Frederick Douglass once said: “The limits of tyrants are prescribed by the endurance of those whom they oppress.” This is a universal truth. We get as much tyranny as we are willing to endure without taking action. That’s what caused me to write the post about workplace violence from today.
It’s also caused me to write my opinion on the Taqueria shooting in this post. We all know the story. A man is sitting in a restaurant enjoying dinner when an armed robber comes in. The armed robber takes everyone’s money, and our hero pulls his weapon and smokes his ass. Now the law is talking about prosecuting the hero.
There has been a lot of debate as to whether or not the man should have taken as many shots as he did. I will grant you that the law says shooting someone who is down and out of the fight is illegal. That’s where I have a problem. See, the dirtbag who was killed had already murdered one person while committing a similar robbery in 2015. He shot and killed a man and saw his charges pled down to aggravated robbery, for which he was sentenced to 15 years in prison. He served only about a third of that reduced sentence. For killing someone, he served about 5 years in prison. Keep in mind that there are people who committed the crime of trespassing in the US Capitol during the J6 protests who are still in prison awaiting trial two years later.
We as a people should decide that we have had enough. The law is not there to protect law abiding people from criminals. There are many more law abiding citizens than there are criminals. No, police are there to protect accused criminals so that they are ensured of getting a fair trial.
That system is broken. Now the criminals are getting more lenient punishment than are the law abiding.
I will never get put on a jury because I am a gun owning, employed white male. However, if I ever was, no one who takes out the trash like this would EVER be found guilty. I wouldn’t care if he had tied his hands behind his back and put a bullet behind his ear. As far as I am concerned, that would have been a public service.
Perhaps his lawyer can make the case that the critter, having been shot 8 times was already dead, and therefore his client’s only violation of the law was abuse of a corpse, then plea it down to something else like vandalism.
I firmly believe that no employee should have to sit at work and be threatened with physical violence. While at work, I am threatened with violence against my person and family several times per week. Since I was suspended for the patient’s accusations the week before Christmas, I have been threatened at least three more times.
A Baker Act patient said that she would follow me home to see where I lived, then return to my home while I was at work to murder my entire family. She kept saying “you just wait until I catch you out in public.” I demanded that management call the cops. They did, but the police did nothing but take a report. That’s fine. At least there is a record if I have to smoke the crazy bitch at the end of my driveway. I carry nearly everywhere when I am not at work. “Catching” me outside of work and attacking me would be a critical, terminal failure in her victim selection process, but still expensive and time consuming for me.
The very next day, a patient came in with a complaint that aliens mutilated his genitals and he wanted them removed. When the Doctor discharged him, he said that if I didn’t let him stay, he would kill me. I had security remove him. He came back in 3 hours later and security refused to do a thing about it. Finally, four days later, he was Baker Acted and sent to a mental health facility.
Later that same night, a man came in and demanded to be permitted to see his wife, who had been brought in by ambulance and was off at radiology getting an X ray. I told him that she would be back in about 10 minutes, but he wanted to be taken to her NOW. I told him to have a little patience, and he replied that if I didn’t take him to her, we were gonna have a problem. I told him that if he wanted to issue threats and cause a scene, I would have security remove him. He kept yelling, so I had him tossed out.
One of the nurses that I work with told me that I have too short of a fuse when it comes to threats, and I need to understand that most people are just venting and don’t really mean it. I agree that most people don’t mean it, but how do you really tell the difference? Why should I have to? If a person has so little impulse control that they can’t stop themselves from issuing threats of death or physical violence every time something doesn’t go their way, when does it stop?
My hospital, like most employers, doesn’t permit concealed carry for employees. So what happens when one of these people who doesn’t mean it comes in and decides that they DO mean it? The one who pays the price for misjudging the idiot’s ill intent is me, but certainly not my employer.
It’s the attitude displayed by this fellow nurse that results in no one saying anything when a mass shooter turns out to have been saying all sorts of disturbing things, and people inevitably say “Why didn’t anyone report this before he snapped and killed half a dozen people?”
That’s my problem with the cop who threatened to kill me before physically attacking me. The police wouldn’t press charges because they said that the man had a medical problem and was delusional, and therefore wasn’t responsible for his actions. OK, I can see that. But then why is someone who isn’t and can’t be responsible for their violent actions still permitted to carry a weapon under LEOSA because he is a retired cop?
It isn’t just my employer, it’s most employers. They have taken the attitude of “the customer is always right” to the extreme, and now we see attacks and threats by customers becoming commonplace. Why is that? Because our legal system absolves employers of liability for customers’ actions while at the same time punishing employers by making them liable for the actions taken by employees in self defense. It sets the stage for employees being more easily and cheaply replaced than violent customers.
When I was younger, I was told that locks are there to keep honest people honest. I look at passwords the same way. Make your passwords as secure as they can be, but know that a thief can target you and take your stuff with enough effort. Just try to make your stuff harder to steal than other people’s stuff. They will move on to more easily stolen loot.
Hackers have advanced to using computers to crack passwords. The black hats are using GPUs and PCIe SSDs to attack large numbers of passwords in a short period of time, using a method that is very similar to, and much more lucrative than, Bitcoin mining. When you have to guess from billions of combinations, computer assistance is required, and computers are very good at it. These tools are easily downloaded from the Internet, and each tool has its pros and cons.
Here is a list of the most popular password cracking tools.
1. John the Ripper
Featured in many popular password cracking tool lists, John the Ripper is a free, open-source, command-line application. It’s available for Linux and macOS, while Windows and Android users use a version of the software called Hash Suite.
John the Ripper supports a massive list of different cipher and hash types, covering:
Unix, macOS, and Windows user passwords
Web applications
Database servers
Network traffic captures
Encrypted private keys
Disks and filesystems
Archives
Documents
There’s also a Pro version with extra features and native packages for the supported OSes. Word lists used in password cracking are sold commercially, but free options are available as well.
2. Ophcrack
Ophcrack is a free and open-source password cracking tool that specializes in rainbow table attacks. To be more precise, it cracks LM and NTLM hashes, the former being used by Windows XP and earlier OSs and the latter by Windows Vista and 7. NTLM is also available, to a certain degree, on Linux and FreeBSD. Both of these hash types are insecure – it’s possible to crack an NTLM hash in less than 3 hours with a fast computer, but there are still companies out there that use this hash, simply because they are too cheap to upgrade to newer, more secure software.
As you can see in the screenshot above, it took Ophcrack merely six seconds to crack an 8-symbol password using a rainbow table that covers lowercase letters, uppercase letters, and numbers. An 8-symbol password using upper, lower, and numerical characters has 62^8 combinations (218.3 trillion possible combinations). Doing nothing more than adding in symbols and increasing the number of characters to 10 would make the password 500 million times more difficult to crack. That six seconds becomes 5,700 years.
The password 9136668099 is 10 characters long and only made of numerical characters, and took 4 days to crack. Imagine how much longer that would have taken, had upper, lower, and special characters been added.
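To make the arithmetic behind those keyspace figures reproducible, here is an added example (not code from the original post) that computes the number of candidates for a given length and character mix, the equivalent entropy in bits, and the worst-case time at an assumed guess rate. The 33-symbol class (printable non-alphanumerics, space included) and the 1 billion guesses per second rate are assumptions chosen to make the numbers concrete; real rates depend entirely on the hash type and the hardware.

```python
# Added example: keyspace, entropy and time-to-crack arithmetic for password
# policies. Not from the original post; character-class sizes and the guess
# rate used at the bottom are assumptions.
import math

# Printable ASCII character classes. "symbol" counts the 32 printable
# punctuation characters plus space; other policies count differently.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

ALNUM = ("lower", "upper", "digit")
ALL_CLASSES = ("lower", "upper", "digit", "symbol")


def alphabet_size(classes) -> int:
    """Number of distinct characters available when these classes are allowed."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length: int, classes) -> int:
    """Number of distinct passwords of exactly `length` characters.

    This is the upper bound an attacker must search for a truly random
    password; dictionary-based passwords fall far short of it.
    """
    return alphabet_size(classes) ** length


def entropy_bits(length: int, classes) -> float:
    """Equivalent bits of entropy for a uniformly random password."""
    return length * math.log2(alphabet_size(classes))


def seconds_to_exhaust(length: int, classes, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(length, classes) / guesses_per_second


def scale_factor(length_a: int, classes_a, length_b: int, classes_b) -> float:
    """How many times larger policy B's keyspace is than policy A's."""
    return keyspace(length_b, classes_b) / keyspace(length_a, classes_a)


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = (
        ("years", 365.25 * 86400),
        ("days", 86400.0),
        ("hours", 3600.0),
        ("minutes", 60.0),
        ("seconds", 1.0),
    )
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second, purely illustrative
    for length, classes in ((8, ALNUM), (10, ("digit",)), (10, ALL_CLASSES), (20, ALL_CLASSES)):
        print(
            f"{length:2d} chars, classes {'+'.join(classes):28s}: "
            f"{keyspace(length, classes):.3e} candidates, "
            f"{entropy_bits(length, classes):5.1f} bits, "
            f"worst case {human_time(seconds_to_exhaust(length, classes, RATE))}"
        )
    print(f"10-char all-class vs 8-char alnum: {scale_factor(8, ALNUM, 10, ALL_CLASSES):,.0f}x larger")
```

The 8-character upper/lower/digit case reproduces the 62^8 figure from the text; the script also shows how much of the gain from a longer, symbol-bearing password comes from length rather than from the extra character class, which is the practical argument for a password manager that generates long random strings.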
This tool comes with free Windows XP/Vista/7 rainbow tables and a brute force attack feature for simple passwords. Ophcrack is available on Windows, macOS, and Linux.
3. Cain and Abel
Downloaded almost 2 million times from its official source, Cain & Abel is another popular tool for password cracking. But contrary to John the Ripper, it uses a GUI, making it instantly more user-friendly. That and the fact that it’s available on Windows only makes Cain & Abel a go-to tool for amateurs, also known as script kiddies.
This is a multi-purpose tool, capable of many different functions. Cain & Abel can act as a packet analyzer, record VoIP, analyze routing protocols, or scan for wireless networks and retrieve their MAC addresses. If you already have the hash, this tool will offer a dictionary or brute force attack option. Cain & Abel can also display passwords that are hiding beneath the asterisks.
4. THC Hydra
The biggest selling point of THC Hydra is the large number of protocols it supports. This is an open-source network login password cracking tool that works with Cisco AAA, FTP, HTTP-Proxy, IMAP, MySQL, Oracle SID, SMTP, SOCKS5, SSH, and Telnet, to name but a few.
The methods available with THC Hydra include brute force and dictionary attacks while also using wordlists generated by other tools. This password cracker is known for its speed. It can even run checks on different protocols simultaneously. THC Hydra is available on Windows, macOS, and Linux.
5. Hashcat
The world’s fastest password cracker, Hashcat is a free open-source tool that’s available on Windows, macOS, and Linux. It offers a number of techniques, from simple brute force attack to hybrid mask with wordlist.
Hashcat can utilize a computer’s CPU and GPU at the same time. This makes cracking multiple hashes simultaneously much faster. But what makes this tool truly universal is the number of supported hash types. Hashcat can crack MD5, SHA3-512, ChaCha20, PBKDF2, Kerberos 5, 1Password, LastPass, KeePass, and many more. In fact, it supports over 300 hash types.
But before they can crack your passwords, black hats need to have the password hash. Here are some of the most popular tools for obtaining hashes:
Mimikatz. Known as a password audit and recovery app, Mimikatz can also be used for malicious hash retrieval. In fact, it can also extract plaintext passwords or PIN codes.
Wireshark. Wireshark enables packet sniffing. It is an award-winning packet analyzer used not only by hackers but also by business and governmental institutions.
Metasploit. This is a popular penetration testing framework. Designed for security professionals, Metasploit can also be used by hackers to retrieve password hashes.
The best defense against password cracking is using a strong password. Using enough symbols and different types of characters ensures that even the fastest computer won’t crack your account in this century. And since remembering multiple strong passwords is unlikely, the best bet is to use a reliable password manager. Multi-factor authentication (MFA) is still a pain in the rear for any hacker, so adding that to your arsenal will go a long way to making things more secure. More on MFA later.
How did they do that? Because of the overly broad wording of their new assault weapons ban (edited to clean up the text to make it more readable, but not change the wording):
(3) "Assault weapon" means:
(snip of irrelevant sections A and B)
(C) A semiautomatic rifle that can accept or can be modified to accept a detachable magazine and has at least one of the following: (i) A folding, telescoping, or collapsible stock. (ii) Any grip of the weapon, including a pistol grip, a thumbhole stock, or any other stock, the use of which would allow an individual to grip the weapon, resulting in any finger on the trigger hand in addition to the trigger finger being directly below any portion of the action of the weapon when firing.
emphasis added
Now picture any semiauto rifle you can think of. Now tell me which one, if any, sees the pinkie finger of the trigger hand not being below the action of the rifle.
Thus, all semiauto rifles in Illinois are now legally defined as assault weapons and are thus illegal to possess, transfer, or own.
So I decided to take the new 1911 with me to range morning. I arrived at the range with my EDC pistol, the new 1911, 100 rounds of 9mm, and some CCI Blazer in .45ACP. I set up my lane, loaded a magazine with 5 rounds of .45, and squeezed off the first mag full of ammo when I felt a tap on the shoulder. It was the range officer telling me that only brass cased ammo is permitted at the range. But if I wanted to buy some .45 ammo, they had some for sale at $40 a box.
American Eagle at 80 cents per round? I can buy that elsewhere for 54 cents per round, and can buy PMC brass cased at 46 cents per round. No thanks. I don’t want to sound like an old man, but I remember when .45ACP was $8 a box, and that wasn’t all that long ago.
I had to switch to the 9mm and finish my shooting for the morning. After I was done, I asked the RSO why the ammo restriction. It’s because the range sells the used brass to a recycler, and they can’t sell steel or aluminum cases. So not only do they sell the ammo at nearly double the going rate, but they are selling the brass and making more money there.
I would love to find another gun range, but this one is only 20 minutes from my house, and there is only one other range within a half an hour’s drive. That second range is owned by a dishonest meatsack that I wouldn’t trust to sell me a stick of gum. So I can either suck it up and get fleeced by the brass recycling buttheads at the range 20 minutes away, or I can make the 40 minute drive to the third closest range and see if they are any better.
At any rate, I am going to have to order me some brass cased .45 and try to shoot the new 1911 some other time.
So are we ready to throw Presidents in jail for retaining classified documents after they leave office? Or is that no longer a thing, now that Biden and Obama did it?
The employer claims that they weren’t tracking him, but his location just happened to show up on the supervisor’s screen. I’m betting that every employee’s location was known 24/7 with this app.
It looks like it was hardly ever fired. Wear is consistent with a pistol that had maybe a box of ammo put through it, then was put in a nightstand drawer and never fired again.
The match barrel has no wear on the bluing.
There is a 2mm scuff on the bluing near the top of the slide.
The bluing is worn around the top of the only factory magazine I have for it. The other magazine that shipped with the handgun is apparently missing.
The bluing is a bit worn on the outsides of both safety levers, and on the points at the front on both sides of the slide, as if the pistol spent a lot of time sitting in a drawer.
On the contact points of both sides of the grip safety, the bluing has rubbed off.
There is gunpowder residue on the feed ramp and the breech face. The bluing on the locking lugs is quite worn, but the lugs are in good shape.
Most of the bluing is still present on the face of the hammer.
The only thing that I can find wrong with it is that the tritium sights no longer glow, but that isn’t surprising since Para USA was absorbed by Remington in 2012, and the Para pistols were discontinued in 2015.
This thing is a boat anchor, I mean it is heavy, weighing in at 42.2 ounces with an empty magazine inserted. That makes it 10 percent heavier than a GI model. The guy wanted a good price, so I took it. I will get some new sights for it and then take it for a spin.
Here is the continuation of password security. So you have a password manager, which has some serious advantages:
You have secure passwords that are 12 to 20 characters long,
made up of upper and lower case letters, numbers, and symbols, and
are random(ish), containing no dictionary words or their variants (like p@$$woRd)
You can have a different password for every online account, stored away in an easy to use and retrieve format
You can also store answers to challenge questions in your wallet. When the bank challenges you to name your third grade teacher, you can respond with “Mrs. Smith” or you can answer the challenge with a random string of characters stored in your password wallet. Look at the “notes” field (not from my real account or wallet).
This picture is from the Internet. It isn’t my account.
Down there in the “notes” section, I will put the challenge question and its answer. I always use the “generate random password” feature to generate a random password and use that as the answer to the challenge question. Good luck guessing that, hacker bitches.
All of your passwords are secure in your encrypted password wallet. Or are they?
LastPass was recently hacked, and a black hat used the credentials of an employee who was compromised in a phishing attack to gain access to and download their entire database of encrypted user files. I’m not blaming LastPass for that one; it could have happened to any company, and to their credit, at least they came clean and let everyone know.
This created two problems for LastPass users. Now that the black hats had the files, there are two ways that they can access them:
They can try to brute force the master password for the file. This is where a strong master passphrase works to your advantage. If you are smart, as soon as you learn of the breach, you change the most important of your passwords (master password, followed by bank and email accounts, then others) before they get a chance to guess the master passphrase. By the time they have your passwords, you have already changed them and it won’t matter.
Since the LastPass encrypted file doesn’t encrypt the website URLs, only the login, password, and notes, the weakness here is that the black hat can run a targeted phishing attack similar to what was done to this Australian woman or this woman who was targeted by a man claiming to be a Chase fraud investigator. These attacks can be quite convincing.
To guard against someone compromising some or all of your passwords, you can use Multifactor Authentication (MFA). MFA is simply a second way of ensuring that the person who is accessing an account is the authorized user. The most common of those is sending a code by SMS. You enter your password, then you get a prompt to enter a code or PIN that’s sent to your phone number. After you type in the code, you’re in. Simple, right?
Simple, but it is the weakest form of MFA, because SMS messages rely on the security of phone networks and phone companies. Both, sadly, are notoriously easy to access. While some text messages are encrypted user-to-user – think iMessages between iPhones or WhatsApp messages – SMS messages are in plain text form. Plain text messages are not encrypted between sender and receiver, so if attackers can intercept the message, they can read the content. Unfortunately, SMS messages are easy to intercept. Even Microsoft is advising people to stop using SMS as a method of MFA.
It’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms. These mechanisms are based on publicly-switched telephone networks (PSTN), and they are the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong authentication now – the authenticator app provides an immediate and evolving option.
Alex Weinert of Microsoft
Don’t rely on just a password. Don’t rely on one password. There are tons of scammers out there who want access to your stuff. Keep it as secure as you can make it.
The authenticator app still relies on you being in possession of your cell phone, and in my opinion creates a single point of failure: the loss of your phone places both the password wallet and the means of MFA in someone’s possession.
I don’t worry about the three letter agencies getting my stuff. If they want it, they are going to get it. They don’t need to steal my passwords, they aren’t going to spoof my phone, and they aren’t going to use my IoT devices to spy on me. You know what they are going to do? Present a national security letter to my bank, my employer, Google, my ISP, and anyone else they feel like, and the companies involved are going to tell them anything they want to know.
The purpose of the security I am writing about is protection from scammers who aren’t the government.
Still, there will be a future post on MFA, since this one is getting a bit long. On a side note, this series of posts represents my ongoing research into ways for securing my information. I tend to research and look into things that I am adopting. I figure that you can benefit from my research efforts.