Training

INFOSEC

INFOSEC, and its subset COMSEC, takes many forms. Included in that is the security of your persona, your online identity- bank accounts, email accounts, even access to your blog and social media accounts. I am having to tighten my information security yet again.

In 2000, I bought a car from a used car lot. The finance guy used my personal information to steal my identity. It was a financial mess. I increased security by locking my credit reports. Now you need a password to unlock and access them.

Back in 2014, my ex-gf used my passwords to steal my emails, access my social media, and stalk me. She used the information that she obtained to try and get back at me after we broke up. It created all sorts of problems. She also stole the MICR data from the bottom of my checks and used that to go on an online shopping spree.

I massively tightened my information security. The problem is that passwords are a weak spot. If you have a password that is easy to remember, it is also easy to guess. Especially if the person attempting to guess your passwords is using computer assistance. Humans being who they are, they tend to fall into patterns and people tend to be lazy with passwords. More than 80% of people use the same password on more than one account, and people also tend to fall into predictable patterns when choosing passwords. For example, here are the 20 most common passwords of 2022:

  1. password and its variations, like password1, p@ssw0rd, etc.
  2. 123456
  3. 123456789
  4. guest 
  5. qwerty 
  6. 12345678
  7. 111111
  8. 12345
  9. col123456
  10. 123123
  11. 1234567
  12. 1234
  13. 1234567890
  14. 000000
  15. 555555
  16. 666666
  17. 123321
  18. 654321
  19. 7777777
  20. 123

Not wanting to get pwned like that, I tried using a passphrase, something like “4_$core&seVenYearsL8Tr” but it is hard to create and memorize a different passphrase for each account. As a result, I used a complicated phrase for one level of account (financial), a slightly less complicated one for email accounts, and an easier, less secure one for general things like online shopping. That didn’t work for long, because data breaches at different companies meant that one breach compromised multiple accounts. Also, that phrase is still weak. A strong passphrase needs to be random, need not be easy to memorize or type, needs to have a mix of character types, and should be at least 12, but preferably 15 or more characters long.

It was then that I began using LastPass. That software is great. It uses one passphrase to secure and encrypt your password file (called a wallet), and saves the wallet in that encrypted format. That wallet is saved on the LastPass server and is encrypted with 256 bit encryption. Not even LastPass has access to it. This allows me to have long, random, complicated passwords like Gyhu#wyr4o3fuX6$dD83 that are 12 to 20 characters long and are nearly impossible to guess, even for a computer. It’s served me well for about 8 years now. (There are others, 1password.com, for example)

The obvious weak spot is the master passphrase. Since that master passphrase needs to be somewhat easy to memorize, it by definition won’t be random. That is the weak spot. If the encrypted wallet were to fall into nefarious hands, a brute force attack could be used to crack the password wallet’s encryption and the bad guy now has your passwords.

Due to a phishing attack at LastPass, black hats managed to gain access to the servers and downloaded customer password files, including the customer’s unencrypted email address and their password wallets. This is a major breach, because the email address can be used to gain a lot of information about the owner of the wallet, making a brute force attack on the wallet’s master passphrase an easier prospect.

I saw this and was worried about my files being compromised, so I spent several days changing all of the passwords in my and my wife’s password wallets, thus making the compromised passwords outdated and useless. We also changed the master passphrases for our wallets. It appears as though we have come through the breach unscathed and our accounts remained secure. The weakness of this system was a single point of failure that was even discussed when I last posted about password wallets, but I considered it to be a low risk at the time.

Now that the black hats are doing things like this, I am worried about a similar event in the future, so we will be upgrading security again. It’s a major problem. In fact, 31% of people in the US have reported being the victims of a data breach within the last 18 months. Nearly two thirds of breaches are due to stolen or weak passwords, and 85% of cyber breaches due to a human element, such as phishing or reused passwords, so it is important to find a more secure way to INFOSEC. Currently, the most secure way to lock your information is to use multifactor authentication(MFA). The idea behind MFA is to have more than one way to authenticate yourself as the proper user of an account.

The first level of authentication in accessing any electronic account is user name and password. As we have been discussing, this is not a very good way of securing high value stuff. Sure, it may be fine for securing access to your CVS frequent shopper card, it won’t be enough for an account with saved credit card numbers or access to your online banking account. So we use a second, independent method of ensuring that whoever is attempting to access your account is actually you, and not some person intent on stealing your information.

The lowest level of MFA is to have the company you are logging into send you an email containing a link that you must click on to confirm your identity, with the next lowest level being an SMS message containing a 4-6 digit number whenever you log in from an unrecognized device. This sort of message is easier to beat than most other methods, as many phishing attempts center around gaining access to these. The texts/emails are unencrypted, and if intercepted can allow a black hat to have access to your account.

There are also Authenticator applications. This is a separate program that must be periodically used as a second means to verify who you are. You try to log into your bank account, for example, and the login process includes using this app to verify that it is actually you. Google authenticator, for example.

A third, more secure way is to use something else like biometrics. Your fingerprint, voiceprint, or face, for example. Even though it is more secure than an SMS message or email, biometrics have one key flaw- they can’t be changed if they are ever compromised. Your biometric data is stored in a digital format, and that means sooner or later, someone will figure out how to compromise them. This makes them predictable and this is the weakness.

Currently, the most secure way is to use a hardware key. A hardware key is a physical key, like a USB or NFC device that stores and generates a complex, unique code each time it is used. This becomes the second authenticator in the MFA chain. This is how banks, information companies, and other high security infomatics systems are authenticating users.

The two work together- you can’t access an account unless you have BOTH the username/password combo AND the physical hardware key. It becomes MUCH harder for someone to gain access to both means of authentication and provides a high level of security.

After quite a bit of research, I have decided to go with hardware keys. The one I have selected is Yubikey. I selected it because it works well with all of the browsers I use, it works with LastPass, and all of my banks and stockbroker accounts support it. The keys themselves come in a variety of forms: USB-A, USB-C, NFC, and others. Some of them even support biometrics, but I did not select that option.

I ordered two of the Yubikey 5 Series keys, and you can read more about them here. (pdf from Yubikey’s website) I will set my accounts up for both of them- one key I can carry, and a second, backup key that will stay in the safe to allow account access in the event my primary key is lost or damaged.

My keys will be here within the next two weeks, and I will review how easy they were to setup and use shortly thereafter.

As usual, the disclaimer: I don’t advertise, and receive no compensation whatsoever in exchange for my reviews or articles. I have no relationship with any products, companies, or vendors that I review here, other than being a customer. I pay what you would pay. I only post these things because I think that my readers would be interested.

By Divemedic, ago

Dry Firing

One of the people who comments here made the comment that no shooter should ever dry fire a firearm. I would say that if you are not making dry fire a part of your training regimen, you are missing out on an important training tool that will make your trigger control much better.

It isn’t just me who says that. The shooting instructors at the Sig Sauer academy recommend it:

“The key to shooting is manipulating that trigger to the rear without adding movement to that front sight,” says SIG SAUER Academy instructor Allison Glassick. “That’s the secret to shooting.”

For beginners, the blast and recoil of a live round often causes a natural human reaction to flinch or anticipate the shot which can disrupt their grip and trigger manipulation. But taking away those live fire distractions and working through some drills with an empty handgun can pay dividends when it’s time to head to the range.

“The bang inevitably will disrupt my senses and my ability to focus in on what’s important—that slow, deliberate process of pulling the trigger from front to rear while managing that sight alignment,” says SIG SAUER Academy instructor Justin Christopher. “The best possible way to train your body how to do this is without any bullets in the gun.”

Even the people at the US Concealed Carry Association recommend it, as long as it is done in a safe manner. When I dry fire, I make sure that there is no live ammunition in the same room. That way, you are less likely to have an ND (I learned that one the hard way- I once shot my dresser when dry firing) because you aren’t tempted to load and then pull a trigger on a loaded firearm. From the USCCA, dry fire safety rules:

1 No interruptions! Turn the ringer off the phone and make sure the front door is locked. If you are interrupted, start again from the beginning rather than picking up where you think you left off.

2 Unload your gun.

3 Check that the gun is unloaded. Use both your eyes and your fingertips. Lock the action open and then run your pinky into the empty chamber to be sure it’s really empty. If you have a revolver, run your finger across each hole in the cylinder. Count the empty holes to be sure you touched them all.

4 Remove all ammunition. Get it out of the room and out of sight. I even go so far as to lock the door to the room where the ammunition is kept so that it takes several deliberate steps to get the ammunition back together with the gun.

5 Choose a safe backstop. A backstop is anything that will reliably stop a bullet from the most powerful load that your gun is capable of firing. Never dry-fire without a solid backstop.

6 Place a target in front of your backstop. To avoid a “just one more” mishap, do not dry-fire directly at anything that will remain in the room. Use a target that will be taken down when you are done.

7 Double-check that the gun is still unloaded.

8 Mental shift to practice. Say to yourself, “This is practice. I have checked and double-checked the gun. Ammunition is not present. This is only practice.” Say it out loud, and if you find yourself wondering if it’s really true, go back and check again.

9 Dry fire. Ten to 15 minutes is as much dry-fire practice as most people can safely handle. If your mind begins to wander, stop immediately. That’s a sign that you are not paying attention to what you are doing — an important red flag.

10 Take the target down immediately — before leaving the room and before reloading the gun. Never leave the target up after you are done practicing. As you take the target down, say aloud, “Practice is over. No more dry fire. Practice is over.” This helps you make the important mental shift back to the real world and prevents the infamous “just one more” mishap.

11 Put your gun in the safe or if you are unwilling to lock your defense gun away for an hour or two, at least get yourself out of the practice room. Stay out of that area until your conditioning to pull the trigger there has been replaced by conscious thought.

12 Reload out loud. When do you reload the gun, say aloud, “This gun is loaded. It will fire if I pull the trigger. This gun is loaded.” Say it three times and say it out loud. This allows you to think, speak and hear that the gun is no longer in dry-fire condition.

If you want to do it on the cheap, balance a coin on your front sight. Pull the trigger without losing the coin. It’s a good way to learn to pull the trigger without moving your point of aim. Once you see the improvement, you can try a training system like MantisX.

Once you are proficient with dry fire from a prepared stance, you can advance to trying it while drawing.

In summary, dry fire is an important part of my firearms training. Maybe you should make it a part of yours.

By Divemedic, ago

It Gets Worse

On the Brevard county deputy ND homicide. He pointed the gun at the other deputy and pulled the trigger. When it didn’t go bang, he racked the slide and did it again. The second time he pulled the trigger, the pistol functioned as designed.

One thing that makes it worse is what the Sheriff got from the entire event:

he still believed the firearm was unloaded but should have known the magazine containing ammunition was possibly in the firearm by the weight of the gun,

Just like the Baldwin shooting, the shooter in this case deserves to be prosecuted to the fullest extent of the law. I would also suggest that the entire Sheriff’s department be forced to undergo a 4 hour firearm safety refresher course. This incident is a sure sign that training is lacking and attention to firearm safety is not being taken seriously.

By Divemedic, ago

Carbines

Yesterday was shotguns. Continuing the series on defensive firearms, we explore carbines. I’m going to use this definition for carbines as opposed to rifles: A carbine is a a compact, short-barreled rifle that has a barrel length of less than 20 inches.

Most self defense shootings happen at a range of less than 7 yards. For that reason, it’s my opinion that rifles are not effective as self defense weapons, because they are too long to be wielded in close quarters. However, if you were to tell me that I could only pick one firearm to own for all purposes for the remainder of my life, I would go with a carbine. They are the Swiss Army knives of firearms.

Carbines have rifle-level muzzle energy, good accuracy out to a hundred meters or more, and can be effectively used inside of a building or from inside of a vehicle. The most popular of all of these in the US today (by a fair margin) is the AR patterned carbine- the M4gery. Parts and accessories are widely available. You can still even roll your own with an 80 percent lower, and they are relatively easy to repair and maintain. Lightweight, low recoil versions in .223 or 5.56mm are handled well by both women and children. Ammunition is light enough that a large amount can be carried.

I build my ARs with a 1:8 twist rate. That way, the rifling is optimized for bullet weights of 55, 62, or 77 grains, giving me a fair amount of latitude on ammunition selection. If I am planning on using the AR mostly in close quarters, I mount a holographic sight on it, like an EOTech. Those are good sights out to 100 yards or so and are fast to use. If I am anticipating medium to long range work, then there are other options like an LPVO or ACOGs.

Another mention is what I referred to as my “skirmish rifle.” Using the definition of carbine from above, the rifle that I built to this spec is a carbine. It’s on an AR10 receiver and chambered for .308 with an 18 inch barrel. Weighing in at only 7.65 pounds without a scope, it is lighter than many of my AR15’s. It shoots like a dream with a LPVO scope on it, I am getting 3 inch groups at 100 yards. Not bad from an 18 inch barrel. The bonus is that, being .308, it will defeat most body armor, especially at close range.

I once owned an M-1 carbine. I am sorry I got rid of it, because it was fun to shoot.

I am going to also include my Scorpion EVO in this category, even though the ATF says it’s a pistol. Mostly because it shares with carbines the disadvantage of being too large to conceal. Pistol caliber carbines, even though they are less powerful than their rifle caliber brethren, share many of the attributes of other carbines. I regularly mount a suppressor on mine, and when firing it with subsonic ammunition like 147grain hollowpoints, it’s report is about as loud as dropping a large book on the floor. Sure, there is less power at those muzzle velocities, but I have the 32 round magazines for it, so I plan on making up for that with fast, accurate follow on hits. Three or four headshots with 147grain 9mm hollowpoints will do a number on a home invader.

Of course, the disadvantage to any long gun in a self defense situation is that it cannot be concealed and is difficult to carry everywhere. Still, if I had to be in a gunfight, I would not feel undergunned with a carbine and a couple of magazines.

These posts are not intended to be a complete discussion of all of the merits, but are intended to be food for thought. There aren’t enough pixels on the Internet to completely discuss every facet of every type of defensive firearm.

By Divemedic, ago

Shotguns

This began as a single post, but quickly became too long for one post. So let’s make it a series.

Yesterday’s post talked about stopping power and how it is a myth. Today I want to tackle the topic of what you should be using for self defense. Remember that a bullet is simply a means of transferring energy from gunpowder to target.

Lets start with shotguns.

Shotguns are a great self defense weapon for short to medium range, say 10 to 50 feet. They aren’t the cone of doom that many people think they are-the rule for shotgun patterning is that you usually get about 1 inch of spread for every yard from the target. So at 50 feet, you get a 16 inch pattern. In the distances involved inside of an average house, say 21 feet, you are looking at a pattern that is only about 7 inches.

In shotguns, the most effective self defense loads are not birdshot, as many people claim. The problem with lighter shot is that it frequently doesn’t penetrate. To me, the lightest shot that is suitable for self defense work is number four shot. So let’s take a look:

  • Number 4 buck has 20 grain pellets that are 0.24″ in diameter travelling at ~1300 feet per second.
  • #0 shot has 49 grain pellets that are 0.32″ in diameter and travelling at ~1200 feet per second.
  • #00 shot has 70 grain pellets that are 0.36″ in diameter and travelling at ~1100 feet per second.

My opinion, #0 buck is the best for home defense, especially when being fired from a 12ga with a 3″ chamber. Why?

Remember that our goal is to cause one of three things: a hit to the CNS, massive and rapid blood loss, or disabling shots. #0 buck offers enough penetration to reach vital organs, and 15 of them means having a high enough pellet count to punch lots of holes in the vascular system.

If you are going to consider slugs, I think that a rifle or a pistol caliber carbine is a better choice. We will talk about this in a later post.

The main disadvantages to shotguns are that they are long and difficult to work in tight spaces, and are not precise in the event that you need to shoot at targets that are located in close proximity to non-threats unless you are using slugs.

I prefer pump actions, but I can easily imagine the pure shock and awe of firing a semi-auto magazine fed 12 gauge. I will admit that I don’t own a mag fed semi-auto shotgun, but I have thought about it from time to time. Still, for home defense, a shotgun is a great choice for home defense, but I would not use a break open in that role. I would go with either a pump action or a semi-auto.

By Divemedic, ago

Where I tackle a sacred cow

Stopping power is a myth. There, I said it. Every time there is a shooting, some yahoo comes forward to talk about how this gun or that one would be better because stopping power…

It’s bullshit. There are only four ways to stop a determined attacker:

  • A catastrophic hit to the brain or spinal cord (CNS)
  • Lower his blood pressure to the point where his brain is incapable of operating
  • A ‘mission kill’ where his body is so damaged that it can’t continue the attack (for example: damage his pelvic girdle so an attacker armed with a melee weapon can’t close the distance)
  • Convince him that he is out of the fight

Hitting the brain or spinal cord will usually end an attack. A hit to the head that misses the brain will not work. I can think of seeing at least three shootings from my years as a street medic where a bullet hit a person in the head, but didn’t penetrate into the brain. One of them was a suicide attempt. A good example of a head hit NOT taking someone out of the fight is Navy SEAL Matt Axelson. He took a bullet to the head that left his brain matter exposed, yet continued the fight.

Punch enough holes in someone’s vasculature, and they will lose blood pressure to the point where the brain is no longer being supplied with oxygen, and the person is rendered unconscious. Even a lucky shot with a small caliber like a .32 is capable of doing this- say if it hits the aortic arch and causes a transection. Sometimes it takes several hits. I have seen people take multiple hits to the torso from a .223 and stay in the fight.

A mission kill is where you damage a person’s body severely enough that they physically can’t continue the fight. Say, a hit to the pelvic girdle preventing someone from chasing you down. An excellent example of this was Kyle Rittenhouse shooting Gaige Grosskreutz in the arm. The hit not only rendered that arm as incapable of firing shots, but also made it impossible for that arm to release the handgun it was holding.

Then there is simply convincing someone that they are done. This is a well documented phenomenon where a person will be shot, and the wound is far from incapacitating, but the person simply lies down and is out of the fight.

There are people out there, however that still insist in the magical properties of this caliber or that bullet. Bullets are simple tools. They are a tool that delivers the chemical energy stored in the gunpowder to the target in the form of kinetic energy. The force with which a bullet hits the target is equal to the force that’s directed back into the shooter. It’s one of Newton’s laws- every action has an equal and opposite reaction. Any bullet that has enough power to “knock down” the target will do the same to the shooter. It is at this point that many will point to Marshall and Sanow’s work, and I will admit that I was a follower and believer in this study when it first came out.

The Marshall and Sanow “study” was fatally and egregiously flawed. The most basic flaw was “selection bias” in that the study excluded any shooting where it took more than one shot to halt the attack. So if I have a situation where I shoot someone and he doesn’t go down, so I shoot him three more times before he does, that shooting would be excluded from the study, even though that shooting demonstrated a complete failure to stop the attack.

What a bullet does is simple: the chemical energy in the gunpowder is converted to kinetic energy that is transferred to the bullet. That energy is then transferred to whatever that bullet strikes. If the object struck is a person, then physiology takes over from physics there. The damage done is dictated by how much energy was transferred to the targeted person, and what body parts of that person where targeted.

So there are a couple of things that are important in stopping an attack: the amount of energy transferred, and what part of the body that it is transferred to. Suffice it to say, you want a bullet to have enough energy to damage the body system that it strikes, and that means you want it to penetrate far enough to transfer that energy into something physiologically important. You don’t want a bullet bouncing off of the grizzly’s skull or getting stuck in a denim jacket. It does not do any good if that happens. You also don’t want that bullet to over penetrate. What ever energy that bullet has left after passing through the target is useless in stopping the target from doing things that you don’t want them doing.

You also want to work on shot placement. Hitting a right handed shooter in the left arm isn’t going to do you a bit of good.

Buy yourself a gun that you can shoot well, then spend time practicing. Load it with some high quality defensive ammunition, make sure the firearm functions well with that ammo, then practice.

Why? Because you want to keep shooting until the attack is over. That means if you have to shoot him to slide lock to stop the attack, then shoot him to slide lock. Make sure that you can hit a person-sized target 100% of the time at 10 yards, rapid fire WHILE UNDER STRESS. Make sure that you can hit a person sized target 80 percent of the time at 20 yards while under stress. Sounds easy, but studies show that shooting to this level is rare while experiencing the stress of an actual gunfight.

If you do carry a handgun, use a .38/9mm or larger if you can. If you can’t carry something that large, carrying any firearm is better than not carrying one at all.

Put good quality defensive ammo in it. Don’t worry about finding the perfect latest and greatest ammo, but do get something that is modern as well as being accurate and reliable with your chosen firearm.

Practice. A lot. At least 100 rounds per quarter at a minimum. Shooting is a perishable skill. The more you do it, the better you get at it.

To all of you 10mm or .45ACP fans: If you really believe in stopping power, then provide the physics or physiological basis for stopping power. How does it work, what causes it, why do you think your caliber is different from all of the others?

By Divemedic, ago

Killers Planning and Training

The Parkland shooter admitted to a psychiatrist that he had planned a school massacre for over 5 years. He looked at previous shootings and studied what previous shooters had done. He learned to pie corners, he learned police response times, he learned to not let people get close.

He knew that he would have 20 minutes to carry out his plan without police interference.

Think about that while carrying in your day to day life. The shooter has a plan, he has the initiative, and you will be playing catchup.

By Divemedic, ago

Remember

The person urging you to do illegal shit is probably an FBI agent. You can’t trust anyone, not even family. Even if you ARE among those you can trust, letting someone new into the group is a huge threat. That person may be, or may become, an informant.

Trust no one, or you may wind up like this guy.

The guy who keeps telling you he isn’t a cop? He is a cop. This guy was an undercover informant twice- for a total of over 10 years. How many people are in jail because this guy gave them a little nudge? Made a couple of suggestions? Keep in mind that informants only get their deal or get paid if they continue to serve up the goods. That means they will frame or entrap you, if that is what it takes for them to get whatever it is that the cops have promised them: clemency, leniency, or simply money.

It is nearly certain that some of the commenters on the blogs you read, perhaps even some of the bloggers themselves, are informants or even cops who would love to see you behind bars. The more tyrannical the government becomes, the more informants there will be.

Comport yourselves accordingly.

By Divemedic, ago

Airplane Medical Kit

Because of the comments to the post about the doctor on the airplane, I wanted to do a follow up. So let’s first talk about what is in the medical kit on a commercial aircraft. The FAA requires an AED, and a medical kit that contains the following items:

The most common inflight medical events are:

  • Gastrointestinal/Nausea (31%)
  • Neurological, such as fainting or seizures (26%)
  • Respiratory (7%)
  • Cardiovascular (5%)
  • Dermatological (5%)

My wife was on an aircraft flying from JFK to Heathrow where there was a death in flight. The flight attendants cleared out the back row of the plane and put the body on the seats, covering him with a blanket. That is where he stayed for the remainder of the flight.

I myself have been on two flights were there were medical issues. In both cases, the flight crew called for medical personnel. I wasn’t going to volunteer, but no one else did, so I raised my hand. The FA brought me a radio headset that was connected to the airline’s on call doctor, who consulted with me and we agreed upon a course of action.

The first was a moderate allergic reaction (urticaria, wheezes, pruritus) on a flight from Orlando to Boston. The passenger got himself 50mg of IV diphenhydramine and some inhaled albuterol. He was fine and slept the rest of the flight.

The second was on a flight from Las Vegas to Orlando. It was a guy who was having himself an anxiety attack. He was hyperventilating and complaining of shortness of breath, chest pain, along with numbness and tingling to his fingers and lips.

The reason for it was hilarious. He had gotten married to his fiancé (a white woman) while in Vegas. He was Puerto Rican, and was dreading his mother’s reaction when he told her that he had married a woman (who wasn’t Puerto Rican) that his mother hadn’t even met yet. If you know anything about Puerto Rican mothers, you would know that they are much like Italian mothers. He had every right to be afraid.

Anyway, I told the doctor that his vitals looked good and I felt like it was an anxiety attack. The doctor agreed. I traded seats with his wife for about half an hour and talked him down. Once he felt better, I went back to my seat. An hour later, his wife came and got me a second time. During that second visit, his wife told mine that I was a very patient and nice man.

That’s it for my aircraft stories.

By Divemedic, ago