Wednesday, November 8, 2017

Sears Failed: We're Not a "Stuff" Society Any More

Sears failed. They had great stuff, the best tools, they stood behind their products. Lots of theories about why they failed, but I have a hypothesis: we're just not that "into" stuff anymore.

In the late '70's I loved music, and would lug my huge speakers, turntable, receiver to college, to co-op job. Agonizing. Now - to enjoy music requires much less stuff. A smart phone and tiny speaker with great tech delivers most of what most people want.

In the late 1980's, personal computers were purchased in huge boxes, a bunch of them. Heavy, lots of packing materials, tons of documents and paper. Now - you buy a smartphone or laptop - the purchase can literally fit in one hand.

In the 1970's, 1980's and to a lesser degree the 1990's, stuff was expensive. It was desired. Then Chinese/overseas manufacturing cheapened stuff.

Grandmas bemoan sending gifts to youngsters and not getting formal thank-you notes. The gifts they send are typically stuff. Why would a kid want stuff when stuff is now cheap and experiences, virtual entertainment and services are king? Grannies are working from a different perspective, maybe.

People aren't needing those awesome Sears tools as much. Many people don't use them at all. They get online, find a pro, make a call, get the work done.

Clothes and TVs are cheap, cars are cheaper than they used to be. Appliances, furniture, all the stuff you need to live comfortably are relatively cheap.

Minimalists suggest going around your house and getting rid of any item that does not give you joy.

Don't get me wrong. Certain items are not considered "stuff" - really nice things, luxury items, are still in high demand. Apple products, very fine wine, craft beer, online entertainment/games, fun, trendy cooking items, fashionable clothes and fine accessories are very much in demand and command top dollar. We want things that make us feel like a million bucks.

We spend huge on vacations, experiences. Not unusual to spend $500 for a really good concert.

Hell, I've heard from people my age that their kids don't even want cars. Why? Use a smart phone and get a Lyft. Safer too.

Sears didn't carry such items. Sears carried stuff.

Sunday, October 29, 2017

I Got Unfair Advantages in the '80s Entering High Tech as a Woman

Back in the '70's and '80s and '90s - women had it tough in tech. But, not as tough as now. Women in tech now, have it worse than I did back then.

In high school in the '70s, Catholic school, but I lucked out. My teacher in chemistry and physics was an amazing man, Mr. Lonnegan. He found it amusing when I whipped the guys on tests and experiments. I had male support. It made me bold.

Guidance counselor advised against Georgia Tech college choice. No surprise :( I chose Tech.

Then I got lucky again. I had to work my way to pay for college - went into the Co-op program. Found an advisor who placed me at Procter and Gamble with my roommate, figuring we could help each other out. I was so lucky. Damn, that roommate and I stuck together; we would study late into the night - she was smarter than me and I did better than I would have studying alone.

Not saying P&G experience was perfect, but it surely hardened me, working in a union factory. Again, weirdly lucky with the women on manufacturing floor supporting me and my projects. When supervisor, Gordy, went out on vacation, we had the highest production rate in history, as I was allowed to be their supervisor in his absence and I think the women were tired of Gordy and thought it was fun to make me a hero.

Graduating Georgia Tech, I had 10 job offers. Before you think it was because I was a woman, yah, no: high honors, Co-op degree with great references. I really wanted the Alcoa job, but my ex-husband wanted a PhD at North Carolina State. So I chose IBM in Raleigh.

Lucky again. Then again, back in my day, women in tech had it luckier than women now.

Tim Cook, yep that Tim Cook, was my office mate.

IBM in the early '80s treated women engineers well. I think they still do. When it came to training opps, my chain smoking anti-women manager had no choice but to give them to me. I learned CADAM, GPSS, other stuff I forget now - know this means nothing now, but at that time it was grand.

Yep, career went very well. Quit IBM 3 times, for startups. So lucky, so very lucky. In the late '90s being female in high tech was an advantage, not a disadvantage.

Long story short, I mentor young women entering tech now, I interact with men in tech on a regular basis nowadays and with exceptions, it is utterly depressing. Women are not welcomed. They are doubted, treated with disrespect.

Why though? Why? I would think by now we would be moving forward, not backward.

I had a lot of unfair advantages, but were they? Just a high school teacher who told me I was good at engineering. Just good treatment by employers. It is not too much to ask that young women in tech get this too.

I don't think they are getting the advantages I had way back then.


Tuesday, October 24, 2017

What to Do if Sexually Harassed at Work

Do not go to HR. They are responsible for protecting the company, not you.

If you are physically attacked at work or an event, call law enforcement. Physical abuse is a crime, punishable by law. Dial 911.

If it's subtle innuendo, total crap-shoot. Unfortunately, you as a victim are going to need to be smarter. You go to HR - you will likely be labelled as a trouble-maker, and it's going to impact your career negatively.

So, what do you do? Debug the problem. Find out, why is the person doing this. Attempt to work with the perpetrator to remove misunderstandings.

Assuming the perpetrator of the abuse was truly intentionally malicious - ugh. So, step one, find someone in management who you trust, and present the problem to them. It is quite likely they can solve your problem.

If you have no such trusted person in management, consider leaving your position. It's easier to find a job when you still have one.

Depressing, unfair to you as a victim, yep! But it is what it is.

Friday, August 25, 2017

Hurricane Experience - Wilma

When I was a kid in Florida, I remember trees down and people taking boats down the "roads" in hurricane Ingrid. Did not feel afraid. Many other hurricanes, no problem.

We lived on a barrier island in Boca Raton. Hurricanes have a problem getting to us because of the Bahamas. Evacuated twice; both times we just went to my brother-in-law's house and it was fine, just loss of power. Hurricane Wilma 2005 - different story.

For Wilma, we were not evacuated. It ended up terrifying.

Wilma was deemed not a risk. After evacuating twice in the past couple years, we were pretty happy.

Here's what happened. We were in our billiards room playing pool and noticed my car getting pounded by debris. It was parked out front. I ran out to pull it into garage, and a 70 pound palm frond narrowly missed me going 80 MPH. Ran back inside, screw the Infiniti.

We went to sleep. Middle of the night, wind was howling, transformers were popping, trees were falling, hitting the house.

In the family room, the sliding glass doors were arcing due to wind. We watched our screened porch over the pool fall - and parts of it were swinging violently toward the sliding glass doors.

Walked from window to window, watching fences fall, trees fall. Didn't see the neighbor's roof land in our backyard - saw that in the morning.

My ears popped. It was life-threatening bad. We went to the most reinforced bathroom to wait it out.

It was bad. Remembered seeing Andrew tragedy, which we missed by being in Boca Raton.

So, we got through it. Took in a professional chef who had his roof destroyed. Best move ever - he was master of grill. We didn't have power for 2 weeks. No internet for 6 weeks. No food in grocery stores for 2 weeks.

We ate MREs. They aren't bad. Best source of food was the neighbors' freezers though. With a chef and propane, we fed the neighborhood & family for many days with the goodies from their freezers.

You can't be prepared for the smells, we took people into the house who didn't bathe for - literally weeks. No fans, no A/C - oh and the dogs, they smell too.

Anyway, on the bright side, we made it through, and made some good friends.


Monday, August 21, 2017

Mandiant “Breach”: A High-Level Case Analysis & Understanding the Data Leak

Post is from my friend https://twitter.com/CryptoCypher

What is Mandiant?

On July 31st, nameless attackers released a document claiming they breached the security of Mandiant, an American cyber security firm. In this document, attackers claimed that they had penetrated the Mandiant network infrastructure with remote access and monitoring capabilities to their analysts’ systems.

What happened?

On August 7th, FireEye, the parent company of Mandiant, released a statement denying the alleged breach within their network infrastructure. FireEye claims that the attackers had accessed one threat intelligence analyst’s online accounts through external pre-existing data leaks that included account credentials, specifically passwords. Through an internal investigation at Mandiant, the employee’s credentials were found in 8 external database breaches, many of which likely had the same login credentials as other online accounts where company data was stored. Presumably, the analyst’s accounts were accessed with stolen credentials, and the limited company data affecting two customers was stolen. Neither Mandiant nor FireEye is at fault; it is a flaw in an employee’s credential usage, which could happen anywhere.

Why do these breaches happen? Targeted attack, tarnishing brand name reputation, personal attack, etc.

I suspect this attack was executed for three likely reasons:

  1. Brand reputation: damage the company’s reputation
  2. Personal vendetta: damage the analyst’s reputation through a dox-oriented effort
  3. Publicity: advertise the #LeakTheAnalyst hacking campaign

Brand reputation is easily tarnished through the media. Even if allegations are false, it will not look good on any company’s reputation. FireEye and Mandiant handled this particular situation well by offering public transparency in their investigations, explaining that their network infrastructure and customer data is safe.

Personal vendettas often lead to people being digitally attacked with the intent of negatively impacting the victim’s life through exposure of information via doxing or other tactics. The goal of a targeted attack like this could be to cause internal politics with a victim’s employer or future employers who search for their name on Google, or even to simply bother the victim.

Publicity for the attacker’s #LeakTheAnalyst campaign could have also been the goal of this targeted attack. By claiming responsibility for the attack through the hacking campaign, the media will do the rest of the work for them by spreading their message.

Regardless of the reason, we need to look at how these targeted attacks are happening. The answer is loud, clear and nothing new to the security industry: people are re-using passwords, and as a result, personal accounts are being accessed for data exfiltration.

What data is included?

It is important that we understand how exactly data is stored in databases. Every field included during the account registration process will also be included as a field in a database entry. Here is an example of what the database entries look like to hackers and administrators behind the scenes:

hackforums.net.sql:     ,(37337, 'Cypher', '7274ed7f77a35fc8b090a36df4e8535c', '7NSymPAH', 'j7fFx7OGpz1F69mPi1NV8c65kCKi4mXrqVvOsbfd2ygZNWnypY', 'crypto@cypher.ca', 0, 0, 0.00, NULL, NULL, NULL, 2, NULL, 0, NULL, 1296257475, 1296314097, 1296314097, 0, NULL, 0, NULL, NULL, NULL, '1-1-1992', 'all', NULL, NULL, 1, 0, 0, 0, 1, 2, 0, 'linear', 1, 1, 1, 1, 0, 0, 0, NULL, NULL, -8, 0, 0, NULL, NULL, 0, 0, 0, 0, NULL, NULL, NULL, 1, 0, 0, '75.46.83.65', '99.138.48.174', 1670000814, 1261327169, NULL, 2555, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, NULL)

In this fabricated sample using the HackForums.net SQL data format, we can see multiple things:
  • User ID: 37337
  • Username: Cypher
  • Password (MD5 hash): 7274ed7f77a35fc8b090a36df4e8535c (cracks to: @cryptocypher)
  • Email: crypto@cypher.ca
  • Date of birth: January 1st, 1992 (1-1-1992)
  • Past IP addresses:  75.46.83.65, 99.138.48.174
  • Other random data

Naturally, people use the same passwords on multiple accounts. Once that hashed password that we obtained from a third-party database is cracked, that is when unauthorized access to social media, cloud storage, email accounts, government documentation, and whatever more could be accessed with similar account credentials.

There is a lot of information contained in these accounts: private messages, personally identifiable information, corporate documents, project source code, and more. As a result, doxes are created (i.e. the Mandiant employee), companies are attacked (i.e. Mandiant), identities are stolen, competitors can steal project ideas, and reputation is tarnished all-around for all parties involved once attacks are carried out.

How can this data be obtained? LeakedSource, HIBP, etc.

Public services like HaveIBeenPwned (HIBP) are freely available to check whether any of our information is in any known public data leaks. As of the time of writing, HIBP has data including:

  • 228 hacked websites
  • 3,999,249,352 account entries from leaked databases
  • 53,121 pastes containing personally identifiable information
  • 50,181,662 pastes containing account information

Among these breaches, data is included from LinkedIn, VK, DailyMotion, Brazzers, and even websites as old as Neopets. For an extensive list of websites who have experienced data leaks, you can either check this page on HIBP or visit “The Breached Database Directory” hosted by Vigilante.pw.


The Vigilante.pw breached database directory data statistics.

There are also paid data search engine services that frequently come and go due to legality issues. These services operate similarly to HIBP, but they actually show the parsed data, based on account entries like the HackForums SQL entry example displayed above. A popular example would be LeakedSource, who sell data for any of their 3,109,103,084 accounts on record. There are also data trading rings where cyber criminals trade data among themselves.

How can I prevent an attack like this from happening?

Do not use the same password. But really, take advantage of two-factor authentication where possible, try to use different passwords if you can remember them, and use a password manager like KeePassX for the passwords that you cannot remember.

Inevitably, companies will be vulnerable to these types of attacks for as long as passwords are used to authenticate account ownership. In that respect, the fault lies in human error. Tech folks should raise awareness in their offices by using examples like the Mandiant case to explain to directors and co-workers the dangers of poor password management hygiene. Penetration tests including phishing attempts on employees could also be considered.

Companies could also consider using these public data services to their advantage if they are legally capable of doing so. I propose that security departments start scanning these third-party database leaks to find information tied to their own domain and employees. This will ensure that our employees and clients are aware of the leaked data prior to an adversary having the chance to take advantage of this information. LeakedSource offers API services for this, but a lot could be done in-house if the data can be found in a public archive.
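To make the dump-row walkthrough above and the in-house leak scan proposed here concrete, the following is an added Python example. It is not from the original post, and it is not LeakedSource's or HIBP's API; it parses rows in the same MyBB/HackForums INSERT format shown earlier, keys on the leading columns (uid, username, MD5 password, salt, login key, email) by position, and reports any account on a watched company domain together with which sensitive fields the leak exposes. The first dump row is the post's own fabricated row; the second row, the domain example.com, the address 203.0.113.7, the salt and the login key are constructed placeholders, and the hash in that row is md5("password").

```python
import re
from typing import Dict, List, Optional

# Constructed sample dump. Row 1 is the post's fabricated HackForums row.
# Row 2 is added here (placeholders: domain example.com, RFC 5737 address
# 203.0.113.7, salt and login key; hash is md5("password")) to exercise the
# domain match and SQL '' quote escaping. Real MyBB rows have ~80 columns;
# row 2 is shortened, which the position-based parser tolerates.
SAMPLE_DUMP = """\
hackforums.net.sql:     ,(37337, 'Cypher', '7274ed7f77a35fc8b090a36df4e8535c', '7NSymPAH', 'j7fFx7OGpz1F69mPi1NV8c65kCKi4mXrqVvOsbfd2ygZNWnypY', 'crypto@cypher.ca', 0, 0, 0.00, NULL, NULL, NULL, 2, NULL, 0, NULL, 1296257475, 1296314097, 1296314097, 0, NULL, 0, NULL, NULL, NULL, '1-1-1992', 'all', NULL, NULL, 1, 0, 0, 0, 1, 2, 0, 'linear', 1, 1, 1, 1, 0, 0, 0, NULL, NULL, -8, 0, 0, NULL, NULL, 0, 0, 0, 0, NULL, NULL, NULL, 1, 0, 0, '75.46.83.65', '99.138.48.174', 1670000814, 1261327169, NULL, 2555, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, NULL)
hackforums.net.sql:     ,(40001, 'O''Brien', '5f4dcc3b5aa765d61d8327deb882cf99', 'Qx91bTzp', 'loginkey-placeholder', 'J.OBrien@Example.com', 0, NULL, '1-1-1990', '203.0.113.7', NULL)
"""

# One SQL literal: single-quoted string (with \' or '' escapes), NULL, or a number.
TOKEN_RE = re.compile(r"""'((?:[^'\\]|\\.|'')*)'|(NULL)|(-?\d+(?:\.\d+)?)""")
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def unquote(raw: str) -> str:
    """Undo SQL string escaping: both \\' and '' denote a literal quote."""
    return raw.replace("\\'", "'").replace("''", "'").replace("\\\\", "\\")


def parse_values_tuple(line: str) -> Optional[List[Optional[str]]]:
    """Return the literals inside the (...) tuple on one dump line; NULL -> None."""
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        return None
    values: List[Optional[str]] = []
    for m in TOKEN_RE.finditer(line[start + 1:end]):
        text, null, number = m.groups()
        if null:
            values.append(None)
        elif number is not None:
            values.append(number)
        else:
            values.append(unquote(text))
    return values


def row_to_record(values: List[Optional[str]]) -> Dict[str, object]:
    """Map the leading MyBB user columns by position (uid, username, password,
    salt, loginkey, email); collect IPv4 strings from anywhere in the row."""
    return {
        "uid": values[0],
        "username": values[1],
        "password_hash": values[2],
        "salt": values[3],
        "email": values[5],
        "ips": [v for v in values if v and IPV4_RE.match(v)],
    }


def exposed_fields(rec: Dict[str, object]) -> List[str]:
    """Name the sensitive fields an adversary now holds for this account."""
    exposed = []
    h = rec["password_hash"]
    if h and MD5_RE.match(str(h)):
        exposed.append("md5_password_hash")  # fast unsalted hash: assume crackable
    if rec["salt"]:
        exposed.append("salt")
    if rec["ips"]:
        exposed.append("ip_history")
    return exposed


def find_watched_accounts(dump_text: str, watched_domains) -> List[Dict[str, object]]:
    """Rows whose e-mail is on a watched domain or one of its subdomains."""
    watched = {d.lower() for d in watched_domains}
    hits = []
    for line in dump_text.splitlines():
        values = parse_values_tuple(line)
        if not values or len(values) < 6:
            continue  # malformed or too short to carry the email column
        rec = row_to_record(values)
        m = EMAIL_RE.match(rec["email"] or "")
        if not m:
            continue
        domain = m.group(1).lower()
        if domain in watched or any(domain.endswith("." + d) for d in watched):
            rec["email"] = str(rec["email"]).lower()
            rec["exposed"] = exposed_fields(rec)
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_watched_accounts(SAMPLE_DUMP, {"example.com"}):
        print(f"{rec['email']}: user {rec['username']!r}, exposed {rec['exposed']}")
```

Nothing here cracks a hash; the output is the list of employees whose accounts appear in a leak and what an attacker can now try to reuse, which is what a security team needs to trigger a forced reset, a 2FA check and a conversation about password reuse before an adversary does the same search.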

We can also set up Google Alerts to alert us whenever content is archived by Google containing specified pieces of personally identifiable information. There is also a HIBP email list that we can subscribe to so that we are alerted whenever our email is discovered in future data breaches. These are all preemptive steps that we can take to ensure our personal information’s security.

Conclusion


People everywhere are gaining unauthorized access to places that they should not be able to access due to poor password practices. We need to educate our users, actively test our own company's security, and search for company emails that are included in third-party data breaches. People are constantly accessing company and political data that they should not be accessing, and it is all preventable.

Monday, May 15, 2017

How Snake People Can Have Wealth, Not Money

OK first thing, you will not like this advice if you're a fun-loving millennial. You will get older though, and what really sucks is being a poor old person. We do not want this; as much fun as you're having now, that outcome needs to be avoided. Caveat, like everything, pick and choose what you are willing to do of these ideas. Here goes if you're still listening:

- When you sell a house, if you've lived in it 2 of past 5 years, those gains are basically tax free in US. Had to place this high because we have made big bucks this way. See below on buying houses. BTW I freaking love houses as assets.

- Don't take on any debt. If you don't have enough $ on hand, do not buy it. Save up, and when you buy what you really want, it will mean all the more.

- Pay off student loans and any other (aside from mortgage on house) as soon as you can. Attempt to get family members to help you pay this "hangsman's noose" off - it's choking for young people!

- SPEND LESS THAN YOU MAKE (golden rule)

- Cook at home. Eat snacks at work. Avoid restaurants (yes this includes Starbucks). Enjoy avocados and other healthy foods, at home. Eat lavishly at home - enjoy life. I recently spent $500 on a fancy doctor to get this advice: eat whole foods you prepare at home. See, you've already saved $500, and made it more likely you'll live to be a rich old fart, should you do this :)

- If you do eat at a restaurant, take home leftovers and eat them dammit

- Try to get rid of your car. If you don't live by public transportation, you may have to temporarily drive a very unimpressive car. No worries, the best people you will know will like you for you, not your stuff.

- Buy energy-efficient minimally-polluting stuff. Even if a bit more expensive. So far, we just have this one earth.

- If work offers 401K max it. Nevah walk away from matching funds too. After tax it's pretty good.

- No pets - too expensive when you're young. If you need a fix, help a friend out by petsitting :)

- Any roommate must pay rent. Exception being a roommate who cooks and stuff, maybe in school. Just avoid people who take advantage of you :( Later in life, when you can afford it, help such people out.

- Don't f-up a windfall (co goes public or inheritance, etc) - bank most of it and party / splurge with 5- 10% maximum.

- At your age, equities are the play. Find a fund with research and don't necessarily trust financial advisors. Always diversify and don't put all of your eggs in one basket. Buy equities and other investments over time, not all at once. Things change, and plunking down a lot of dough at one time has always failed for me.

- Negotiate for more when taking a job. Don't be afraid to ask for a raise.

- No expensive hobbies - the idea is to have money and time for that when you're old and rich.

- Don't buy watercraft. Find friends who have boats and buy the beer. They are holes in the water the owner pours money in.

- Children are expensive. Maybe just have one - people say you should wait, but it's OK to have one or even two when you're young. Kids will make you tougher (and softer).

- Furniture is not an asset. It's an expense. Same with jewelry. Don't get me started on expensive knick-knacks. Ugh.

- Buy clothes at a Goodwill or summat in a great neighborhood. That stuff rocks. If you are leery of used clothing, just go to conferences and collect that swag - which tends to include clothing :)

- Anything called a "loan" you make must be considered a donation. Loaning money to friends is a super bad idea :(

- Home buying tips:
  • Location. Buy where people will want to live when you sell. Buy worst house with good bones in great neighborhood. Way to figure out bones on house is looking at attic and basement. That's the part fancy realtors won't get seller to fix. Look for watermarks in garage.
  • If you're up to fixing up, do it. Weigh data on the investment on home improvement vs. return. A great neighborhood weighs in.
  • Consider privacy - land is king
  • Watch those HOAs and arrangement where you can be arbitrarily "assessed" for big money.
  • Look for property that comes with land you can subdivide and sell later (never have done that, but way population is increasing, might be a good idea).
  • If you get a bad vibe on neighborhood - listen to it
  • Even if a house is worth $500K one day, no guarantee it will be that way a year from now. If you're way up, do like in Vegas and pull your chips off the table. Real estate bubbles suck.
  • First home likely not the one you stay in for life. I've owned 14 houses so far. Then again, I *like* houses! Property is an asset, not an expense.

- If you've made a bad investment suck it up and move on. I've stuck with bad investments before - it doesn't work. Chalk it up to experience. Hesitate to make investments "friends" prod you to do. Take care.

- Don't smoke cigarettes, drink or do drugs. If you must, these expenses are in the "Exception - Cheating Allowance" category. Feel guilt for this and do what you must to make it up to the older you who wants to be wealthy.

- Think about being self-employed (contractor) Self employed upside - write off all the stuff you shouldn't be doing (see aforementioned). Downside - complicated and no bennies. Upside is you are young and unlikely to have huge healthcare expenses. Get a good tax guy if you do self-employed option.

- Don't be a douche - if you go to dinner or drinks, pay your fair share and a little plus. These are friends. Getting to wealth over money entails loyalty and being a good person. If it's a work event - don't pass it up if the exec pays, because they can likely expense it.

- New cars: don't do it. You will pay a premium. I did that once, never got satisfaction. Now I buy 2-3 YO cars from CarMax. Cars are an expense, not an asset. The kind of people who think well of you for having a new car, well - suboptimal, because they might not be very smart :(

- If you do have debt, consider this https://en.wikipedia.org/wiki/Debt-snowball_method - Kk but try to avoid this debt situation :)

Money does not relate directly to the fun you will have. Remember that. Stupid purchases will ultimately make you feel stupid. Some of these ideas seem no-fun at this time. But think of the older you, and how bad it would suck to be old AND poor someday. Having said that, travel, enjoy life, but think about that older person you will be, and be smart about your finances.