  • Discuss options like DeleteMe.
  • Take the free credit monitoring
    • Almost every data breach notification comes way too late after this particular horse is stolen from this particular barn, BUT, free credit monitoring is free credit monitoring.
      • When they sign up for that it should be with a unique password.
      • Put in a reminder for a couple of weeks before the monitoring is set to expire so they can decide whether to continue it on their own payment or cancel it once it is no longer “Free”
        • (An unfortunate reality is with the frequency of data breaches you could probably stack these 😦 ).

45 Minutes or Longer

  • Get a Password Vault app (e.g., Bitwarden) and an Authenticator app installed
  • Set up that 2nd email and update accordingly to financial sites
  • Google yourself and see what comes up. If you don’t want whatever does come up, file a request with the owner of that site or leverage something like DeleteMe.

The last thing I’d point out is that there is an astonishing amount of information out there on you that is publicly available. County assessors include your information and real estate tax information publicly, county and state court websites have records, etc.

The Real World

I will end with an example: recently, some folks I know were buying a house here in WA. Specifically in King County. They had seen a house, and they wanted to know more about it. Naturally, working with a realtor, they got some information. However, through about 15 minutes of searching, I could see: every permit that had been applied for, and accepted/rejected (and why) for that house, the previous homes the current owner lived in, how much they bought and sold those homes for, the current owner’s court records including their recent altercation at their house, a speeding ticket, their previous marriage, their previous divorce settlement, their current partner, their place of employment, their previous employment, the location of their families across the country, their voter registration, etc. etc. This is/was all publicly available data; I didn’t have to pay anything or even register anywhere to search it. Bonus: the folks I knew were checking with their own realtor about their own house to see how it was titled, and I was able to pull their title (an actual copy of their title) in 5 minutes.

This is what I mean when I say you will not be able to be 100% private. Certainly, there are ways to obfuscate this: you can get court records sealed, you can register your home in the name of a trust or a shell company, you can scrape your name off of as many sites as possible, etc. When you get the notice of the data breach, pay attention to what was breached – and respond accordingly.

It’s the Most Wonderful Time of the Year, Part I

As we sit in meetings and hear “yeah, so let’s circle back to that in the new year”, as we receive out of office emails, as we get quite literally bombarded with solicitations (to go buy things or donate money), we find ourselves yet again at the end of a calendar year, heading into “the holidays”.

It is “the holidays” because it incorporates a selection of them with a variety of observances and customs, and I can get behind any seasonality that involves getting together with the ones you love and eating things. Oh, and pretty lights.

This is also the time of year where you may be dragged into being tech support for a friend or family member and remember that it is an honor and a privilege: You Are the Techie Person. You get to say stuff like “it works on my machine” and “have you tried turning it off and turning it on again”. Practice holding your coffee mug in your non-dominant hand while gesturing at screens, it will help.

If, however, you do not want to spend all of your time at a gathering doing tech support, and you’ve allotted a specific amount of time to do the Good Work, here’s some suggestions. For all of these you should explain to the recipient what you are doing and why, so they understand when things change. It also means that they can’t wander off and leave you by yourself to play tech support (unless you, and they, want it that way).

15 Minutes

With 15 minutes, grab the phone(s) of the intended persons (WITH THEIR PERMISSION) and:

  • Ensure they are updated with the latest patches – this will help guard them against security issues and could help performance.
  • Adjust the text sizing/accessibility features as needed – sometimes these are hard or confusing to get to.
  • If the phone is a sea of apps, make sure they know how to search for apps and/or reconfigure their first page of apps to the ones they use the most.
  • Establish a family code word for human MFA. Voice cloning and real-time deepfakes have gotten good enough that if Grandma gets a call from her “Grandson” explaining he’s in jail / trapped in a town someplace else / needs money, Grandma can ask for the passphrase. The kid will know it, the AI will not. (You may need to show Grandma some examples of real-time deepfakes, so she understands what the bad guys can do.)
  • Depending on the state of the person and what kind of support you do, you may want to enable location sharing to you. If you do that explain why.

30-45 Minutes

With this additional time,

  • Make sure they are storing passwords someplace safe. IF THAT IS A PIECE OF PAPER, make sure they understand that that piece of paper needs to be hidden and not just hanging out and visible to anyone who visits the house. Pitch solidly for a password manager — the one Apple has built in is fine; Bitwarden is good too.
  • Make sure they understand to NOT STORE THEIR CREDIT CARD INFORMATION IN THEIR BROWSER. If they are doing that, walk them through why it needs to be removed (a malicious extension, a synced browser profile, or anyone who sits down at the unlocked laptop can get at it), and teach them how to use Apple Pay or PayPal, which hand the merchant a token instead of the actual card number. Yes, this may take more than 15 minutes.
  • Walk them through how MFA works (if they don’t already know it) and ensure it’s set up for any/every instrument tied to money (bank accounts, shop/store accounts, subscriptions, etc.)
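To make “how MFA works” concrete, here is an added example (not from the original post) of how an authenticator app computes its six-digit codes: HOTP from RFC 4226 and its time-based form TOTP from RFC 6238, in Python, using the test-vector secret published in those RFCs so the outputs can be checked against the standard. Notice that the code depends only on the shared secret and the clock, not on which website you type it into; that is exactly why a look-alike site that relays your code works, and why hardware keys and passkeys, which are bound to the real site, are the stronger factor.

```python
import hmac
import struct
import time

# Added example, not code from the original post. Computes the codes an
# authenticator app shows, per RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret
# below is the test-vector secret from those RFCs, used here so the outputs can
# be checked against the standard; a real enrolment uses a random secret shared
# between the site and the app (usually handed over as a QR code).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """TOTP: HOTP where the counter is the number of `step`-second slots since the Unix epoch."""
    return hotp(secret, at_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current slot plus `window` slots either side for clock drift.

    Note what is NOT checked: which website the user typed the code into. The code is
    purely a function of secret and time, so a phishing page that relays it promptly
    passes this check just as well as the real user does.
    """
    return any(
        hmac.compare_digest(totp(secret, at_time + k * step, step, len(code)), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0))                 # 755224   (RFC 4226 Appendix D, count 0)
    print(totp(RFC_TEST_SECRET, 59, digits=8))      # 94287082 (RFC 6238 Appendix B, T=59, SHA-1)
    print(totp(RFC_TEST_SECRET, int(time.time())))  # what an app seeded with this secret shows now
```

When you walk someone through this, the two things worth saying out loud are that the app does not need the internet (it is just doing arithmetic on a secret and the clock), and that the code is only “yours” for about thirty seconds, so anyone who asks you to read it to them over the phone is asking for a live key, not a harmless number.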

An Hour or More

  • Check to see if the router ADMIN password is unique and not the one the router shipped with. If it is still the default, change it, make sure they add it to whatever they’re using to manage their passwords, and explain to them why (I find it useful to use the “Garage Door Opener” example: there was a thing a few decades back where folks discovered that if you bought a garage door opener and drove through neighborhoods eventually you’d find one you could open).
  • Make sure their Wi-Fi is not open for all: it should be password gated (WPA2 or WPA3, not the old WEP) and that password should be stored accordingly.
  • If you have crazy amounts of time and inclination – let’s say you’re visiting from out of town and staying at the house a few days? –
    • Consider setting up a guest Wi-Fi and/or IoT Wi-Fi network. Separate things-that-touch-money from “smart” things (e.g., smart fridge, smart thermostat, etc.), and also separate “visitors”.
    • Go through browser hygiene on all machines – how cookies work, what you do and don’t get for them (explain that this is how Facebook knows you were shopping for boots).
    • Make sure machines are on auto-update for patches.
    • Consider getting a separate authenticator, and walking them through how and why to use that.
    • Explain passkeys.

Stocking Stuffers

  • Don’t plug your phone in to charge at any rando USB port. Instead, use a USB Condom (a USB data blocker: a little adapter that passes the power pins through and leaves the data pins disconnected). And with this, let the recipient know that they should never have to download an app just to charge their devices.
  • You can also get them a portable charger, especially if they travel a lot.
  • Bitwarden has a free tier but also for $1/mo or $3.33/mo you can get extras.
  • Ghostery is free but does accept donations.
  • Signal is free but does accept donations.
  • Credit Monitoring – even though we all get it “free” every time one of our accounts is compromised, it’s a good idea.
  • Authenticator Apps – Wirecutter and PC Mag have covered these.

Next post: why the Credit Monitoring is a good idea, and how to deal with the never-ending Data Breach issues.

One Foot in Front of the Other

One of the things I do to relax – particularly when I need the hands to be doing something (e.g., knitting project, cross stitch project, etc.) is “watch” YouTube. I have a handful of subscriptions but the ones I’ve enjoyed most of late are History Hit and the “Tech Support” series from Wired. The most recent one I watched was with a polar explorer, and I listened as he answered questions from a wide selection of forums.

In answering one of the questions, he started talking about a time he was on day 4 or 5 of a 50-day solo expedition – this guy legit goes out there with a tent and a stove and assorted gear and no one else — and he lost his iPod. (His white iPod, in the snow and ice, the irony of which was not lost on him). It meant that for 45 days then — if he was to continue — he was alone with his thoughts. No podcasts, no music, etc. This was disheartening and he had to park himself for a bit to work through a mental impasse; he ended up using his satellite phone to call a friend who in turn talked him through how to deal. Then he continued, for the remaining 45 days, with only his thoughts. As he put it: he started by putting one foot in front of the other, for a thousand feet, and just kept doing that.

I will not even pretend that anything I do in life is that hard. There’s not a chance. I can still take a lesson from it.

If you are at this moment a corporate worker bee of some sort, you are very likely watching as coworkers get Reduced in Force, as the job market dries up, as we are increasingly asked to do more with less in the name of Efficiency and Cost Savings. AI, whilst somewhat useful for the basics, hasn’t (yet, knock wood) really replaced human capability (barring the impression some CEOs have). The more load you pile into a machine (think of increasing the number of pages you put through a shredder each time) the more bogged down it gets, the less productive it is, or feels.

It’s review season again where I work, meaning that each person sets aside a nominal period of time (some do this in 20 minutes, some do this over agonizing hours) to identify their *impact* over the last 6-ish months. Not delivery.

You can have a lot of delivery with little impact. If you ship a bunch of code and no one uses it, you had a lot of delivery, and not much impact. If you write a lot of docs and no one reads them, ditto. You can mop the floor six times a day 7 days a week but if no one is walking on it there’s not much impact. I’m not even going to pretend that this is in the sole control of the worker bee: oftentimes we are directed to Do the Thing and if your boss tells you to Do the Thing you Do the Thing because capitalism and rent and groceries.

Whereas you can *feel* like you’ve delivered relatively little but had serious impact. It’s a bit of “proving a negative” but if you are beating your head against a wall with a project and making only the slightest headway, *but still making headway*, that can be impact – because you’ve either found a way to NOT do it again (hey, document that so others can learn) or you’ve blazed the trail and figured out how it was supposed to go, so others can find it easier (and hey document that too). *Someone* had to do it first, and it wasn’t going to be easy. It’s also not what we normally think of when we think impact.

Dollars. Views. Customers. Reduced time to X. We tend to think about impact in objective numbers and quantitative measurement. There is also room for qualitative feedback and the value of pivoting. There is value in slogging through things but, and I want this to be copiously clear, there is no value in slog for slog’s sake, and having to repeat a slog. If you’re the first one to explore and slog, share that out so it’s less of a slog. If you find yourself slogging through the exact same stuff with the exact same people, it’s time to convert that into impact – pull back/up/out and figure out how to break the cycle (if you can).

I am equally not going to pretend that it’s that simple: there are and will be situations in which you’re told to do the thing because you were told to do the thing, in spite of objective evidence that there’s a better/different/more impactful way. The best you can do there is recognize that you’re in a workplace that rewards delivery over impact. If you’re very very lucky, you have an environment, resources, and work community that lends itself to impact over delivery.

And in the meantime, you put one foot in front of the other for the next thousand feet.

Supply Chain Attack: an Explainer

I have told you to Do Your Updates, twice. A good example of why is the recent news about supply chain attacks in popular npm packages, which may mean nothing to you, and I figured I’d break it down.

Firstly, most folks understand that a supply chain is… a chain… of supplies. Tautology aside, it specifically means the chain of manufacturers, people, places, and companies through which stuff flows to an endpoint. Let’s take my fake coffee shop, Bobbucks, as an example. Bobbucks sells fancy coffee and (of course) pastries. Bobbucks does not want to have to run individual bakeries in every city/county/country it operates in, because Bobbucks’ primary offering is *coffee*, not pastries. Therefore, Bobbucks contracts with local corporate bakeries across the world.

Those bakeries make pastries according to Bobbucks standards, but key ingredients are fairly universal: for example, flour. All of those bakeries need to get flour, and they probably don’t all get it from the same place across the world, but there’s a good bet they get it from the same place in a geographic region. We’ll take that part of the chain. Now we have Bobbucks, which contracts with Starbakers for pastries, which in turn contracts with Queen Guenevere Flour company. Queen Guenevere Flour company in turn gets the wheat from Alan’s Wheat Farm.

Those products don’t magically flow, though, so for this supply chain we need trucks, and trucking companies. The trucking companies that are used in each part of the chain are contracted between the two links, e.g., Bobbucks and Starbakers have one trucking company (probably more, but we’ll say one to make it easy) between the two of them; Starbakers and Queen Guenevere Flour may have a different one.

If someone wanted to attack this supply chain, they could do it at different spots, with different results. For example: if someone were to put some laxatives in the pastries at Starbakers, then Bobbucks is unknowingly buying laxative danishes and selling them to people, who will then get sick. Bobbucks will need to do some investigating to figure out where it’s coming from, would probably quickly find the culprit in the danishes, and push back to Starbakers. Now Starbakers has to figure out if it’s one of their staff, or one of their ingredients.

Maybe it *wasn’t* some gremlin at Starbakers, maybe it was a gremlin at Queen Guenevere Flour company putting laxatives in the flour. Or maybe one of the trucking companies. Each company has to spend time and money to figure out where it happened, to rectify it. In the meantime, people need to be notified to get their pastries elsewhere and to take Imodium.

Silly examples aside, you also see this not so much in supply chain *attacks* but as a general “oopsie”, like when a farm with questionable fertilization practices ships a bunch of lettuce carrying E. coli, which then gets washed and chopped up in a processing plant (but maybe not washed enough), which then gets packaged up in authentic Pirate Frank’s packaging for all the Pirate Frank stores, which then ends up in your cart. How many food recalls have you seen lately?

“But Bobbie”, you say. “Bobbie, those are concrete, physical things that move from place to place. How do you attack a software supply chain?”

By poisoning a package. Or several.

As we’ve discussed previously, it is not efficient for you, the developer, to write the code from scratch every time you want to, say, convert Celsius to Fahrenheit. Someone else has done it and published it to a package registry for others to use. If you, a developer, need to create a shiny new website for your Ancient History Studies college courses, you would go searching for a package that already exists on the registry that, say, converts Julian dates to Gregorian dates (or vice-versa). You wouldn’t hand-code it yourself because you value your time and also your sanity.

That registry is visible and, more importantly, the packages on it are open source. That means that if Person A has built that Julian to Gregorian date converter, and Person B has a Mayan Calendar conversion they want to add, they can propose the change publicly (a pull request against the package’s source), and if the maintainer accepts it, it goes out as a new version of the package for everyone. That change is visible, and can be checked by the maintainer, by the registry’s own scanning, and by anyone who reads the code afterwards. There are all kinds of places and ways the content can get scrutinized. Note the catch, though: the scrutiny is on the *source* people propose, while the thing you actually install is whatever version the maintainer’s account publishes. That distinction matters for what comes next.

For each fine cat, a fine rat. A particularly fine set of rats have gone to the very most popular packages – packages that handle string pattern matching, or prettifying things, or cleaning up things, or converting things – and put some poison in them. Sometimes the poison is to capture credentials (e.g., your logins or suchlike). Sometimes the poison is to silently watch what you do on your machine for ages to see if you go to any crypto sites (so it can grab your wallet) or banking or whatever. The little code injection captures what it needs and sends it faithfully off to the architect of this chaos, and sometimes you find out right away and sometimes you don’t.

The thing about supply chain attacks is that it isn’t just you, or a handful of yous. Much like with our flour analogy, those packages get used by Company A to build a thing which Company B buys and uses in their thing, which they in turn sell to Company C. Each of those companies has customers who use their products, and it’s possible a customer is a customer of all 3, so tracing back to “where did this come from and what is it doing” can take an appalling amount of time. Also, it’s not just one package. They use more than just one package. They may use dozens, or even hundreds, throughout a large product offering, and many of those pull in packages of their own that nobody chose directly. And sometimes it’s a combined poison: part 1 of the poison is in package Foo, but part 2 is in package Bar, and engineers tend to use both Foo and Bar.

Once the real origin is figured out, though, time is still of the essence. Companies and developers have to pin to a known-good version of those packages (the last clean one, or the newly published fixed one), rebuild, push those updates out to *their* customers, and *also* treat everything the poisoned code could have seen as exposed: rotate passwords, API tokens and signing keys, re-enroll 2FA/MFA, and check what else was published from any account that lived on a machine that ran the bad package. It’s not enough to take Imodium, you’ll also want a probiotic and lots of Gatorade. And you may stop getting pastries from Bobbucks.
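The first step in that cleanup is finding out whether you even have an affected version installed, including copies nested under other packages that you never chose directly. Here is an added Python example (not from the original post) that audits an npm package-lock.json against a denylist of compromised versions. The lockfile, the package names and the “bad” versions are all made up for the example; the real list for any given incident comes from the registry’s or the maintainers’ advisory.

```python
import json

# Added example, not code from the original post. Audits an npm package-lock.json
# (lockfileVersion 2/3 "packages" layout) against a denylist of compromised
# versions. Both the lockfile and the denylist are constructed for the example:
# the package names and versions are placeholders, not real advisories.
CONSTRUCTED_LOCKFILE = """
{
  "name": "history-site",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "history-site", "dependencies": {"date-convert": "^2.1.0"}},
    "node_modules/date-convert": {"version": "2.1.4"},
    "node_modules/string-tidy": {"version": "1.0.9"},
    "node_modules/date-convert/node_modules/string-tidy": {"version": "1.0.7"},
    "node_modules/colorize-log": {"version": "4.2.0"},
    "node_modules/@scope/pretty-thing": {"version": "0.3.1"}
  }
}
"""

# Constructed denylist: package name -> versions said to carry the injected code.
CONSTRUCTED_BAD_VERSIONS = {
    "string-tidy": {"1.0.7", "1.0.8"},
    "colorize-log": {"4.2.0"},
    "@scope/pretty-thing": {"0.3.1"},
}


def installed_packages(lockfile_text: str):
    """Yield (name, version, path) for every installed package, nested copies included."""
    lock = json.loads(lockfile_text)
    if "packages" not in lock:
        raise ValueError("only lockfileVersion 2/3 ('packages' layout) is handled here")
    for path, meta in lock["packages"].items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # The name is whatever follows the LAST "node_modules/" segment. Scoped
        # packages (@org/pkg) contain a slash, so split on the marker, not on "/".
        name = path.rsplit("node_modules/", 1)[1]
        yield name, meta.get("version"), path


def audit_lockfile(lockfile_text: str, bad_versions: dict) -> list:
    """Return sorted (name, version, path) tuples whose version is on the denylist."""
    return sorted(
        (name, version, path)
        for name, version, path in installed_packages(lockfile_text)
        if version in bad_versions.get(name, set())
    )


if __name__ == "__main__":
    hits = audit_lockfile(CONSTRUCTED_LOCKFILE, CONSTRUCTED_BAD_VERSIONS)
    if not hits:
        print("no denylisted versions found")
    for name, version, path in hits:
        # The top-level string-tidy is clean; the copy nested under date-convert is not.
        print(f"AFFECTED: {name}@{version} at {path}")
```

Run it against your own lockfile by swapping the constructed string for the file contents. The nested string-tidy hit is the case people miss: `npm ls string-tidy` at the top level shows the clean 1.0.9, while the 1.0.7 copy that date-convert dragged in is the one that actually runs.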

So do your updates.

PS – “how were attackers able to poison the packages in the first place?” Phishing. They sent official-looking (down to the return address) scary mails to package owners telling them they had to update their 2FA credentials, and used what those owners typed in to get into their accounts and publish poisoned versions of multiple packages. They sent the same kind of official mail, with lots of urgency in it, to lots of package owners, and lots of package owners fell for it.

DO NOT click links in official-sounding scary emails. All of those that purport to come from your bank, or important places like this, have actual websites you can go to directly without clicking on suspicious links. Same thing goes for phone calls from “the bank”, “social security”, “the IRS”, etc. Thank them for calling, tell them you will hang up and call them back. Then call back on the phone number from the *website* or the back of your card, not the number they called you from. (The IRS contacts you by mail first, not with an out-of-the-blue phone call; they don’t have anywhere near the human capacity for that.)

Do Your Updates, Part II

Firstly: a new Apple iOS update is out for phones/pads/Macs, and you want to take it *as soon as possible*. Not only does it fix a zero-day, that zero-day is under active exploitation. “Zero-day” means the bug was being used (or was public) before the vendor had a fix ready, i.e., they had zero days of warning; “under active exploitation” means professionals are already abusing it. Granted, the typical targets of these things are journalists, government officials, etc., but also folks working at corporate offices. Maybe even you.

One of the questions I have fielded since Do Your Updates is best distilled as “why can’t developers do it perfectly the first time”. Aside from the unrealistic expectation that an engineer not be human, there are a few reasons for this.

  1. The biggest vulnerability in any system *is the humans*, and it’s not just the humans building the system, it’s the humans *using* the system. Social engineering is the umbrella term: manipulating a person into doing something they shouldn’t. Phishing is the email/text version: messages asking you to click a link urgently, or telling you “here’s your PayPal receipt” for a transaction of several hundred dollars (designed to make you panic). The phone version is the person calling to say they’re from Chase to verify recent fraudulent activity and asking for things like your passcode or the 2FA code that just arrived. All of these rely on the target feeling *vulnerable* and on manufactured urgency.
  2. Code evolves and so does technology. There was a time when a very strong password was sufficient to guard your stuff, but then we had data breaches. So we added 2FA (two-factor authentication, e.g., when you get a text with a code to support your log in), but then we had SIM swapping, where the attacker takes over your phone number and receives your texts. So we moved to authenticator apps, and then to MFA with phishing-resistant factors (physical YubiKeys, passkeys) that are tied to the real site and can’t be relayed, etc. etc. For each fine cat, a fine rat: engineers on the malicious side are not resting, so engineers on the corporate side cannot, either.
  3. We talked about packages and post-deployment vulnerabilities in Do Your Updates. That is still a thing.
  4. There are *a lot* of ways an attacker can poke at the platform or the code:
    • They can type things into form text boxes (e.g., the box in which you give your feedback on a thing) that the application pastes straight into its database query, so the attacker’s text gets run as part of the query instead of being stored as data. This goes by a variety of terms and has a variety of methods; one of them is called SQL Injection, and it is/was the first thing I learned about cybersecurity, aside from “never share your password”, back in 2002.
    • They can do something called a “brute force” attack, which is just like it sounds: employing a pile of clients to pound the ever-loving crap out of a login (or any intake) with guess after guess until it lets them in. The same kind of flood, aimed at overwhelming the site rather than guessing its passwords, is a DDoS (distributed denial of service). Throttling (only so many attempts before it slows you down or locks you out) helps with both; 2FA blunts the guessing, since a guessed password alone isn’t enough; Captcha/Re-Captcha was meant to sort humans from bots. Except now AI can pick out all the parts that are a “motorcycle” in the image, even if you can’t. And so now engineers have to figure out the difference between a less tech-savvy person reaching for their paper-written passwords and typing those carefully but incorrectly into the little box, vs. an AI acting as such.
    • They can code up sites that *look* like the site you want to go to, with a URL that even looks like the site you want to go to, except maybe instead of an “O” it’s a “0” in the site name. You go to the site that looks legit (the attacker has scraped/copied the design from the legitimate one) and you type your login as always. Because it’s not the real site, it tells you “oh gosh we need to verify it’s you, please type in the 2FA code”, and instead of you sending that code to the real site and doing a real authentication, you are handing it to the attacker, who types it into the real site while it is still valid and is logged in as you. (This is the difference between a code you type, which can be relayed, and a hardware key or passkey, which checks which site is asking and won’t answer the fake one.)
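Here is an added example (not from the original post) of the SQL injection case from the first bullet, using Python’s built-in SQLite and a made-up feedback table. The vulnerable query pastes the visitor’s text into the SQL, so a crafted “author” comments out the filter that was supposed to hide the private row; the parameterized version sends the value separately, and the same input simply matches nothing.

```python
import sqlite3

# Added example, not code from the original post. A constructed "feedback" table
# with one row the public search is supposed to hide, queried two ways.


def make_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed rows; one is marked private."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE feedback (id INTEGER PRIMARY KEY, author TEXT, body TEXT, private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO feedback (author, body, private) VALUES (?, ?, ?)",
        [
            ("ada", "Love the site", 0),
            ("bob", "Checkout is slow", 0),
            ("admin", "internal: rotate the API key on Monday", 1),
        ],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, author: str) -> list:
    """The bug: the user's text is glued into the SQL, so quotes in it become SQL."""
    sql = f"SELECT author, body FROM feedback WHERE author = '{author}' AND private = 0"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, author: str) -> list:
    """The fix: a placeholder. The driver sends the value out-of-band; it is never parsed as SQL."""
    sql = "SELECT author, body FROM feedback WHERE author = ? AND private = 0"
    return conn.execute(sql, (author,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The "--" starts a SQL comment, so "AND private = 0" is thrown away
    # and "OR 1=1" makes the WHERE clause true for every row.
    payload = "x' OR 1=1 --"
    print("normal lookup:", search_safe(db, "ada"))
    print("vulnerable + payload:", search_vulnerable(db, payload))  # all three rows, private one included
    print("safe + payload:", search_safe(db, payload))              # [] : nobody is named "x' OR 1=1 --"
```

The fix is not quoting or escaping the input more carefully; it is never letting the input be part of the statement text in the first place. Every mainstream database driver has placeholders like the `?` above (some use `%s` or `:name`), and ORMs use them underneath.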

AI is also not going to solve our security problems (it will make some of them harder, since malicious folks have access to AI, too), but it can help. AI can be used to detect anomalies faster (in most cases you don’t have to tell your bank you are traveling, because it uses models to figure out whether that was you booking a 7-night trip to Cancun or not), or even to predict patterns for exploits. When it does, it will not be replacing the engineer or making what the engineer does perfect. This dance does not end.

So do your updates.

Burner

I recently had the opportunity to travel internationally, and to test a few things. Namely, using a “burner” phone.

To be super clear: it is very hard to do this perfectly and I did not do it perfectly. We’ll discuss some hypotheticals further down, but I felt the need to start with that. This was a test, it was only a test, and it went pretty much how one could expect it to.

Why

There’s a lot of discourse in the media about phone confiscation, personal privacy, etc.; this shows up in articles hearing about journalists being issued “burner phones” or the advice to acquire one yourself before international travel. I wanted to see firstly how that would work and secondly, frankly, if I would actually need it. I am not the target demographic for the sort of privacy harassment (yet?) that would require a burner phone (I am not a journalist and I hold no real position of power) so the likelihood I was going to have to hand over my phone to a Cellebrite was small, but not zero. How painful, then, would a burner phone experience be?

Who

This phone was just for me, in my private travel, to talk with about ten people in two countries. The number, once acquired (see “How”), was shared with those people via WhatsApp and/or Signal. The phone wasn’t used by anyone else during this period.

When

The actual phone was acquired about 3 weeks before my trip which, with life being as busy as it is, did not leave me much time to set up the necessary infrastructure. The plan was to have it set up pre-trip, test it a bit, and then evaluate it for the trip.

How

There are the “right” ways to do this for “ultimate privacy” (and I put that in scare quotes for a reason) and then there are the “okay” ways to do this for maybe 80% of scenarios, and I went with the latter. Firstly, you have to acquire a phone. You could, for example, revive an old one of yours or a family member’s, or purchase one from Swappa. I did the former, but for “perfect” you would ideally do a cash deal, off record, for someone else’s phone. Once you have the phone, you need a phone plan. You could, in theory, get a prepaid plan through a different carrier, and in some cases they don’t actually require an ID (as long as you’re paying with cash and/or a prepaid Visa card), but note that everything, on some level, is traceable. There are cameras at the phone store, there is call recording at the wireless provider, etc. I didn’t bother with that; I just added it to my current plan.

I will note here that adding a phone to your plan immediately gives it some tether to you. The phone, when added to my plan, got “my name”, and anyone with a warrant, or really good phishing, could probably divine that this “Bobbie Conti” on the burner’s line is the same “Bobbie Conti” on the primary line. They can also then probably get that other phone number, and my address, which in turn means they would already know quite a bit about me. BUT, the *phone itself* doesn’t impart all of that: in order to get there you need to do that “hop”, and either that warrant or that phish. Moving on…

If you have an Apple phone (and for security reasons I prefer them) you will need an Apple ID/iCloud account so you can load apps and suchlike. For that, you need at least an email address. For a Google email address, they like it if you have a backup email and a phone number for 2FA. So the phone comes first, but where do you get the second email address? Proton Mail. Armed with my new Proton Mail address, and then my phone number, I got a Gmail account and wired that all up to the burner. Great! I now had a phone, with the ability to load apps, text, etc., that on the surface level isn’t “me”.

A really, really driven person would have gone to a public forum of some kind (e.g., Best Buy when busy, using their demo machines) and used that computer to set up the Proton Mail account, then gone to a second one several miles away to set up the Gmail account, and so forth. I did none of that, but I did use a VPN on the machine I set them up with. That said, Google almost certainly was able to figure out it’s me, since the machine I logged in from was the same machine I use for my personal Gmail (note: my Gmail is my spam hole and I do not use it for anything important).

From here I did some final tweaking and followed some basic principles:

  • I removed location services from all the things – including even weather.
  • I deleted a bunch of apps I did not need.
  • I installed Signal. Yes, WhatsApp was on there, too, but if one has to choose, one chooses Signal.
  • I did NOT load up any other accounts (emails, etc.), and absolutely did not tether any cards/payment forms to the phone.
  • I brought my own chargers, charging cables, etc. and never hooked up to public USB, nor to any Bluetooth.

This left me with a phone I could use to search the internet (Duck Duck Go for the win), send texts/Signal messages/WhatsApp messages, and… that’s about it.

A truly driven person would probably purchase, with cash, some Visa gift cards, load those into the “wallet”, add one or more VPNs, and almost certainly would not have used WhatsApp. I know what they say about WhatsApp being private. However, WhatsApp *can* end up with your texts if a recipient reports them, e.g., if you’re being reported for fraud or abuse: the reporting party’s app forwards the recent messages in that chat to WhatsApp. The end-to-end encryption protects a message in transit, not on the endpoints, and the other endpoint is never under your control. Additionally, WhatsApp shares account and usage data with other Meta products, so if you are traveling with others who use those, the contact and proximity data (and more, if those folks are your friends and are taking pictures in which you may appear, *tagged or otherwise*) make it not much work for Meta to figure out who is holding the phone.

What

What happened was an exercise in frustration for me, and not much else.

Not having access to “tap to pay”, location services (hello, maps!), etc. made for a substandard experience compared to the one I could have had with my own phone. Instead I relied on others and/or visual directions, and on physically pulling out my card to tap it. It also meant I wasn’t getting health tracking benefits, etc. If I had been on a trip by myself and not with friends, the maps/location piece would have absolutely driven me nuts.

The phone itself received generic text message phishing (in this case offering a job), allowed me to text the group I was in, and that was about it. There was no case in which it was compromised, invaded, etc., and there was no indication that someone or thing actually cared about it (other than me). It’s hard to prove a negative, and as I said earlier, I’m not that important :).

The final curiosity was to see whether it would get plugged into the aforementioned Cellebrite on the return trip and… it wasn’t. Not a hint of it. In theory, an up-to-date iPhone that has not been voluntarily unlocked is fairly “protected” (thus far) from Cellebrite-style forensics; the protection comes from the device’s encryption and lock state rather than from Signal (a phone that has been powered off, so that its data-protection keys are no longer in memory, is in the strongest position), and nothing lasts forever. I would imagine that Cellebrite, having preemptively declared victory in the past only to have to walk back their words, would in future not advertise a capability until proven. Still, the plan had been to see whether any of the account information stored on the phone (the new emails, etc.) would show up elsewhere after a plug-in.

Addenda

You could fit the “what ifs” and caveats in this scenario into a small football stadium.

If the concern is a government acquiring the data to do things with it (whatever one might imagine those things to be) then it should be noted that so much of our data is available to JUST ANYONE at any time that it’s scary. With a first name and last name, you can search court records, find addresses, see property tax records, etc. With a social security number (which, erm, the gov’t gives you), you can run a credit report, know where someone is banked, and (if again you are said government) know their income and income streams. The things the government would (purportedly) need a warrant for would be specific financial transaction information, and possibly what calls were made at what time, to whom, and for how long. If one is to believe the news of the early oughts, the NSA is already listening in anyway. What is left, then, is the texts to/from the device itself, the contents of which both you and the person you texted have; and either of you can be compelled via warrant.

The other concern is non-government entities, or government entities that are not your own, and, in my case, again, I’m not that important :). I would imagine the same holes in the process apply to those, if not more. I also generally subscribe to the notion that one should not say out loud anything one is not willing to defend in court or another public forum.

The core scenarios in which we hear about burner phones (e.g., journalists) are different from mine: I don’t imagine journalists using tap to pay from a burner phone in the middle of a war zone, and I don’t imagine foreign officials using said burner phone to send sensitive messages (or if so, I imagine some sort of Mission Impossible self-destruct smoke thing happening). For their sakes I hope it works, but my own scenario is nothing so dire.

One should remember the name here, too: a burner phone is so named because when it ceases to be useful and/or is compromised, you burn it; the real purpose of a burner is to get a message from point A to point B and then discard it, hopefully with no traceability back to your thumbs.

You can donate to Signal here.

You can donate to Reporters without Borders here.

Now What, Part III

They say history does not repeat itself but boy howdy does it rhyme. Another quarter, and another batch of layoffs. This builds on previous guidance.

If you are Leaving

Firstly, I am sorry. I really am. Go check out Now What, and Now What II, for some initial guidance (especially about that RIF package you may or may not have gotten).

Resume

In addition to everything else in those other pages, you will want to use modern tools for modern solutions. While I do not believe AI is a golden hammer, it *can* help you brush up that resume. The key here is to use it for *parts* and then review it and add your voice and finishing touches. Things to particularly pay attention to:

  • a concise summary at the top; by concise I mean tweet-length (a couple hundred characters) concise.
  • bulleted skills list.
  • tailoring to different role types that are adjacent – a given person is perfectly capable of being a Technical Program Manager or a Product Manager, but how you slant your resume will differ for those two roles.
  • clean design – you want enough white space to not make it cramped and not so much that it creates extra pages of reading or the eye falls off the page.

Before you send it out, triple check it for accuracy, and remove any “the user” or other phrases that signal AI use.

Networking

Find local chapters and meet-ups of folks who are in the same industry/specialty as you. Yep, meetup is still a thing, as is dev.events. You may be an introvert (Hi. It’s me. I’m an introvert.) but you’ll want to get out there and network – this can lead to consulting gigs, soft intros, expanding your LinkedIn (up next), etc.

LinkedIn

OK I mean yes, you can post how you are/were impacted. And your feels. But after that you need to look at LinkedIn as a tool.

  • “Link” to those you worked with and had a good working relationship with, because now you can see jobs that get posted on their pages, by *their* network.
  • Clean up your profile like you clean up your resume: get yourself a headline, an “about” section, make sure your experience and skills are up to date.
  • Did you know you can set the “Open to Work” feature to Recruiters only?
  • Use it to find companies that say they are hiring (more on that later). When you reach out to recruiters or folks hiring, add a short note about why you’re messaging them (personalize it). It will help you stand out.
  • Take a look at your post history – is there anything there that *might* give a recruiter or a company second thoughts? I’m of a “hey if I say it at all I will shout it in a public square” mentality, but not all are.

Job Hunting

Indeed, LinkedIn, etc. all post roles that are “open”. I say “open” because you know and I know that some organizations aren’t great about their job posting hygiene, leave roles online that have been filled, or (in some cases) have “ghost” roles open. You don’t want those, you want real jobs.

If you can, look at the posting date. Focus more on applying to things posted closer to “now” than to older ones. Those are less likely to be well into the interview and/or hiring process, and more likely to be legitimate and still funded.

If you know someone who works at that company, reach out to them and ask them for a soft intro to the hiring manager, or a referral.

Stress Management

Touch grass. I’m serious: go out for a walk, make sure you’re hydrated, and so forth; this is a stressful time and stress management is going to be a requirement, because stress can impact a lot of things including your immune system. You don’t want that.

If you are Left

Yes, this sucks for you too; go see “Closure”.

LinkedIn

You get LinkedIn homework too.

  • Find the folks you know are impacted and have a good working relationship with, and “Link” them. This gives them an extended network and exposes them to more opportunities.
  • As fellow Linkies post jobs available, repost them. You don’t have to add your thoughts if you don’t want to, but reposting them extends the visibility of the opening through *your* network directly.
  • For closer impacted folks, you can help them eyeball their resume. Sometimes when you’re in the thick of a role you don’t realize all that you do, so you can be that “realizer” for your impacted friends.

Referrals

  • If your company has open positions, offer referrals for those you know would be a good fit. Referrals may sometimes feel like a black hole via the “system”, so if you can (without too much political capital) reach out to the hiring manager of the role your fellow Linkie is applying for, that can absolutely help.
  • If a position has been open for longer than 2 weeks, *definitely* check with the hiring manager if you can before referring. In the current market, that role is likely already filled or deeply in the hiring process, and it may be too late.

Stress Management

This applies to you, too, both from a survivor’s guilt perspective and from a “there’s bound to be a shuffle in the work structure or the workload” perspective. Try to maintain good sleep hygiene, get some cardio, and stay hydrated, because it’s going to be icky for a bit as you juggle what you see online and what you experience at work.

Deep breaths, and do the best you can, with what you have.

Ripping

Ask any sewist or person who works with fabric what their feelings are about their seam ripper, and they will either tell you it’s complicated or that it’s their favorite. Most of us think it’s complicated.

A seam ripper is a little tool with a sharpish-hooked edge that you use to rip seams (“it’s that easy!”). “Ripping” sounds more violent than it is — it cuts through the threads that hold the seam together whilst (mostly) preserving the fabric on either side and is used for either letting you take something that wasn’t right for you and make it right for you, or for tearing out a mistake.

In knitting, if you have to do that it’s called “frogging” and it’s where you yank the yarn free of the needles and, row by row, disassemble the knit into an unwieldy pile of yarn.

For the most part, NO ONE is having a good time doing these things. At the very best, these are an impediment to actual progress, a necessary correction on the way to doing the thing you actually wanted to do. More often, they are an admission of error, and a painstaking reminder at that. By the time you are frogging or ripping seams, you are watching as you undo dozens, perhaps scores, of hours of work. It hurts.

At the very least, though, you have control – you can choose to let the seams stay as-they-are, or you can choose to undo them and refashion them into something you want — but you choose. If you’re one of the thousands laid off last week — or millions over the last year — you didn’t get to choose (or likely didn’t). You have been forced into a Very Large and Very Painful change.

I’ve got some older posts on the practicalities of handling this situation but for the most part they do not address one of the more problematic aspects: what if you’re old?

I speak as someone who is “old”. At least, considered “old” in the workforce for technology: this year I will be 52. With the power of hair dye and wrinkle cream and soft focus and carefully applied makeup I may still be “looking” mid 40’s but the reality is I’ve been in the corporate workforce now for 32 years.

Mind you, “age” isn’t a problem for the person who has it. *I* think my brain works just fine, thank you (or at least as fine as it did some 10 or 20 years ago), but the perception on the exterior could be that I am not as “fresh” as someone younger in career, or as “raw”. (Why do we use phraseology for candidates that we would for produce?). Older folks who have been hit by the layoffs are going to have a harder time getting a new job, and that can mean a forced early retirement or a forced early cliff in finances, neither of which sound great.

The irony is, of course, that we need people to be working as long as possible to support the infrastructure our government uses to support the *really old* people. With the largest generation, the Boomers, retiring, the more of us Gen X-ers that can be kept in play, the better off “the system” will be. Gen-X has more in common with Millennials in terms of why we stay at a role, and while I don’t necessarily agree with everything in this infographic, I do think that our generation’s skeptical approach to most things, rebranded as “critical thinking” by the time I got into the workforce properly, is and proves to be quite useful.

Which is not to say the pain is solely borne by us “semi-olds”. Millennials are still paying off student loans while trying to hold a mortgage and save for their kids’ college. Gen Z are coming in with student debt and skyrocketing housing expenses. Getting yoinked out of your job, and also your health insurance, with no notice, is catastrophic. Sure, the unemployment rate, even today, isn’t as bad as it has been (the Great Recession and COVID both created huge spikes), but that is cold comfort to the person evaluating their current situation in what is hopefully a “garden leave” period.

This could be a post that tells one impacted to “buck up”, refashion that resume, pound the pavement, work your network, etc. There are plenty of those posts. This post is to acknowledge it sucks, and for some in a specific stage and circumstance, even if eventually they do get something bigger and better, it sucks hard.

Do your updates.

Usually I try to figure out a pithy title as a draw, but for the love of whichever entities you respect and/or follow, please do your software updates. Specifically do your platform updates: on your iPhones/Pads/Macs, on your Windows machines. Update your apps. When the little red notification comes on, do not ignore it, just do it.

How to Update

(If you have other devices/platforms, just use your handy dandy search engine (I use Duck Duck Go) to find how to get your updates in a timely fashion. Bonus points if you set them to install automatically.)

Why Update

There are some who believe the updates are for feature funsies: e.g., if I update my phone I will get the new AI this or the new UI that. This is true; for most “regular” updates there are some feature releases and you get to read all about those (and decide if you like them or not). There are also “bug fixes”. I feel like this does a disservice to what those fixes are: if I think of a “bug” I think of “annoying thing that happens”, I do not think of “wide open gaping hole for bad actors to waltz in through”.

Your platform updates often include security patches. Many of these patches are NOT because the engineers made a mistake when crafting the platform itself; rather, they relied on packaged convenience libraries to do some standardized work and *it is those libraries* that have problems (plenty of patches do fix the platform’s own code too, but the dependency case is the one people rarely think about). Think of it like this: the engineers baked the cake, but the problem was hidden in the flour they used; it would not have been visible when they baked the cake, and someone found out the flour had something in it long after the cake had been baked.

This happens *all the time*. There are thousands, probably millions, of little packaged-up conveniences in the software world, because writing something *from scratch* takes a very long time and it’s kind of silly if someone has already done it (and done it so well that All the Other Kids are Using It). When a vulnerability is discovered in a package, it is assigned a CVE ID (Common Vulnerabilities and Exposures) together with a description of what the vulnerability is and where it is; the accompanying advisory usually says how to fix it, which most of the time means “update to version X or later”. Companies worldwide use the CVE list, run by MITRE, and the databases built on it (such as NIST’s NVD, which adds severity scores) to understand what and where those vulnerabilities are, and how to fix them, so they can iteratively update their software and further secure it. Vulnerabilities are discovered by engineers around the world, sometimes on their own time and sometimes on their company’s time; they are written up and shared with package users to make sure they get fixed.

How Bad Can it Be?

A vulnerability or exposure gets a severity score (CVSS, on a 0 to 10 scale) that is bucketed into roughly four ratings: low, medium, high, and critical. YOU as the consumer don’t really know which basket of vulnerabilities is addressed in “bug fixes”, but the company you depend on does: high and critical vulnerabilities, and their fixes, are often why you get off-cycle security patches (ever had an update on your phone that seemed awfully soon after the last one?). These vulnerabilities are “publicly disclosed”, meaning their existence, and often enough detail to reproduce them, is disclosed as well. The analogy here is: there’s a catalogue of all the barn doors that are unlocked in your area, and anyone who uses those barns should be aware of that, and the barn owners should be aware of that, so the barn owner can lock the door. This also means that bad actors (who, let’s face it, are probably serially trying all the barn doors through the area anyway) who are lazy and did not do their homework now have a legit directory of which barns are probably unlocked.

Hence the haste.
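To make the severity buckets and the “which barns are unlocked” idea concrete, here is an added example (not from the original post) of the triage a patch-management job does for each installed package: read a vulnerability record, pull out the CVSS base score, bucket it into low/medium/high/critical using the standard CVSS thresholds, and check whether the installed version falls inside any of the affected version ranges. The record is constructed and only loosely shaped after the CVE JSON 5.x layout; the product name, vendor, version ranges, score and placeholder ID are made up and do not describe any real vulnerability.

```python
"""Triage a CVE-style record against the version you actually run.

Added example (not from the post). The record below is CONSTRUCTED and only
shaped after the CVE JSON 5.x layout (containers.cna.affected and .metrics);
the product, vendor, version ranges, score and placeholder ID are made up.
Real records carry a CVE ID and are published via cve.org and NIST's NVD.
"""
import json
import re

CONSTRUCTED_RECORD = json.loads(r'''
{
  "cveMetadata": {"cveId": "EXAMPLE-0001", "state": "PUBLISHED"},
  "containers": {"cna": {
    "title": "Constructed example: memory corruption in the flour library",
    "affected": [{
      "vendor": "example-vendor", "product": "flourlib",
      "versions": [
        {"version": "1.2.0", "lessThan": "1.2.7", "status": "affected", "versionType": "semver"},
        {"version": "2.0.0", "lessThan": "2.0.3", "status": "affected", "versionType": "semver"}
      ]
    }],
    "metrics": [{"cvssV3_1": {
      "baseScore": 8.1,
      "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
    }}]
  }}
}
''')


def parse_version(text: str) -> tuple:
    """'1.2.7' -> (1, 2, 7). Digits only; pre-release tags are dropped, which
    is good enough for semver-style ranges and wrong for exotic schemes."""
    return tuple(int(p) for p in re.split(r"[.\-+]", text) if p.isdigit())


def is_affected(installed: str, record: dict) -> bool:
    """True if `installed` falls inside any 'affected' range of the record.
    Handles the CVE 5.x range forms: exact version, lessThan, lessThanOrEqual."""
    inst = parse_version(installed)
    for product in record["containers"]["cna"].get("affected", []):
        for rng in product.get("versions", []):
            if rng.get("status") != "affected":
                continue
            lo = parse_version(rng["version"])
            if "lessThan" in rng:
                hit = lo <= inst < parse_version(rng["lessThan"])
            elif "lessThanOrEqual" in rng:
                hit = lo <= inst <= parse_version(rng["lessThanOrEqual"])
            else:
                hit = inst == lo
            if hit:
                return True
    return False


def base_score(record: dict):
    """First CVSS base score in the record, newest CVSS version preferred."""
    for metric in record["containers"]["cna"].get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in metric:
                return float(metric[key]["baseScore"])
    return None


def severity(score) -> str:
    """CVSS v3/v4 qualitative rating for a base score."""
    if score is None:
        return "unknown"
    if score == 0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def triage(installed: str, record: dict = CONSTRUCTED_RECORD) -> dict:
    """What a patch-management job computes per installed package."""
    score = base_score(record)
    return {
        "id": record["cveMetadata"]["cveId"],
        "installed": installed,
        "affected": is_affected(installed, record),
        "score": score,
        "severity": severity(score),
    }


if __name__ == "__main__":
    for v in ["1.1.9", "1.2.5", "1.2.7", "2.0.1", "2.0.3"]:
        print(triage(v))
```

Note the two things this does not do: it does not consult the real CVE or NVD feeds (a production job would), and its version parser ignores pre-release tags, so a “1.2.7-rc1” would be treated as the fixed 1.2.7. Both are the sort of gap that makes “it says we’re patched” worth double-checking against the vendor’s advisory.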

These vulnerabilities are discovered and there is a Very Short Window (the “coordinated disclosure” or embargo period, commonly on the order of weeks, with 90 days a frequently used limit) in which the companies that use the affected code get a heads up on fixing it and getting those fixes out before it shows up in the public discourse. (Meaning, the CVE record isn’t published until the organizations and libraries that depend on fixing it have at least had a *chance* to fix it.) This means that the original discoverer(s) of the vulnerability know how to break in, but it isn’t available for everyone else to see: that happens after (theoretically) everything has been fixed.

“Everything has been fixed”, in this case, means that your software has been patched and updated, *or you have been asked to do an update*.

The longer you wait, the more exposed you are.

Modern convenience often comes with modern inconvenience: we have computers that are smaller than our hand that literally tether to all global knowledge, they help us stay in communication with others and they help us track our lives and livelihoods. They also are fragile and need care and feeding, and it can be easy to defer it in light of convenience (“oh, I won’t do the update now because it will take too long, I’ll wait until ‘later'”). Please. Don’t wait until “later”.