Thursday, January 19, 2023

Online safety seminar

"Now arrogant men, God, are attacking me, a brutal gang hounding me to death: people to whom you mean nothing."         Psalm 86:14

"Rescue me, Lord, from evildoers; protect me from the violent, who devise evil plans in their hearts and stir up war every day."         Psalm 140:1,2

"Keep me out of traps that are set for me, from the bait laid for me by evil men."         Psalm 141:9

"The net is always spread in vain if the bird is watching."         Proverbs 1:17

"Whoever listens to me may live secure, he will have quiet, fearing no mischance."         Proverbs 1:33


I have prepared and will be presenting a workshop on spam, scams, frauds, online security and safety, and possibly other topics.  It will be presented at:

So, I am willing to offer it (at the same rate that I'm charging the Sunshine Club and the churches--nothing) to any venues that want it.  I can bring a laptop (or a USB stick), but I would need a projector since there are slides to show.


This is a seminar on a very basic level of protection or warnings about "online" (phone, text, and email) frauds, scams, and spam.  This would cover topics like:

 - the difference between spammers and scammers

 - the grandparent scam (in detail)

 - robot "press 1 now" calls ("Your Visa/Amazon/Norton is being charged/will be renewed at a cost of ..." or "CRA will throw you in jail if you don't pay")

 - advance fee/lottery/419/Nigerian/Spanish Prisoner scams

 - discord attacks

 - spotting spam

 - and, of course, grief scams

 (- and then there are oddities like iPhone vs MMS ...)

There will also be extended time for questions about other dangers attendees may have heard about and want more information about.


If there were any interest, I was also thinking of a subsequent three-part series:

Online Security level 1, "Things Your Grandkids Wish You Knew"

Online Security level 2, "Things You Can Discuss With Your Grandkids"

Online Security level 3, "Things You Can *Teach* Your Grandkids"  :-)

I was thinking that level 1 would be pretty basic, and would be of interest to pretty much any of the members, but that, if people were interested in going beyond that, the level 2 and 3 would provide that opportunity once we had started with level 1.  (There could also be variations on this.)


Some of the level 2, and level 3, topics, listed and described below, are also online at https://www.youtube.com/playlist?list=PLUuvftvRsRv4bMs_scU3TyBZzuvW7kpZi


Just to be clear, I am not looking at doing this as a business, and would not expect to charge for the workshops.  This is just part of my volunteer work.  (Although I am still an active security maven, so I *do* know what I'm talking about  :-)


I *do* have experience in presentations.  I have taught information security on six continents.  You can check out some of what I've done at

  https://www.youtube.com/playlist?list=PLUuvftvRsRv4bMs_scU3TyBZzuvW7kpZi


In addition, for any of the churches, there are further presentations that I have prepared and ready to go.  Some of the topics are:

 - Level 2 - Artificial Intelligence

With the release of the Large Language Models (LLMs) such as ChatGPT and DALL-E, there is a great deal of interest in artificial intelligence.  However, there are risks, and there is much confusion, particularly since a lot of people talking about "AI" are actually talking about different things.  Artificial intelligence is not a single thing, or even a single field.  This presentation looks at the various components of AI, and what they can (and can't) do.

 - Level 2 - Digital privacy

 - Level 3 - Business Continuity Planning (2 hr)

 - Level 3 - Security Lessons from CoVID-19

Lessons, or reminders, of important information security operations concepts which have been pointed out by the CoVID-19 pandemic crisis. Using the SARS-CoV-2/CoVID-19 pandemic as a giant case study, and structured by the domains of information security, this looks at security aspects of the crisis, pointing out specific security fundamentals where social, medical, or business response to the crisis failed, or needed to make specific use of those concepts. For the most part, these lessons are simply reminders of factors that get neglected during times of non-crisis, and particularly point out the importance of advance planning and resilience in systems and business.

So, first I started explaining CoVID to my colleagues using security concepts they'd understand. Then I did a presentation, but it got too big and became half a dozen presentations. Then I wrote "Cybersecurity Lessons from CoVID-19" at about the same time that I was putting together a full CISSP seminar (which is also being done, experimentally, online). So then I thought that a "one day" CISSP seminar would be a good thing, and I could use the pandemic as a giant case study to demonstrate the various security concepts and fundamentals. So, this *can* be broken into a variety of short presentations, or it can be a half-day workshop just on the CoVID security lessons, or it can be a full-day, one-day CISSP seminar using CoVID examples.

 - Information Security Ethics

 - Crimeware

For twenty years, malware was a steadily growing threat.  It was not seen as a major problem since it was untargeted: the work of amateurs who released their programs as random nuisances.  That has now changed.  Organized groups use viruses to create spam botnets, and then use those networks not only for spamming but for advance fee (419) fraud and phishing.  Similar networks of RAT-controlled machines are used to threaten companies with DDoS extortion.  Botherders use sophisticated fast-flux DNS and IP address rotation in order to avoid both detection and shutdown.  Groups are now specialized in nature, using credit card numbers obtained from phishing attacks to order goods from online sales and auction sites, laundering their money and increasing their profits--at your expense.  Malware has become the largest single class of computer crime: crimeware.  And yet most general security literature still explains malware using thirty-year-old virus models.  This presentation gives analysis of malware trends and the changes in levels and types of risks.

 - Level 3 - Incident Response Planning (2 hr)

A two-hour seminar on incident response planning.  This session was aimed at planning for any kind of incident, although, at the time, most examples were taken from "cyber" incidents involving computers, malware, or communications.  A response planning tool handout is part of the presentation, as are hands-on exercises during the seminar.

 - Level 2 - Decentralized Finance (Bitcoins and Blockchains and Digital Cash, Oh my!)

Bitcoin, NFTs, cryptocurrencies, and many things that might be called "decentralized finance" have become enormously popular, recently, but are also wildly speculative.  This seminar will give you some background, starting with the principles of, and research into, digital cash, valuation, fungibility, technologies, infrastructures, and the basic principles underlying this field.  In addition, we will note the speculative nature of much of this "wealth."  What is a cryptocurrency?  We'll also look at the shortcuts that cryptocurrencies have taken, and why that is a problem.  We build an outline for the requirements for digital cash, why cryptocurrencies have only partly fulfilled those requirements, and why NFTs are even worse.  Currently, "investment" in cryptocurrencies is highly speculative, and seems to be roughly equivalent to putting anticipated winnings at a casino into your stock portfolio.  And, by the way, BLOCKCHAIN IS NOT THE ANSWER!!!


 - Level 3 - Security Implications of Quantum Computing

Quantum computing has been seen, in trade, research, and even science fiction literature, as a way to crack encryption keys with ease. With the advent of the first practical (and now commercial!) quantum computing devices, it is possible to see that such a "universal decryption" application is likely a long way off. On the other hand, there are some very interesting applications that are much closer, with implications, both positive and negative, for information security. This presentation will provide a brief outline of the realities and limitations of quantum computing, and then look at a wide variety of applications and implications in all domains of security. Even trying to understand the concepts of quantum computing can make your head hurt, but true quantum computing (and some quantum operations that are not true quantum computing, such as analogue quantum co-processors) can have implications for functions and operations that are terrifically helpful (and sometimes very dangerous) for security. Using least path, simulation, and pattern matching as the most likely and helpful models, we can see advances (and attacks) in the areas of security management, security architecture, access control, cryptography (quite aside from quantum cryptography), physical security, BCP/DRP, applications security, security operations, telecommunications, and law and investigation. There are also some quantum considerations that will make traditional computers faster and more power efficient. (If time can be extended for the presentation, we can even model the BB84 protocol for quantum cryptography [which is not really cryptography].)

 - Security Awareness Lessons from Dr. Bonnie

Dr. Bonnie Henry, as BC's Chief Medical Health Officer, has demonstrably saved over 5,000 lives in just a few months. With the regular CoVID press briefings, she has also provided a MasterClass in effective communication of complex technical subjects. This reference provides real-world examples of the most significant points in designing and implementing an effective security awareness program. It also conclusively proves, with mathematical certainty, the importance of security awareness training.

 - Security Frameworks

Find out the BS behind BS 7799. We give you the ITILlating facts to help you pull up your SOX and get the jump on the guidelines from "Audit" to "Zachman." As has been famously said, the nice thing about security standards is that there are so many of them. Which security framework is most appropriate for you? What can they help you to achieve? And where do Treadway and Turnbull come into it? Come with questions, get answers, and share experiences about the all-too-often mysterious checklists that govern our professional lives.


 - Level 2 - Social Media

Oversharing, curating, "ego searches," the ways social media sites aggregate data from you and all your friends, and also subtly encourage you to share more than you meant to.  Remember that their business model is to get you to tell them all about yourself, and then to sell that information to others.  Does "deleted" *really* mean deleted?  Does "private" mean what you think it means?


 - Level 2 - Disinformation and Discord

The "I" in the "CIA" triad stands for "integrity" of information, and, in our "post-truth" world, that has become more important, not less.  We are faced not merely with errors and misinformation, but active and increasingly directed efforts to deceive and mislead.  We need to be aware of the types of efforts involved in disinformation, as well as the ways we can fool ourselves, and rely too much on novel ideas such as artificial intelligence.  In addition, we need to look at social factors that can make us (and our technologies and enterprises) more susceptible to misinformation and disinformation.


 - Level 2 - Social Engineering and Social Media

Businesses are attempting to make use of social media, such as Facebook and Twitter, for corporate (primarily marketing) purposes. It is best to become informed about the concerns and security dangers related to such use. This presentation examines a number of risks (and benefits) using the CIA triad as a structure.

 - Level 2 - A 35 Year History of Malware

 - Level 2 - Security Dangers of the "Internet of Things" (IoT)

Although the "Hello Barbie" toy seems to have disappeared from the market, its very existence provides a framework for examining issues in the Internet of Things (IoT).  This presentation is a thought experiment to examine questions of security common to many such devices.  The "Hello Barbie" toy is an excellent example for pointing out what we *don't* know about many "Internet of Things" devices and applications. What is done (and stored) locally, and what remotely? When remotely, what privacy regulations prevail? How much bigger can "big data" make aggregation attacks?

Rob requests those attending to bring their nominees for "world's stupidest Internet-connected device."  Current front runners: net-connected vibrators, net-connected sniper rifle scope, iCon Smart Condom (tracking a man's "thrust velocity," calories expended "per session," skin temperature, as well as tests for chlamydia and syphilis).

 - Level 2 - Psychological Factors of the Metaverse


And then there are some more advanced seminars ...

 - Level 3 - Digital Fingerprints of Advanced Fee Frauds

 - Level 3 - Botnets

 - Level 2 - Presenting Technical Forensic Evidence in Court

This presentation will cover a number of areas, including the fact that lawyers don't just have a different job than we do: they are a different species.  It also covers different types of legal systems, types of evidence, rules of evidence, the chain of custody, the difference between witnesses of fact and expert witnesses, rules for expert testimony (opinion), and factors involved in presenting technical material to a non-technical audience.  We'll touch on liability, negligence, due diligence, and due care. This presentation is based on decades of working with lawyers in preparing for primarily civil lawsuits, but is applicable to investigative management of criminal cases as well. And remember: they don't have to prove you are wrong, they just have to make you look bad.

 - "One-Day" CISSP seminar

So, first I started explaining CoVID to my colleagues using security concepts they'd understand. Then I did a presentation, but it got too big and became half a dozen presentations. Then I wrote "Cybersecurity Lessons from CoVID-19" at about the same time that I was putting together a full CISSP seminar. So then I thought that a "one day" CISSP seminar would be a good thing, and I could use the pandemic as a giant case study to demonstrate the various security concepts and fundamentals. So, this *can* be broken into a variety of short presentations, or it can be a half-day workshop just on the CoVID security lessons, or it can be a full-day, one-day CISSP seminar using CoVID examples.

 - Level 3 - Differential Privacy

Differential privacy is a relatively recent topic, although it is an amalgam of well-known, and long utilized, concepts. Oddly, outside of academic circles, it was almost unknown until Apple made a big deal of it in an announcement in 2016. Differential privacy is, however, the "quantitative risk analysis" of privacy, which is why it has such important points to make to the field of privacy, and why almost nobody is using it. (Including, mostly, Apple.) It's hard to know where to put differential privacy into the security domains. Law? But it's not that kind of privacy. Cryptography? There are lots of similar concepts. Security management? We have to deal with measures, metrics, budgets, and risk management. My vote tends to be for applications security, because we are primarily dealing with database management and database queries. We have to deal with the old problem of data aggregation attacks, but we are also using aggregation as a form of defence. It's not a perfect or binary system, because data cannot be fully anonymized and yet remain useful. So we have to balance total records, records of a given individual, the number and type of queries allowed, local or global privacy, probability, and noise, to get *enough* privacy: privacy as if an individual wasn't in the database. Differential privacy is the "quantitative risk analysis" of privacy, and therefore may be shunned by many. (Or used improperly.)
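The "privacy as if an individual wasn't in the database" idea, worked through in code as an added example that is not part of the original post or the seminar materials: a Laplace mechanism answering a count query over a small constructed table, plus the log-likelihood ratio ("privacy loss") between that table and a neighbour with one person removed. The table, the epsilon values and the function names are all assumptions made for this illustration.

```python
import math
import random

# Constructed sample table (not from the original post): one row per person,
# 1 = the person has the sensitive attribute, 0 = does not.
RECORDS = [1, 0, 1, 1, 0, 1, 0, 0, 1, 1]


def count_query(records):
    """The aggregate query an analyst is allowed to ask: how many 1s."""
    return sum(records)


def count_sensitivity():
    """Adding or removing any one person changes a count by at most 1."""
    return 1


def laplace_noise(scale, rng):
    """Draw Laplace(0, scale) noise by inverse-CDF sampling."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def private_count(records, epsilon, rng=None):
    """Laplace mechanism: true count plus noise of scale sensitivity/epsilon.

    Smaller epsilon means more noise and a stronger privacy guarantee;
    larger epsilon means a more accurate answer and a weaker guarantee.
    """
    rng = rng or random.Random()
    return count_query(records) + laplace_noise(count_sensitivity() / epsilon, rng)


def privacy_loss(records, neighbour, epsilon, output):
    """|log( Pr[output | records] / Pr[output | neighbour] )| for the Laplace
    mechanism (the 1/(2*scale) normaliser of the density cancels out).
    Differential privacy promises this never exceeds epsilon when the two
    tables differ by one person: the answer looks the same whether or not
    that individual is in the database."""
    scale = count_sensitivity() / epsilon
    log_p = -abs(output - count_query(records)) / scale
    log_q = -abs(output - count_query(neighbour)) / scale
    return abs(log_p - log_q)


def worst_case_loss(records, neighbour, epsilon):
    """Sweep a range of possible outputs and return the largest privacy loss."""
    lo = min(count_query(records), count_query(neighbour)) - 10
    hi = max(count_query(records), count_query(neighbour)) + 10
    outputs = [lo + i / 10.0 for i in range(int((hi - lo) * 10) + 1)]
    return max(privacy_loss(records, neighbour, epsilon, o) for o in outputs)


if __name__ == "__main__":
    without_first = RECORDS[1:]  # neighbouring table: one person removed
    rng = random.Random(2023)
    for eps in (0.1, 1.0, 5.0):
        print(f"epsilon={eps}: noisy count {private_count(RECORDS, eps, rng):.2f}, "
              f"worst-case privacy loss {worst_case_loss(RECORDS, without_first, eps):.2f}")
```

The worst-case loss equals epsilon exactly, which is the trade-off the description calls "quantitative": the same number that caps what an aggregation attack can learn about one person also sets how noisy every answer is.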

 - Level 3 - Homomorphic Encryption

How do you encrypt something, and still use it? Recently security operations has become very excited about homomorphic encryption. It seems to be the latest "magic" security technology that will solve all our problems, but I don't think we've really provided a good outline of what it is, and, particularly, what it can't do. This presentation will outline the basic concepts, note some specific forms and applications, and point out the various factors for use or consideration. Homomorphic encryption is not just a weak form of encryption (although you have to be careful, when creating or assessing a homomorphic encryption algorithm, that it isn't *too* weak). It actually isn't that new: we've been using it, in some ways, for decades. One issue in regard to homomorphic encryption is that it isn't universal: you have to choose the function that you want to use in order to determine your encryption algorithm. Various algorithms are being created and explored for the functions of addition, multiplication, comparison, and others, and you can download code for these and play with them yourself.  The best current example is probably Rivest's ThreeBallot voting system, which opens a whole range of possibilities for voting security that we never had before.  Still, you have to be careful with what you think homomorphic encryption will do for you, and what it will actually do.
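The "choose the function first" point, shown with a scheme the description does not name: a toy Paillier cryptosystem, which is homomorphic for addition (and for multiplication by a known constant) but not for multiplying two encrypted values. This is an added example, not the presenter's material; the primes are deliberately tiny so the arithmetic is easy to follow, and the function names are assumptions made here.

```python
import math
import random

# Constructed toy parameters (not from the original post): primes far too
# small for real use, chosen only so the numbers stay readable.  n = 11413.
P, Q = 101, 113


def _L(x, n):
    """Paillier's L function: (x - 1) / n for x = 1 mod n."""
    return (x - 1) // n


def keygen(p=P, q=Q):
    """Paillier key generation with the usual simplification g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m, rng=None):
    """c = g^m * r^n mod n^2, with a fresh random r coprime to n."""
    n, g = pub
    assert 0 <= m < n, "plaintext must lie in [0, n)"
    rng = rng or random.Random()
    r = rng.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)


def decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = pub
    lam, mu = priv
    return (_L(pow(c, lam, n * n), n) * mu) % n


def add_encrypted(pub, c1, c2):
    """The one operation the scheme supports: multiplying ciphertexts
    adds the underlying plaintexts (modulo n)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Multiplying a plaintext by a *known* constant k: raise c to the k."""
    n, _ = pub
    return pow(c, k, n * n)


if __name__ == "__main__":
    pub, priv = keygen()
    total = add_encrypted(pub, encrypt(pub, 42), encrypt(pub, 58))
    print("42 + 58 under encryption ->", decrypt(pub, priv, total))
    # Combining two ciphertexts never multiplies the plaintexts: the server
    # holding enc(6) and enc(7) can only ever produce enc(13), not enc(42).
    print("enc(6) * enc(7) decrypts to", decrypt(pub, priv, add_encrypted(pub, encrypt(pub, 6), encrypt(pub, 7))))
```

Because the plaintext space is the integers modulo n, sums that exceed n wrap around silently; a practitioner assessing such a scheme has to check that bound as carefully as the key size.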


Not on security, but also available:

"Men's" Grief: Intuitive and Instrumental Grieving

After Gloria died, I started researching grief.  (I'm a systems analyst: if I am going to grieve, I am going to study the heck out of it.)  Terry Martin and Kenneth Doka had researched what they initially thought was a gender difference in grieving.  What they found were two different styles of grieving: not a dichotomy, but with definite gender "preferences."

Intuitive grieving (talking about your emotions, based in the past) is the style that almost all bereavement counselling is based upon.  It is so universally perceived as "grief" that most grief literature states, outright, that failure to express emotion demonstrates a failure to do "grief work."  However, Martin and Doka also identified instrumental grieving: cognitively based, thinking and learning, planning for the future, and engaging in activities and projects.

Martin and Doka's research noted that there is not a dichotomy in styles: almost everyone grieves in both styles ("blended"), but with a tendency to one end or the other of the intuitive/instrumental continuum.  Most women tend to the intuitive end; most men tend to the instrumental end.  Since almost all grief counselling is based on the intuitive model, men tend to be underserved in regard to grief.

With the support of the Alberni Valley Hospice Society, I have been experimentally developing grief peer support groups incorporating the instrumental (as well as intuitive) concepts.  This presentation reports on the overall ideas, an attempt to structure a program and materials, and the initial results of some experimental groups.

Resources:

https://fibrecookery.blogspot.com/2023/02/review-of-men-dont-cry-women-do-by.html

https://fibrecookery.blogspot.com/2022/07/review-of-grieving-brain-by-mary.html

https://fibrecookery.blogspot.com/2022/03/grief-guys.html

https://fibrecookery.blogspot.com/2023/01/grief-guys-materials-and-resources.html

https://fibrecookery.blogspot.com/2022/12/grief-bibliography.html
