INFOSEC

INFOSEC, and its subset COMSEC, takes many forms. Included in that is the security of your persona, your online identity: bank accounts, email accounts, even access to your blog and social media accounts. I am having to tighten my information security yet again.

In 2000, I bought a car from a used car lot. The finance guy used my personal information to steal my identity. It was a financial mess. I increased security by locking my credit reports. Now you need a password to unlock and access them.

Back in 2014, my ex-gf used my passwords to steal my emails, access my social media, and stalk me. She used the information that she obtained to try and get back at me after we broke up. It created all sorts of problems. She also stole the MICR data from the bottom of my checks and used that to go on an online shopping spree.

I massively tightened my information security. The problem is that passwords are a weak spot. A password that is easy to remember is usually also easy to guess, especially when the person doing the guessing has computer assistance and a good wordlist. Humans being who they are, they fall into patterns and get lazy with passwords. Surveys routinely find that more than 80% of people reuse the same password on more than one account, and the passwords they pick are predictable. For example, here are the 20 most common passwords of 2022 (from the NordPass list):

  1. password and its variations, like password1, p@ssw0rd, etc.
  2. 123456
  3. 123456789
  4. guest 
  5. qwerty 
  6. 12345678
  7. 111111
  8. 12345
  9. col123456
  10. 123123
  11. 1234567
  12. 1234
  13. 1234567890
  14. 000000
  15. 555555
  16. 666666
  17. 123321
  18. 654321
  19. 7777777
  20. 123

Not wanting to get pwned like that, I tried using a passphrase, something like “4_$core&seVenYearsL8Tr” but it is hard to create and memorize a different passphrase for each account. As a result, I used a complicated phrase for one level of account (financial), a slightly less complicated one for email accounts, and an easier, less secure one for general things like online shopping. That didn’t work for long, because data breaches at different companies meant that one breach compromised multiple accounts. That phrase is also weaker than it looks: it is a famous quotation with letter-for-symbol substitutions, which is exactly the kind of mangling that cracking tools apply as rules on top of a wordlist. What makes a password strong is unpredictability (entropy), not how awkward it is to type or how many character types it mixes. A string of 15 or more characters generated at random, or a passphrase of five or six words drawn at random from a large word list, is strong; a disguised quotation is not, no matter how many symbols it contains.

It was then that I began using LastPass. That software is great. It uses one master passphrase to derive the key that encrypts your password file (LastPass calls it a vault) and stores the vault only in that encrypted form. The vault is encrypted with AES-256 on your own device before it is synced, so the LastPass server holds ciphertext it cannot read (though, as it turned out, some metadata such as the URLs of stored sites is kept unencrypted). This allows me to have long, random passwords like Gyhu#wyr4o3fuX6$dD83, 12 to 20 characters each, that are effectively impossible to guess: a 20-character password drawn at random from about 90 printable characters carries roughly 130 bits of entropy, far beyond any brute-force search. It’s served me well for about 8 years now. (There are others, 1password.com, for example.)

The obvious weak spot is the master passphrase. Since it has to be memorized, it is chosen by a human and is therefore nowhere near as random as the passwords it protects. If the encrypted vault falls into the wrong hands, the attacker can run an offline guessing attack: derive a candidate key from each guess, try to decrypt, and repeat, with no server to lock them out or rate-limit them. Only two things slow that down: the entropy of the master passphrase, and the cost of the key derivation. LastPass derives the vault key with PBKDF2-SHA256, and its default has been 100,100 iterations since 2018, but accounts created earlier that never updated the setting were found to still be at 5,000 or fewer, which makes every guess twenty times cheaper.

In December 2022 LastPass disclosed that an attacker, using information taken in an earlier compromise of a developer account, obtained access to its cloud storage and copied backups of customer vault data. The copies contained unencrypted customer information (names, billing addresses, email addresses, telephone numbers, IP addresses, and the URLs of the sites stored in each vault) alongside the encrypted vault fields (usernames, passwords, secure notes). This is a major breach. The email address identifies the owner and doubles as the salt in the key derivation, so an attacker can target a specific person with a wordlist built from what is known about them, and the unencrypted URLs show which vaults hold bank or brokerage logins and are therefore worth the CPU time.

I saw this and was worried about my files being compromised, so I spent several days changing all of the passwords in my and my wife’s password wallets, thus making the compromised passwords outdated and useless. We also changed the master passphrases for our wallets. It appears as though we have come through the breach unscathed and our accounts remained secure. The weakness of this system was a single point of failure that was even discussed when I last posted about password wallets, but I considered it to be a low risk at the time.

Now that the black hats are doing things like this, I am worried about a similar event in the future, so we will be upgrading security again. It’s a major problem. In fact, 31% of people in the US have reported being the victims of a data breach within the last 18 months. Nearly two thirds of breaches are due to stolen or weak passwords, and 85% of cyber breaches involve a human element, such as phishing or reused passwords, so it is important to find a more secure way to authenticate. Currently, the most secure way to lock your information is to use multifactor authentication (MFA). The idea behind MFA is to require more than one independent proof that you are the proper user of an account, drawn from different categories: something you know (a password), something you have (a phone or a hardware key), or something you are (a fingerprint). Two passwords are not two factors; the second proof has to fail in a different way than the first.

The first level of authentication in accessing any electronic account is user name and password. As we have been discussing, this is not a very good way of securing high value stuff. Sure, it may be fine for securing access to your CVS frequent shopper card, but it won’t be enough for an account with saved credit card numbers or access to your online banking account. So we use a second, independent method of ensuring that whoever is attempting to access your account is actually you, and not some person intent on stealing your information.

The lowest level of MFA is to have the company you are logging into send you an email containing a link that you must click on to confirm your identity, with the next lowest level being an SMS message containing a 4-6 digit code whenever you log in from an unrecognized device. These are the easiest to beat. An email link is only as strong as the email account it lands in, which is often protected by the same reused password. SMS travels over a phone network with no end-to-end encryption and can be redirected by a SIM swap or a port-out at the carrier. And both are phishable in real time: a fake login page collects your password, forwards it to the real site, then asks you for the code that just arrived and forwards that too, all inside the code’s validity window. Many phishing campaigns are built around exactly this.

There are also authenticator applications, Google Authenticator for example. At enrollment the site shares a secret with the app (usually by QR code); from then on the app combines that secret with the current time to produce a six-digit code that changes every 30 seconds (the TOTP standard, RFC 6238), and the site does the same computation to check it. No network is involved, so there is nothing to intercept in transit, and a SIM swap gets the attacker nothing. The code is still something you type into a web page, though, so the real-time relay described above works against it just as well as against SMS.

A third way is to use something else like biometrics: your fingerprint, voiceprint, or face. Done properly, the biometric never leaves your device; it unlocks a key held in the phone’s or laptop’s secure hardware, and that key is what actually answers the site. Biometrics still have one key flaw: they cannot be changed if they are ever compromised. You can get a new password; you cannot get a new fingerprint. A stored template that leaks, or a sensor fooled by a good enough copy, is a problem with no reset button, which is why biometrics work best as a local unlock for another factor rather than as a secret sent to a server.

Currently, the most secure way is to use a hardware key. A hardware key is a physical device, USB or NFC, that holds a private key that never leaves it. When you log in, the site sends a random challenge, and the key signs that challenge together with the identity of the site the browser is actually talking to (the FIDO2/WebAuthn protocol). The site checks the signature against the public key it stored at enrollment. Because the signed response is tied to the genuine site’s origin and to a one-time challenge, a look-alike phishing page gets a response it cannot reuse, and a captured response is worthless a moment later. This becomes the second authenticator in the MFA chain. This is how banks, information companies, and other high-security informatics systems are authenticating users.

The two work together: you can’t access an account unless you have BOTH the username/password combo AND the physical hardware key. Stealing a password from a breach or a phishing page is no longer enough, and stealing the key means getting physical access to it. It becomes MUCH harder for someone to gain both means of authentication, and that provides a high level of security.

After quite a bit of research, I have decided to go with hardware keys. The one I have selected is YubiKey. I selected it because it works well with all of the browsers I use, it works with LastPass, and all of my banks and stockbroker accounts support it. The keys themselves come in a variety of forms: USB-A, USB-C, NFC, and others. Some of them even support biometrics, but I did not select that option.

I ordered two of the YubiKey 5 Series keys, and you can read more about them here. (pdf from Yubico’s website) I will set my accounts up for both of them- one key I can carry, and a second, backup key that will stay in the safe to allow account access in the event my primary key is lost or damaged.

My keys will be here within the next two weeks, and I will review how easy they were to setup and use shortly thereafter.


As usual, the disclaimer: I don’t advertise, and receive no compensation whatsoever in exchange for my reviews or articles. I have no relationship with any products, companies, or vendors that I review here, other than being a customer. I pay what you would pay. I only post these things because I think that my readers would be interested.

They Are All A Grift

As of Sunday, you won’t need a permit to carry a concealed weapon in Alabama and Georgia. That’s right- those two states have gone to Constitutional Carry. The cops are opposed to this, and many times they claim that they are opposed to it because it makes it more difficult to fight crime. However, in at least one case, the cops have let slip that the real reason for the opposition is that CWP fees are a major source of funding.

“And those fees that are generated by the permit go directly to law enforcement purpose only…For instance, here at the sheriff’s office in Lee County, we use that for training and education primarily,” Sheriff Jones adds.

With gun permit requirements out the window, Sheriff Jones says they’ve already seen a 30 to 40% decrease in revenue. While it has not put a dent in their budget, he says sheriffs in smaller counties throughout Alabama have expressed concerns about how they’re going to make up for the loss.

It’s all a grift. I ask you this- why do you need a driver’s license? You say that it’s to make sure that each driver knows how to drive? Yeah? So why does it expire? What’s that you say? So they can make sure that you aren’t blind or otherwise have a disability that prevents them from being safe behind the wheel? So how can you make sure of that when a driver renews by mail? My guess is that collecting the fees is the real purpose there.

A Florida driver’s license costs $48 and is good for 8 years. So, $6 a year times the 18 million licensed Florida drivers equals $108 million.

A Florida concealed weapons permit costs $45 and is good for 7 years, or just about $6.50 a year. Multiply that by the 2.6 million Florida permit holders, and you see that the state gets another $17 million a year.

Permits are all a grift.

Oil

Crude oil inventories as well as inventory in the SPR continue to fall, gasoline inventories rise, but prices rose slightly for the week to $3.14 per gallon. Look beyond the spin and see what it means. The SPR is at the lowest inventory level since 1983 at only 375 million barrels. Gasoline stocks are sitting at 220 million barrels, a 24 day supply at current consumption rates.

So what’s going on? The economy is still being sluggish. A year ago, Americans were using 9.2 million barrels a day of gasoline. Now we are using 8.6 million barrels.

More Silliness

From Peter, we see this story about a man who is taking hormones to be a woman and is now claiming that he is having menstrual cramps. Impossible. Menstrual cramps are caused by the female reproductive organs responding to hormone changes: thickening endometrial tissue, then shedding that thickening tissue as a part of the monthly reproductive cycle.

Even ignoring the absence of endometrial tissue, the hormone changes that cause this cycle aren’t there. The hormones responsible for driving this cycle are the Luteinizing Hormone (LH), Estradiol, the Follicle Stimulating Hormone (FSH), and Progesterone. It’s a complex dance of hormones that work to control the menstrual cycle.

A gland in a woman’s brain (the pituitary gland) produces Follicle Stimulating Hormone (FSH). FSH is carried by her blood to her ovaries. FSH stimulates follicles to grow. As she approaches ovulation, one of these follicles will start growing bigger and faster than all the others. It’s known as the dominant follicle. It is this follicle that contains the mature egg that will be released when she ovulates.

While FSH is encouraging lots of follicles to grow, LH, luteinising hormone, is also produced in small amounts (by the same gland in the brain that produces FSH, the pituitary gland) throughout the follicular phase. LH encourages the follicles already growing to produce estradiol (estrogen). As a woman approaches ovulation, a surge in LH will help to ripen the dominant follicle and rupture it for the egg to be released. (This surge in LH is what the ovulation test kits try and pick up on.)

When the dominant follicle ruptures, it is now called the corpus luteum. LH stimulates the corpus luteum to produce progesterone. The corpus luteum produces both progesterone and estradiol, with the primary role of these two hormones ensuring that the lining of the uterus is fully prepared for implantation by making it thicker, so that it is ready in the event that fertilization occurs. If the woman doesn’t get pregnant, the corpus luteum breaks down, progesterone production decreases and the next menstrual cycle begins when follicle stimulating hormone starts to rise again.

He isn’t taking any female hormone except for Estradiol. Even though men produce many of these hormones, they do so at a steady level. LH and FSH order the testes to produce sperm, progesterone is key in the production of testosterone, and estradiol is produced in men when excess testosterone is converted into estradiol by an enzyme called aromatase. You can see that, even though men have all of those hormones, they are not cycling up and down from the actions of the pituitary gland and cannot produce a menstrual cycle.

So even if he DID have a uterus and other female reproductive organs, he doesn’t have the necessary hormone cycles to be having menstrual cramps. He is a delusional, mentally disturbed male who needs counseling, not pills.

Shut ’em Down

I don’t care if a man is interested in having another man push a penis in his rectum. That’s his business. I don’t care if a man wants to dress up like a woman and introduce himself as a woman. Just don’t expect me to go along with any of it, and don’t parade it around in front of kids. The problem is that the left just can’t let it stay there. They have to use it to groom kids, they have to parade around and demand that we accept it, too. It’s like they are trying to use this as a lever to relive the civil rights marches of the 60’s. This isn’t that.

The Orlando Philharmonic has been advertising a “family friendly” drag show and have been allowing kids inside. The state warned them that they had better not have the show in front of kids. The Philharmonic went ahead and performed the show with children in the audience anyway. Look at the content of the show for yourself and tell me that this is OK for children.

https://www.youtube.com/watch?v=MVzD682YfcI

That was one of the milder parts of the show. If you want to see more, you can check out this link, where there are more videos embedded. One of the performed songs was “Screwdolf the Red Nippled Reindeer.” Aimed at kids, but not kid appropriate, in my opinion. That apparently doesn’t matter, because the website was advertising for “all ages” yesterday.

Children were there, so they have raised and called.

Well, the Governor of Florida says he isn’t going to put up with it, but the process takes time. They were warned, and did it anyway. I am going to wait and see if DeSantis is going to actually take action, or if this is simply a stunt to gain publicity. The “drag brunch” that DeSantis threatened to shut down six months ago is still in operation, so I am not holding my breath. This event from last night is supposedly “under investigation.”

There are a number of laws that can be used here. Chapter 847 of the Florida statutes makes it illegal to have sexual performances in front of persons under 18 years of age. Chapter 823 states that anywhere that performs these acts for minors may be declared a place of public nuisance. Once that happens, all sorts of state laws and regulations come into play. No one can carry a concealed weapon there, no liquor license, no business license, no children allowed inside, and all sorts of other legal headaches.

One of the legitimate functions of government is the protection of those who cannot protect themselves, especially including children. This venue, the parents who brought their kids, and the performers all need to be prosecuted.

The Orlando Philharmonic has called the Governor’s hand. I look forward to seeing what the Governor will do about this- is he holding a full house, or is he bluffing with a pair of fives? Governor DeSantis needs to prove that he isn’t all talk- do something to protect those kids, our kids, and our state.

As for the Drag Show? The last event of the tour will be held in Clearwater on Thursday (tonight).

Yoel Roth

Yoel Roth was the head of Twitter’s safety department and policy. He chose to ban the right while leaving all sorts of pedophile related content in place. Why did he do that? Because he is likely a pedophile himself. Behold my evidence:

Here is a 2017 article where he discussed how social media can be used to influence elections and change behavior.

In his doctoral dissertation, entitled “Gay Data,” Roth argued that minors should have access to Grindr, an app that enables gay men to instantly pinpoint each other using GPS technology. “Make no mistake,” as Vice News put it, “Grindr is more about hooking up than dating. It’s basically a 24/7 theme park of sex in your immediate locale and uses geolocation to provide a location of the closest users.” Roth, who is gay, noted in his paper that he was “documenting and analyzing my own use of these services.”

In one section, Roth wrote:

Grindr may well be too lewd or too hook-up-oriented to be a safe and age-appropriate resource for teenagers; but the fact that people under 18 are on these services already indicates that we can’t readily dismiss these platforms out of hand as loci for queer youth culture. Rather than merely trying to absolve themselves of legal responsibility or, worse, trying to drive out teenagers entirely, service providers should instead focus on crafting safety strategies that can accommodate a wide variety of use cases for platforms like Grindr—including, possibly, their role in safely connecting queer young adults.

Roth named Twitter as a platform that had become—and presumably, should remain—a “general-purpose” site for “connecting queer young adults.” Roth says that platforms should “focus on crafting safety strategies that can accommodate a wide variety of use cases,” including “their role in safely connecting queer young adults,” in an “overall queer social landscape” that “increasingly includes individuals under the age of 18,” rather than trying to “drive out” these users attempting to engage with “peers about their sexuality.”

In 2010, he wrote on Twitter: “Can high school students ever meaningfully consent to sex with their teachers?” Roth’s tweet contained a link to an article, “Student-teacher sex: When is it OK?” in Slate, a left-wing publication, about the perils and pitfalls of age of consent laws.

“Musk falsely implied in tweets that Twitter’s former head of trust and safety, Yoel Roth—who is gay—has advocated for child sexualization,” wrote Chas Danner at Intelligencer.

I don’t think it was false at all. I think that there has been a concerted effort to groom and sexualize students. When I was a teacher, we were specifically instructed to talk to high school students about the benefits of gay sex (I refused to do so) even back in 2016. There has been a nationwide push to turn children into little sex slaves.

I used to think that the entire “Q” thing was conspiracy theory bullshit. I am no longer quite so sure that it was.

Work Ends 2022

Christmas day saw me work 13 hours in the emergency department. It was a fairly quiet day. Then came the 26th. Things were pretty quiet until 3 in the afternoon or so, then all hell broke loose. We had drunks and crazies galore.

One guy came in as a Baker Act*. He was screaming that he was a CIA trained assassin and said he was going to kill (pointing at four of us, me included) those guys as soon as EMS let him off the stretcher. My manager was standing next to me. The same manager that had to tell me that I had been suspended for the last time I had to wrestle a patient. Next to that manager were two of our doctors.

Sotto voce (so the patient couldn’t hear) I said, “How good of an assassin could you be? Killing yourself even seemed to be beyond your capabilities.” Coffee immediately shot out of the doctor’s nose. My manager said, so let’s let him off the stretcher and see what happens. I said, “Do you really want to do that? Last time that shit happened, you suspended me for a week.” The manager even laughed. We gave him some Haldol and some Benadryl, which did wonders for his attitude. After an hour or so, he was telling me that I was the smartest man he had ever met. Love that Haldol.

We also worked four codes, some other kidney and blood sugar problems, half a dozen sepsis alerts, and a stroke alert or two. We are also seeing a lot of flu and COVID. We actually had our first COVID death in quite a while. It was legit. He came in complaining of shortness of breath and had an O2 saturation of 65% and a blood pressure of 70/40. We did all we could, and even managed to get his O2 up into the 90’s with some BIPAP, but even Levophed couldn’t keep his BP up. He died about an hour after we sent him upstairs to the ICU.

Yesterday was no better. We had all sorts of craziness. A homeless woman who wanted to fight, three codes, and a dislocated hip. Conscious sedation, one nurse leaning on his pelvis, me pushing on the hip joint, and the doctor up on the bed with the patient’s knee on his shoulder, pulling. We pulled several times, then a loud pop. Nope, didn’t realign. Instead, the hip fractured. So now he’s off to ortho for surgery. Another patient had been prescribed Januvia and Novolog and the combination meant that we couldn’t keep her blood sugar up without a constant D10 drip.

Thus ends my work year for 2022. Now I don’t work again until a few days into 2023. I worked 38 hours in three days, which is why there hasn’t been any posting here to speak of.


* A Baker Act is a law in Florida that says a person can be held under involuntary psychiatric observation for up to 72 hours, if a Law Enforcement Officer or Physician feels that the person presents an immediate threat of death or serious bodily harm to themselves or others. It’s generally used when a person either attempts or threatens suicide. Every state in the US has a similar law.