Another Tony Mendez book

So at some point, the copyright / Library of Congress page says 2007, Tony and Jonna Mendez wrote a book for the “Scholastic Ultimate Spy Club”. It’s a basic little book written for kids, on the basics of tradecraft. The book title is “Gather Info, Getting the Scoop by Using Your Wits”. When I first saw it on Amazon, I was expecting an adult book on tradecraft, not a kids’ book.

Since the book arrived last week, without the spy glasses (mirrors on the inside), I kept asking why I paid that much for an out-of-print kids’ book. However, I went through it in one sitting tonight, since it was 32 pages, and actually was happy with the purchase. The majority of the stuff in it I knew how to do already. Not surprising, since this is written for kids. I did have some flashbacks to my own misspent youth in the 80s and 90s.

The visual sweep technique, while only one page, was really useful. I’m going to put that into more practice. Short version: stand in the door, look over the room left to right, and observe. Granted, I do something like this already, maybe not always left to right, usually as a whole, but still nice to read.

Is it worth the price you’re going to pay for it if you order from a re-seller on Amazon? No, but I bought it because I want to have all of Mendez’s books, for a proper and complete collection. Although, if it had the glasses it would have been even better. There was even a page on OSINT.

“it’s working don’t touch it, it’s not broken”

A running theme I noticed of late has been the “it’s not broken, because it’s working, so don’t touch it, you’ll break it”. John Strand mentioned it, when talking about Windows XP hitting end of life, on Paul’s Security Weekly 367. Ben Ten and I talked a little about it today in regards to Heartbleed. Lastly, I just got off a 4 year project that existed mainly because it wasn’t broke, so don’t fix it.

Here is the problem. IT / IT-Security sees something as “broken” when it is at end of life / end of service. When we can’t get parts for it anymore, when patches aren’t being made, etc., we say we have to replace it. We say it’s “broken”, or at risk, etc. However, that’s not how management sees it. They see it as a system that is still doing what it was purchased to do. It’s not broken, it’s just old but works fine.

IT / IT-Security doesn’t get to say when it’s broken; it’s the “business” that gets to say when it is broken. However, it is usually our fault, as IT, for not having a new system in place when it finally stops doing what it was purchased for. A good example is a publishing company I worked at. We had reel-to-reel microfilm duplicators; the company that made them had gone out of business. They ran NT4. The last I heard, they were still working like a champ, and the company still didn’t see a reason to invest in something new, because those were not broken, they were just old.

To a point it seems a little silly. Companies get to write off new equipment via depreciation. Investing in what they need to have to do business makes good business sense. But we live in the cut-spending-for-the-bottom-line-in-the-name-of-profit world, so we end up seeing the “don’t fix it if it’s not broke” attitude come out.

Like I said, I just finished a 4 year migration project. I only worked on it the last 9 months, but every single person I had to interact with to migrate said the same thing: this solution works, migrating will cost us time and money, we’re not moving because doing so will stop the production lines of the product the company makes. The “business” backed those people, because without justification, they said things would stop. The stance the “business” took was: the old stuff is working today; it is old, but not broken. Don’t fix it.

Preventive maintenance is like getting your teeth cleaned. You don’t do it because you like it, or because you can afford it. You do it because the cost of prevention is cheaper and less painful than the alternative. You don’t fix things when they’re broken; you fix them before they break so they don’t break. We need to learn to tell the business that in better terms than we have now, in both IT and Cybersecurity.

Crime Profiling Project

For the last several weeks, I’ve been working with three other students from Eastern Michigan University’s Information Assurance program researching and mapping the campus’s crime stats. If people take the time to look, they can find a map of the last 60 days and the daily crime logs for the last 60 days. We’re looking beyond those, but it’s interesting nonetheless.


WordPress and some security

I was recently listening to Paul’s Security Weekly episode 366: How Security Weekly got defaced, and started thinking about my own security posture around my WordPress sites. When I first created The Rats and Rogues Podcast site, I read everything I could find on WordPress security. There wasn’t much. Later, when I created this site, I still wasn’t impressed.


Credibility and Critical Thinking

One of the classes I’m taking for my General Education requirements is Psychology. It has a 1 credit hour lab, which is separate from the lecture class. The very first night of class in the lab, the professor went over credibility and critical thinking.

This week we talked about Facial Emotions and Goal Driven Imagery. He stated up front that he didn’t like either topic and was going to push through them as quickly as he could. Which is fine if you’re a professor and don’t like the topics, even if you admit that you use one in your daily clinical work.

So on the Facial Emotion (and on body language) topic he was talking about how it was bunk, and when we started talking about the work of Paul Ekman, the professor started going off about how Ekman was recently completely discredited, proven to be a fraud, etc. Now, I have a couple of Ekman’s books, and I’ve skimmed them. So I asked the professor what research he was talking about. To which he destroyed his credibility by saying he wasn’t sure.

Enter Twitter: I asked @humanhacker (Chris Hadnagy) about it. He provided quick background (after a little prodding) to @PaulEkman’s public reply. The reply also links to the original article. Both are interesting stuff.

However, my point is, if you’re an “authority” figure by being a professor, and you don’t agree with a branch of your industry, don’t show your bias and take glee in saying it’s been debunked while not having the proof to back it up. On your first night you told us to question you on that stuff. Don’t be surprised when there is a non-psych major willing to call you on it, and able to quote your sources.

Operational Security: It’s harder than it looks

So the other week, near a friend’s house, I noticed a van in the drive with a large collapsible antenna in the back and an amateur radio plate. Lots of radio amateurs get the plates. No big deal. I pulled out my phone and loaded up my QRZDroid app. It lets people look up who a license is assigned to. For example, if you look up mine it gives you my address and other pertinent info.


I doubt people are wondering…

I doubt it, but in case people are wondering why I’ve moved to more of a book review format… My class load is taking up a lot of my free time. In fact, I should be working on my Art project for EMU Gen-Ed right now (well, now when I’m writing this, not when you read this).

Doing homework is more or less preventing me from doing a lot of the things I would rather be doing. Granted, I have a nice stack of books that tie in to Information and Cyber Security to read as well. However, while my Digital Forensics class occasionally brings up interesting things to talk about, the majority of my time is spent in Psych 101 and Psych 103 (Lab). This week has been tied up with a 1 week accelerated class, and it hasn’t left time for me to do other things. It’s not as easy as the Counter Terrorism class was last year. OK, yes, my Saturdays are tied up with an interesting OSINT project, but I can’t talk about that yet.

Anyway, back to the point of this post. I know it seems like my content has gone from a really cool OSINT post (which I have at least 2 follow-ups to) to mostly book reviews, but I’m trying to kill two birds with one stone here.

I do have some topics from other books I’ve been reading (I’m usually reading more than one non-school book at a time), the project above, some follow-up OSINT posts, a paper from last year to finish watermarking and sharing on here, and a few other things. But those have to wait until I have some free time. Now… where did I put those crayons for Intro to Art?

Book Review: Infiltration Presents: Access All Areas

I’ve finally finished “Infiltration Presents: Access All Areas – A User’s Guide to the Art of Urban Exploration” by Ninjalicious (Amazon affiliate link). This is one of a handful of books I have on Physical Security, and it’s taken me a couple of years to read it, because it kept getting lost in moves and forgotten about when class loads got heavy.

I like this book because it’s about accessing the areas that are normally off limits to the public. It talks about Social Engineering, the equipment you’ll need (hint: leave the lock picks at home), but most importantly HOW to find the places to explore, and how to bypass the systems put in place. Nice alarm there, shame you disconnected it due to all the false rings.

If you have an interest in the physical side, or an interest in historical buildings and abandoned things, this is a decent read.

* Update 2024-10-05: changed to Amazon Affiliate Link, which I earn a commission from qualifying purchases.

Zero Day by Mark Russinovich and Howard Schmidt

I recently finished reading Zero Day (Amazon affiliate link). Overall I liked the concept. The end was interesting but easy to see coming. The biggest issue I had with the book, though, was that it came off under-researched when it came to the cultures.

The portrayal of foreign cultures in the book was very stereotypical of what we’ve seen from American propaganda, known as television and movies. It doesn’t fit with other books that I’ve read that have taken place in those cultures. Mostly they have been non-fiction and travel books.

Overall the story was pretty good, but it was not as good as Daniel Suarez’s books. I’m not sure if I’m going to get the book by Mark Russinovich yet.

I like the fact that we’re seeing more techno-thrillers coming on to the market, especially since they’re written by people that know the technology. They’re good reads, for general mass-market reads. It also makes what we do accessible to people outside of our industry.

* Update 2024-10-05: changed to Amazon Affiliate Link, which I earn a commission from qualifying purchases.