Training

Using Password Managers

Here is the continuation of password security. So you have a password manager, which has some serious advantages:

You have secure passwords that are 12 to 20 characters long,
made up of upper and lower case letters, numbers, and symbols
are random(ish) by not containing dictionary words or their variants (like p@$$woRd)
You can have a different password for every online account, stored away in an easy to use and retrieve format

You can also store answers to challenge questions in your wallet. When the bank challenges you to name your third grade teacher, you can respond with “Mrs. Smith” or you can answer the challenge with a random string of characters stored in your password wallet. Look at the “notes” field (not from my real account or wallet).

This picture is from the Internet. It isn’t my account.

Down there in the “notes” section, I will put the challenge question and its answer. I always use the “generate random password” feature to generate a random password and use that as the answer to the challenge question. Good luck guessing that, hacker bitches.

All of your passwords are secure in your encrypted password wallet. Or are they?

LastPass was recently hacked, and a black hat used the credentials of an employee that was compromised in a phishing attack to gain access to and download their entire database of encrypted user files. I’m not blaming LastPass for that one- it could have happened to any company, and to their credit, at least they came clean and let everyone know.

This created two problems for LastPass users. Now that the black hats had the files, there are two ways that they can access them:

They can try to brute force the master password for the file. This is where a strong master passphrase works to your advantage. If you are smart, as soon as you learn of the breach, you change the most important of your passwords (master password, followed by bank and email accounts, then others) before they get a chance to guess the master passphrase. By the time they have your passwords, you have already changed them and it won’t matter.
Since LastPass encrypted file doesn’t encrypt the websites, only the login, password, and notes, the weakness here is that the black hat can do a targeted fishing attack similar to what was done to this Australian woman or this woman who was targeted by a man claiming to be a Chase fraud investigator. These attacks can be quite convincing.

To guard against someone compromising some or all of your passwords, you can use Multifactor Authentication (MFA). All MFA is, is a second way of ensuring that the person who is accessing an account is the authorized user. The most common of those is sending a code by SMS. You enter your password, then you get a prompt to enter a code or pin that’s sent to your phone number. After you type in the code, you’re in. Simple, right?

The problem is that SMS isn’t a secure way to perform MFA.

This is because SMS messages rely on the security of phone networks and phone companies. Both, sadly, are notoriously easy to access. While some text messages are encrypted user-to-user – think iMessages between iPhones or WhatsApp messages – SMS messages are in plain text form. Plain text messages are not encrypted between sender and receiver, so if attackers can intercept the message, they can read the content. Unfortunately, SMS messages are easy to intercept. Even Microsoft is advising people to stop using SMS as a method of MFA.

It’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms. These mechanisms are based on publicly-switched telephone networks (PSTN), and they are the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong authentication now – the authenticator app provides an immediate and evolving option.
Alex Weinert of Microsoft

Don’t rely on just a password. Don’t rely on one password. There are tons of scammers out there who want access to your stuff. Keep it as secure as you can make it.

The authenticator app still relies on you being in possession of your cell phone, and in my opinion creates a single point of failure- the loss of your phone, that places both the password wallet and the means of MFA in someone’s possession.

I don’t worry about the three letter agencies getting my stuff. If they want it, they are going to get it. They don’t need to steal my passwords, they aren’t going to spoof my phone, and they aren’t going to use my IOT devices to spy on me. You know what they are going to do? Present a national security letter to my bank, my employer, Google, my ISP, and anyone else they feel like, and the companies involved are going to tell them anything they want to know.

The purpose of the security I am writing about is protection from scammers who aren’t the government.

Still, there will be a future post on MFA, since this one is getting a bit long. On a side note, this series of posts represents my ongoing research into ways for securing my information. I tend to research and look into things that I am adopting. I figure that you can benefit from my research efforts.

By Divemedic, 3 yearsJanuary 10, 2023 ago

Account and INFO Security

How To Store and Use Passwords

To continue my examination of passwords, we have already seen how to generate them. Now that we have spent all of that time coming up with a password that is hard for someone to guess, we need to be able to use it while keeping secure. How do we make them user friendly and accessible while at the same time ensuring that they are secure from prying eyes?

Once you have generated your password, you need to remember it. Anyone can remember a few secure passwords, but remembering a bunch of them becomes problematic, especially when they are secure and change every few months, as they should.

The use of password memory devices like license plate numbers, or children’s birthdates, or whatever other memory devices you may use has two different drawbacks- the number of passwords that you can remember like that will be limited, and will also be difficult to keep straight across a large number of accounts. I tried that method, and it fails when you begin getting a large number of them.

My password wallet has over 300 unique passwords stored in it. Some of them, like for bank and email accounts, are 20 characters long and change twice a year. Others, like for commenting on Disqus, are 12 characters long and may change every two or three years. That’s a lot of remembering. I simply can’t do it.

So how do we store our passwords? I used to use one common password for bank accounts, another for email accounts, yet another for blogs, etc. What this means is that you are running the risk of a data breach at one company exposing your passwords for others. Not ideal.

You can keep them off of all computers and just do what my mother in law does. She keeps a notebook with all of her passwords written down in it. Then what? Do you carry it around with you? What if you lose it? How do you constantly update it? Not convenient, not secure.

How about letting the browser on your computer store it? Then it isn’t portable across platforms. Many browsers store passwords in an unsecure format that is there for some hacker to steal. Not secure. That’s because desktop web browsers do a lousy job of safeguarding your information.

One big security hole for passwords is your spellchecker. Your spellchecker has a list of words that are spelled correctly, and compares that list to the words that you are typing. If there is not a match, it marks a ward as misspelled and may even suggest the correct spelling. Some systems will even automatically insert the word that is a likely match. Users add new words to the spellcheck dictionary by telling the system that the word is correctly spelled, then the software adds the new word to the dictionary.

What if that new word isn’t a word at all, but is instead the password to your bank account? Spellcheck dictionaries aren’t secure at all. The spellchecker simply marks the passwords as being correctly spelled by saving them to the dictionary. The two Internet browsers that are most notorious for this are the “enhanced spell check” feature found in Chrome’s settings or the browser extension “Spelling & Grammar Checker” for Microsoft Edge. Huge security problem there.

You can let Google store them for you, but that isn’t a great idea. Do I really need to explain why?

So we are left with password storage companies. If we want our passwords to work across multiple platforms- at home, on our cell phones, at work, and everywhere else where we use it, there are only a couple of ways to do that. We can transfer it from platform to platform manually, or we can allow the password wallet to be stored on another person’s system.

These systems have advantages- we can store a large number of complex passwords in a format that makes them readily available. The password list is more secure than writing them down, and since the password storage company stores the password file in an encrypted format with the decryption key being your master password, you now only have to remember the master password. For those of you who have a trick for memorizing a password, here is where you shine. You can use the license plate numbers of your last three cars, your kids’ birthdates, and other mnemonics to come up with a secure passphrase that is easy for you to remember, but hard for a black hat to guess, and use that to secure your password wallet.

The risk here was displayed by LastPass recently. A password companies files can be compromised, and the black hats are now in possession of your encrypted passwords. They can now brute force your master passphrase at their leisure and get your passwords.

This post is already long, so we can discuss this in a later post.

By Divemedic, 3 yearsJanuary 8, 2023 ago

Account and INFO Security

More On Password Authentication

COMSEC is a type of INFOSEC. Your information needs to be secure from disclosure, and I have been doing quite a bit of research on that over the past few days.

A few days ago, I posted about INFOSEC and using a password wallet. Some interesting ideas were shared, good questions asked, and so I thought I would share some thoughts on the concept of passwords and password managers.

The basic theory behind passwords is simple: a password is two people attempting to ensure that one of them is the person that is authorized to access the files or other electronic resources that the second person is the custodian of. The process is called authentication, and the use of a user name/password combination is the first, simplest, and most common method of user authentication. It’s also one of the most insecure, for reasons we will explore.

The things that make username/password authentication insecure are rooted in a couple of things, one of them being the users themselves. All of them. A user can be phished, hacked, or otherwise compromised. There are ways to mitigate most of the risks. What are the risks?

The simple brute force attack is the most basic of all brute force attacks. The bad actor tries to guess the user’s password without the employment of software tools. The attacker relies on trying out commonly used, weak passwords such as 123456, qwerty, password, and password123. Unfortunately, the simple brute force attack can be pretty effective, because many people continue to use weak and otherwise poor passwords to secure their online accounts.

Computer programs used for brute force attacks can check anywhere from 10,000 to 1 billion passwords per second. If your password is random, it will take an average of 8,000 years to guess a 12 character password with even the fastest computers. One type of computerized brute force attack relies on words found in the dictionary. This sort of brute force attack is called a dictionary attack and uses a vast number of common words and their variations. To do that, hackers use software that can make thousands of guesses every second using dictionary databases.

Then there is a hybrid attack. A hybrid attack combines a dictionary attack with a simple brute force attack for a better chance of success. Often a hybrid attack is utilized once the attacker already knows the username of its victim. You see this one when a data breach has released user names and email addresses of a company.

Choose a complex password. It should be made of upper and lower case letters, numbers, and symbols. Doing that means you start with a base of 52 letters, 10 numbers, and up to 33 symbols, for a total base of 95.
Choose a password of at least 12 characters. Doing it this way means you are raising the base (95) to the power of the number of characters. So a 12 character password means that there are 540,360,090,000,000,000,000,000 possible combinations of passwords- that’s 540 sextillion possible combinations (5.4×10^23).
You should avoid the use of common words and common passwords. This will mitigate the risk of dictionary, hybrid, and simple brute force attacks.

The suggestion was made of using a 6 word password generated using diceware. The thing that I laughed at from the diceware website was “Do not use a computer program or electronic dice generator. There is no easy way to be sure they are random enough.” That one statement was enough to tell me that the website’s author doesn’t know what they are talking about. They are worried that a random number generator isn’t random enough, while at the same time ignoring the fact that their word list is public and uses words from the dictionary. This means it will not be as secure as using random characters, no matter how random your word selection is, the use of dictionary words compromises the randomness of the password. If they know you made your password from this word list, you are screwed. If they don’t, then the randomness with which you picked the words from the list doesn’t matter.

The last type of attack is called a rainbow table attack. Websites or apps don’t store passwords in plaintext. What they do is encrypt user passwords with hashes. Once the password is used for logging in, it is immediately converted to a hash. The next time the user logs in using their passwords, the server checks whether the password matches the previously created hash. If the two hashes match, the user is then authenticated. The tables used to store password hashes are known as rainbow tables.

In most instances, the hacker launching a rainbow table attack would need to have the rainbow table at their disposal. Often these can be bought on the dark web or stolen in a data breach. During the attack, bad actors use the table to decrypt the password hashes and so gain access to a plaintext password. The big risk here is not only the access to that account, but the other accounts of those who reuse passwords from one site to another are now at risk.

The security of the password is restricted to the security of the custodian of the information that the password is securing. If you have an account with Home Depot, then they get hacked because they have shitty security, the bad guys now have your credentials. Having a secure password means nothing if the company you are doing business with doesn’t take security seriously.

Choosing a good password is just the first step in securing your online data. Now you have to store that password in a format that makes it easy to retrieve your password, while simultaneously making it secure from disclosure to unauthorized parties. That will be a future post.

By Divemedic, 3 yearsJanuary 3, 2023 ago

Food

Can I Eat Him?

If a deer attacks you on your own front porch, and it’s outside of hunting season, I would assume that it’s still lawful to shoot his ass. I’m sure a couple of handgun bullets to the cranium would take him down, no problem. (mute the audio. The woman screaming is annoying.)

My question here is: Would you then be permitted to add his meat to the freezer? Some venison steaks would be delicious!

By Divemedic, 3 yearsDecember 31, 2022 ago

INFOSEC

INFOSEC, and its subset COMSEC, takes many forms. Included in that is the security of your persona, your online identity- bank accounts, email accounts, even access to your blog and social media accounts. I am having to tighten my information security yet again.

In 2000, I bought a car from a used car lot. The finance guy used my personal information to steal my identity. It was a financial mess. I increased security by locking my credit reports. Now you need a password to unlock and access them.

Back in 2014, my ex-gf used my passwords to steal my emails, access my social media, and stalk me. She used the information that she obtained to try and get back at me after we broke up. It created all sorts of problems. She also stole the MICR data from the bottom of my checks and used that to go on an online shopping spree.

I massively tightened my information security. The problem is that passwords are a weak spot. If you have a password that is easy to remember, it is also easy to guess. Especially if the person attempting to guess your passwords is using computer assistance. Humans being who they are, they tend to fall into patterns and people tend to be lazy with passwords. More than 80% of people use the same password on more than one account, and people also tend to fall into predictable patterns when choosing passwords. For example, here are the 20 most common passwords of 2022:

password and its variations, like password1, p@ssw0rd, etc.
123456
123456789
guest
qwerty
12345678
111111
12345
col123456
123123
1234567
1234
1234567890
000000
555555
666666
123321
654321
7777777
123

Not wanting to get pwned like that, I tried using a passphrase, something like “4_$core&seVenYearsL8Tr” but it is hard to create and memorize a different passphrase for each account. As a result, I used a complicated phrase for one level of account (financial), a slightly less complicated one for email accounts, and an easier, less secure one for general things like online shopping. That didn’t work for long, because data breaches at different companies meant that one breach compromised multiple accounts. Also, that phrase is still weak. A strong passphrase needs to be random, need not be easy to memorize or type, needs to have a mix of character types, and should be at least 12, but preferably 15 or more characters long.

It was then that I began using LastPass. That software is great. It uses one passphrase to secure and encrypt your password file (called a wallet), and saves the wallet in that encrypted format. That wallet is saved on the LastPass server and is encrypted with 256 bit encryption. Not even LastPass has access to it. This allows me to have long, random, complicated passwords like Gyhu#wyr4o3fuX6$dD83 that are 12 to 20 characters long and are nearly impossible to guess, even for a computer. It’s served me well for about 8 years now. (There are others, 1password.com, for example)

The obvious weak spot is the master passphrase. Since that master passphrase needs to be somewhat easy to memorize, it by definition won’t be random. That is the weak spot. If the encrypted wallet were to fall into nefarious hands, a brute force attack could be used to crack the password wallet’s encryption and the bad guy now has your passwords.

Due to a phishing attack at LastPass, black hats managed to gain access to the servers and downloaded customer password files, including the customer’s unencrypted email address and their password wallets. This is a major breach, because the email address can be used to gain a lot of information about the owner of the wallet, making a brute force attack on the wallet’s master passphrase an easier prospect.

I saw this and was worried about my files being compromised, so I spent several days changing all of the passwords in my and my wife’s password wallets, thus making the compromised passwords outdated and useless. We also changed the master passphrases for our wallets. It appears as though we have come through the breach unscathed and our accounts remained secure. The weakness of this system was a single point of failure that was even discussed when I last posted about password wallets, but I considered it to be a low risk at the time.

Now that the black hats are doing things like this, I am worried about a similar event in the future, so we will be upgrading security again. It’s a major problem. In fact, 31% of people in the US have reported being the victims of a data breach within the last 18 months. Nearly two thirds of breaches are due to stolen or weak passwords, and 85% of cyber breaches due to a human element, such as phishing or reused passwords, so it is important to find a more secure way to INFOSEC. Currently, the most secure way to lock your information is to use multifactor authentication(MFA). The idea behind MFA is to have more than one way to authenticate yourself as the proper user of an account.

The first level of authentication in accessing any electronic account is user name and password. As we have been discussing, this is not a very good way of securing high value stuff. Sure, it may be fine for securing access to your CVS frequent shopper card, it won’t be enough for an account with saved credit card numbers or access to your online banking account. So we use a second, independent method of ensuring that whoever is attempting to access your account is actually you, and not some person intent on stealing your information.

The lowest level of MFA is to have the company you are logging into send you an email containing a link that you must click on to confirm your identity, with the next lowest level being an SMS message containing a 4-6 digit number whenever you log in from an unrecognized device. This sort of message is easier to beat than most other methods, as many phishing attempts center around gaining access to these. The texts/emails are unencrypted, and if intercepted can allow a black hat to have access to your account.

There are also Authenticator applications. This is a separate program that must be periodically used as a second means to verify who you are. You try to log into your bank account, for example, and the login process includes using this app to verify that it is actually you. Google authenticator, for example.

A third, more secure way is to use something else like biometrics. Your fingerprint, voiceprint, or face, for example. Even though it is more secure than an SMS message or email, biometrics have one key flaw- they can’t be changed if they are ever compromised. Your biometric data is stored in a digital format, and that means sooner or later, someone will figure out how to compromise them. This makes them predictable and this is the weakness.

Currently, the most secure way is to use a hardware key. A hardware key is a physical key, like a USB or NFC device that stores and generates a complex, unique code each time it is used. This becomes the second authenticator in the MFA chain. This is how banks, information companies, and other high security infomatics systems are authenticating users.

The two work together- you can’t access an account unless you have BOTH the username/password combo AND the physical hardware key. It becomes MUCH harder for someone to gain access to both means of authentication and provides a high level of security.

After quite a bit of research, I have decided to go with hardware keys. The one I have selected is Yubikey. I selected it because it works well with all of the browsers I use, it works with LastPass, and all of my banks and stockbroker accounts support it. The keys themselves come in a variety of forms: USB-A, USB-C, NFC, and others. Some of them even support biometrics, but I did not select that option.

I ordered two of the Yubikey 5 Series keys, and you can read more about them here. (pdf from Yubikey’s website) I will set my accounts up for both of them- one key I can carry, and a second, backup key that will stay in the safe to allow account access in the event my primary key is lost or damaged.

My keys will be here within the next two weeks, and I will review how easy they were to setup and use shortly thereafter.

As usual, the disclaimer: I don’t advertise, and receive no compensation whatsoever in exchange for my reviews or articles. I have no relationship with any products, companies, or vendors that I review here, other than being a customer. I pay what you would pay. I only post these things because I think that my readers would be interested.

By Divemedic, 3 yearsDecember 30, 2022 ago

Firearms

Dry Firing

One of the people who comments here made the comment that no shooter should ever dry fire a firearm. I would say that if you are not making dry fire a part of your training regimen, you are missing out on an important training tool that will make your trigger control much better.

It isn’t just me who says that. The shooting instructors at the Sig Sauer academy recommend it:

“The key to shooting is manipulating that trigger to the rear without adding movement to that front sight,” says SIG SAUER Academy instructor Allison Glassick. “That’s the secret to shooting.”
For beginners, the blast and recoil of a live round often causes a natural human reaction to flinch or anticipate the shot which can disrupt their grip and trigger manipulation. But taking away those live fire distractions and working through some drills with an empty handgun can pay dividends when it’s time to head to the range.
“The bang inevitably will disrupt my senses and my ability to focus in on what’s important—that slow, deliberate process of pulling the trigger from front to rear while managing that sight alignment,” says SIG SAUER Academy instructor Justin Christopher. “The best possible way to train your body how to do this is without any bullets in the gun.”

Even the people at the US Concealed Carry Association recommend it, as long as it is done in a safe manner. When I dry fire, I make sure that there is no live ammunition in the same room. That way, you are less likely to have an ND (I learned that one the hard way- I once shot my dresser when dry firing) because you aren’t tempted to load and then pull a trigger on a loaded firearm. From the USCCA, dry fire safety rules:

1 No interruptions! Turn the ringer off the phone and make sure the front door is locked. If you are interrupted, start again from the beginning rather than picking up where you think you left off.
2 Unload your gun.
3 Check that the gun is unloaded. Use both your eyes and your fingertips. Lock the action open and then run your pinky into the empty chamber to be sure it’s really empty. If you have a revolver, run your finger across each hole in the cylinder. Count the empty holes to be sure you touched them all.
4 Remove all ammunition. Get it out of the room and out of sight. I even go so far as to lock the door to the room where the ammunition is kept so that it takes several deliberate steps to get the ammunition back together with the gun.
5 Choose a safe backstop. A backstop is anything that will reliably stop a bullet from the most powerful load that your gun is capable of firing. Never dry-fire without a solid backstop.
6 Place a target in front of your backstop. To avoid a “just one more” mishap, do not dry-fire directly at anything that will remain in the room. Use a target that will be taken down when you are done.
7 Double-check that the gun is still unloaded.
8 Mental shift to practice. Say to yourself, “This is practice. I have checked and double-checked the gun. Ammunition is not present. This is only practice.” Say it out loud, and if you find yourself wondering if it’s really true, go back and check again.
9 Dry fire. Ten to 15 minutes is as much dry-fire practice as most people can safely handle. If your mind begins to wander, stop immediately. That’s a sign that you are not paying attention to what you are doing — an important red flag.
10 Take the target down immediately — before leaving the room and before reloading the gun. Never leave the target up after you are done practicing. As you take the target down, say aloud, “Practice is over. No more dry fire. Practice is over.” This helps you make the important mental shift back to the real world and prevents the infamous “just one more” mishap.
11 Put your gun in the safe or if you are unwilling to lock your defense gun away for an hour or two, at least get yourself out of the practice room. Stay out of that area until your conditioning to pull the trigger there has been replaced by conscious thought.
12 Reload out loud. When do you reload the gun, say aloud, “This gun is loaded. It will fire if I pull the trigger. This gun is loaded.” Say it three times and say it out loud. This allows you to think, speak and hear that the gun is no longer in dry-fire condition.

If you want to do it on the cheap, balance a coin on your front sight. Pull the trigger without losing the coin. It’s a good way to learn to pull the trigger without moving your point of aim. Once you see the improvement, you can try a training system like MantisX.

Once you are proficient with dry fire from a prepared stance, you can advance to trying it while drawing.

In summary, dry fire is an important part of my firearms training. Maybe you should make it a part of yours.

By Divemedic, 3 yearsDecember 7, 2022 ago

Cops

It Gets Worse

On the Brevard county deputy ND homicide. He pointed the gun at the other deputy and pulled the trigger. When it didn’t go bang, he racked the slide and did it again. The second time he pulled the trigger, the pistol functioned as designed.

One thing that makes it worse is what the Sheriff got from the entire event:

he still believed the firearm was unloaded but should have known the magazine containing ammunition was possibly in the firearm by the weight of the gun,

Just like the Baldwin shooting, the shooter in this case deserves to be prosecuted to the fullest extent of the law. I would also suggest that the entire Sheriff’s department be forced to undergo a 4 hour firearm safety refresher course. This incident is a sure sign that training is lacking and attention to firearm safety is not being taken seriously.

By Divemedic, 3 yearsDecember 5, 2022 ago

Humor

Yes! This is What I’ve Been Saying

JKB over at GunFreeZone warns that many bad guys are wearing body armor. That’s what I have been saying. So do it like this:

LOL. “You shot me in the dick! I think the bullet came out my asshole!”

By Divemedic, 3 yearsNovember 21, 2022 ago

Firearms

Carbines

Yesterday was shotguns. Continuing the series on defensive firearms, we explore carbines. I’m going to use this definition for carbines as opposed to rifles: A carbine is a a compact, short-barreled rifle that has a barrel length of less than 20 inches.

Most self defense shootings happen at a range of less than 7 yards. For that reason, it’s my opinion that rifles are not effective as self defense weapons, because they are too long to be wielded in close quarters. However, if you were to tell me that I could only pick one firearm to own for all purposes for the remainder of my life, I would go with a carbine. They are the Swiss Army knives of firearms.

Carbines have rifle-level muzzle energy, good accuracy out to a hundred meters or more, and can be effectively used inside of a building or from inside of a vehicle. The most popular of all of these in the US today (by a fair margin) is the AR patterned carbine- the M4gery. Parts and accessories are widely available. You can still even roll your own with an 80 percent lower, and they are relatively easy to repair and maintain. Lightweight, low recoil versions in .223 or 5.56mm are handled well by both women and children. Ammunition is light enough that a large amount can be carried.

I build my ARs with a 1:8 twist rate. That way, the rifling is optimized for bullet weights of 55, 62, or 77 grains, giving me a fair amount of latitude on ammunition selection. If I am planning on using the AR mostly in close quarters, I mount a holographic sight on it, like an EOTech. Those are good sights out to 100 yards or so and are fast to use. If I am anticipating medium to long range work, then there are other options like an LPVO or ACOGs.

Another mention is what I referred to as my “skirmish rifle.” Using the definition of carbine from above, the rifle that I built to this spec is a carbine. It’s on an AR10 receiver and chambered for .308 with an 18 inch barrel. Weighing in at only 7.65 pounds without a scope, it is lighter than many of my AR15’s. It shoots like a dream with a LPVO scope on it, I am getting 3 inch groups at 100 yards. Not bad from an 18 inch barrel. The bonus is that, being .308, it will defeat most body armor, especially at close range.

I once owned an M-1 carbine. I am sorry I got rid of it, because it was fun to shoot.

I am going to also include my Scorpion EVO in this category, even though the ATF says it’s a pistol. Mostly because it shares with carbines the disadvantage of being too large to conceal. Pistol caliber carbines, even though they are less powerful than their rifle caliber brethren, share many of the attributes of other carbines. I regularly mount a suppressor on mine, and when firing it with subsonic ammunition like 147grain hollowpoints, it’s report is about as loud as dropping a large book on the floor. Sure, there is less power at those muzzle velocities, but I have the 32 round magazines for it, so I plan on making up for that with fast, accurate follow on hits. Three or four headshots with 147grain 9mm hollowpoints will do a number on a home invader.

Of course, the disadvantage to any long gun in a self defense situation is that it cannot be concealed and is difficult to carry everywhere. Still, if I had to be in a gunfight, I would not feel undergunned with a carbine and a couple of magazines.

These posts are not intended to be a complete discussion of all of the merits, but are intended to be food for thought. There aren’t enough pixels on the Internet to completely discuss every facet of every type of defensive firearm.

By Divemedic, 3 yearsNovember 14, 2022 ago

Firearms

Shotguns

This began as a single post, but quickly became too long for one post. So let’s make it a series.

Yesterday’s post talked about stopping power and how it is a myth. Today I want to tackle the topic of what you should be using for self defense. Remember that a bullet is simply a means of transferring energy from gunpowder to target.

Lets start with shotguns.

Shotguns are a great self defense weapon for short to medium range, say 10 to 50 feet. They aren’t the cone of doom that many people think they are-the rule for shotgun patterning is that you usually get about 1 inch of spread for every yard from the target. So at 50 feet, you get a 16 inch pattern. In the distances involved inside of an average house, say 21 feet, you are looking at a pattern that is only about 7 inches.

In shotguns, the most effective self defense loads are not birdshot, as many people claim. The problem with lighter shot is that it frequently doesn’t penetrate. To me, the lightest shot that is suitable for self defense work is number four shot. So let’s take a look:

Number 4 buck has 20 grain pellets that are 0.24″ in diameter travelling at ~1300 feet per second.
#0 shot has 49 grain pellets that are 0.32″ in diameter and travelling at ~1200 feet per second.
#00 shot has 70 grain pellets that are 0.36″ in diameter and travelling at ~1100 feet per second.

My opinion, #0 buck is the best for home defense, especially when being fired from a 12ga with a 3″ chamber. Why?

Remember that our goal is to cause one of three things: a hit to the CNS, massive and rapid blood loss, or disabling shots. #0 buck offers enough penetration to reach vital organs, and 15 of them means having a high enough pellet count to punch lots of holes in the vascular system.

If you are going to consider slugs, I think that a rifle or a pistol caliber carbine is a better choice. We will talk about this in a later post.

The main disadvantages to shotguns are that they are long and difficult to work in tight spaces, and are not precise in the event that you need to shoot at targets that are located in close proximity to non-threats unless you are using slugs.

I prefer pump actions, but I can easily imagine the pure shock and awe of firing a semi-auto magazine fed 12 gauge. I will admit that I don’t own a mag fed semi-auto shotgun, but I have thought about it from time to time. Still, for home defense, a shotgun is a great choice for home defense, but I would not use a break open in that role. I would go with either a pump action or a semi-auto.

By Divemedic, 3 yearsNovember 13, 2022 ago