
dumb hurricane ideas

Quote

“Hurricanes are fake news” guy Rush Limbaugh deservedly took a lot of heat for his comments on Hurricane Irma last week when he essentially accused the media of hyping up the storm as “fake news.” That’s not to say the conservative talk host was entirely wrong. He was correct that it is in the media’s interest to sell hurricanes as huge, whopping threats (be honest, do you watch The Weather Channel at any other time than during a tropical cyclone landfall?). But “the media” doesn’t do this because of some global warming conspiracy theory, Rush; they do it for ratings and clicks.

But what else would you expect from this mindless fat blowhard?

“Ten-day forecast” guy Among the most frustrating things during the lead-up to Hurricane Irma’s landfall were the newfound “experts” who seized upon the widespread anxiety to promote the next big threat. During this time, Hurricane Jose represented such a threat. I can’t count how many times I saw someone on social media share a 10-day model forecast for Jose that looped around the Atlantic Ocean before striking the US East Coast. I’m going to pick on Justin Miller below because the national editor of The Daily Beast ought to know better. It is true that the operational run of the European model on Saturday (12z) did show a looping Jose returning to near the East Coast around September 20. And yet… this was a single-track forecast at 10 days, when the average error can often be measured in thousands of kilometers. Moreover, there was little support for a US landfall in the ensemble forecast of the same run (this is the 50 or so additional runs of a model, with slightly different initial conditions, at a lower resolution than the operational model).

This is important because, whereas forecasters use the operational model for five-day forecasts, ensembles become more useful after that time due to increasing uncertainty. In the image below, you can see almost no ensemble members bringing Jose to shore. The operational model, therefore, was a huge outlier to be discounted. The problem with “10-day forecast” guy is that he or she doesn’t have any real interest in being correct. The primary motivation is “look at me.” Having lived through Harvey and writing for shellshocked people in Houston, I can tell you that their greatest fear is that another storm is coming soon, when they are most vulnerable. Constantly, I got questions about Irma—what if it doesn’t turn and comes to Texas? This kind of irresponsible social sharing plays on those fears. Jose may ultimately come to the United States, but there is no truth to be found from “10-day forecast” guy.

So why did Irma miss Miami? About 48 hours before Irma made landfall along the southwestern Florida coast near Marco Island, hurricane forecasts began closing in on that track. At that time frame before landfall, the official forecast from the National Hurricane Center has an average error of about 70 miles.

As a sailor, I follow models closely. Anything over 3 days has such a huge margin of error that I note it but discount it when route planning. Of course, I am not motivated by advertising revenue, just my own and my crew’s safety.

“It wasn’t that bad” guy. Oh, Ann Coulter. Why must you be so horrible? Coulter, who lives in Palm Beach, Florida, tweeted on Sunday morning at about the time that Irma was covering the Florida Keys in water and bearing down on the southwestern coast of Florida.

Ann Coulter @AnnCoulter HURRICANE UPDATE FROM MIAMI: LIGHT RAIN; RESIDENTS AT RISK OF DYING FROM BOREDOM…I wish cables would mention the hurricane. There is a decidedly heavier-than-average morning dew in Miami; Palm Beach bordering on breezy.

First of all, conditions were pretty grim in Miami on Sunday. Secondly, by Friday evening, it was clear that Irma was going to move further west than expected and, instead of hitting southeastern Florida—including the Miami area—it was going to strike the southwestern part of the state. But instead of being inwardly grateful about being spared by Irma or having some empathy for her fellow Floridians, Coulter went full Coulter.

Rush clone Ann – you are a disgrace to your Cornell and University of Michigan alma maters.

What Really Broke Dyn this week? IOT

Quote

Today a vast army of hijacked internet-connected devices – from security cameras and video recorders to home routers – turned on their owners and broke a big chunk of the web.

Compromised machines, following orders from as-yet unknown masterminds, threw massive amounts of junk traffic at servers operated by US-based Dyn, which provides DNS services for websites large and small.

The result: big names including GitHub, Twitter, Reddit, Netflix, AirBnb and so on, were among hundreds of websites rendered inaccessible to millions of people around the world for several hours today.

We’re told gadgets behind tens of millions of IP addresses were press-ganged into shattering the internet – a lot of them running the Mirai malware, the source code to which is now public so anyone can wield it against targets.

  • Dyn’s chief strategy officer Kyle York told The Register by phone that devices behind tens of millions of IP addresses were attacking his company’s data centers. 
  • A lot of this traffic – but not all – is coming from Internet-of-Things devices compromised by the Mirai botnet malware. This software nasty was used to blast the website of cyber-crime blogger Brian Krebs offline in September, and its source code and blueprints have leaked online. That means anyone can set up their own Mirai botnet and pummel systems with an army of hijacked boxes that flood networks with junk packets, drowning out legit traffic. 
  • One online tracker of Mirai suggests there are at least 1.2m Mirai-infected devices on the internet, with at least 173,000 active in the past 24 hours. 
  • Mirai spreads across the web, growing its ranks of obeying zombies, by logging into devices using their default, factory-set passwords via Telnet and SSH. Because no one changes their passwords on their gizmos, Mirai can waltz in and take over routers, CCTV cameras, digital video recorders, and so on. 
  • York said the waves of attacks were separate and distinct – there are multiple bot armies out there now smashing systems offline. “We’re expecting more,” he added.
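The propagation pattern described above (many sources trying factory-default logins over Telnet/SSH until one succeeds) is something a device owner or network defender can spot in their own logs. The following detector is an added example, not code from The Register, Dyn or the Mirai source; it assumes a hypothetical syslog-like line format and uses constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical syslog-like format (not real captures):
# several sources hammer telnetd with factory-default user names, then one gets in.
SAMPLE_LOG = """\
Oct 21 11:00:01 dvr01 telnetd[412]: login user=root src=198.51.100.7 result=FAIL
Oct 21 11:00:03 dvr01 telnetd[412]: login user=admin src=203.0.113.9 result=FAIL
Oct 21 11:00:04 dvr01 telnetd[412]: login user=root src=192.0.2.44 result=FAIL
Oct 21 11:00:06 dvr01 telnetd[412]: login user=support src=198.51.100.7 result=FAIL
Oct 21 11:00:09 dvr01 telnetd[412]: login user=root src=203.0.113.9 result=OK
Oct 21 11:30:00 dvr01 dropbear[518]: login user=alice src=10.0.0.5 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<svc>telnetd|dropbear)\[\d+\]: "
    r"login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>OK|FAIL)$")

def parse(text, year=2016):
    """Turn matching lines into (timestamp, service, user, source, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in other formats instead of failing
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["svc"], m["user"], m["src"], m["res"]))
    return events

def mirai_style_alerts(events, window_s=300, min_sources=3):
    """Alert on (a) >= min_sources distinct IPs failing remote logins within window_s
    seconds, i.e. default-credential scanning, and (b) a login success on a service
    that was being scanned, which is when the box has likely been recruited."""
    alerts, by_svc = [], defaultdict(list)
    for ev in sorted(events):
        by_svc[ev[1]].append(ev)
    for svc, evs in by_svc.items():
        fails = [e for e in evs if e[4] == "FAIL"]
        scanned = False
        for i, ev in enumerate(fails):
            srcs = {e[3] for e in fails[i:] if (e[0] - ev[0]).total_seconds() <= window_s}
            if len(srcs) >= min_sources:
                scanned = True
                alerts.append(("scan", svc, ev[0], sorted(srcs)))
                break
        if scanned:  # a success right after the scan is the takeover signal
            for e in evs:
                if e[4] == "OK" and (e[0] - fails[0][0]).total_seconds() <= window_s:
                    alerts.append(("takeover", svc, e[0], e[2], e[3]))
    return alerts
```

On the sample above it raises one "scan" alert for telnetd and one "takeover" alert for the root login from 203.0.113.9; the later dropbear login is left alone because nothing was scanning that service.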

It is well known that the Internet of Things (IoT) has very poor security. It could be improved if people would simply change the default password and manufacturers mandated a password change on a time basis. Not a cure-all, but an improvement. But El Reg says it better:

El Reg [ed. The Register] has been banging about IoT security for ages: Mirai is now targeting cellular gateways. Not enough is being done to patch insecure gadgets. Do gizmos need some sort of security-warning labels? The blame here is not with Dyn. It is not even with the owners of the hijacked devices.

It lies with the botnet operators – and, perhaps more crucially, the dimwit IoT manufacturers who crank out criminally insecure hardware that can be compromised en masse. Particularly China-based XiongMai Technologies, which produces vulnerable software and hardware used in easily hijacked IP cameras, digital video recorders and network-attached video recorders. These crappy devices were at the core of today’s attacks, according to Flashpoint.

Until there is a standards crackdown, and vulnerable devices are pulled offline, this will continue on and on until there is no internet left.

Cracking the Code

I was recently asked for the first 4 digits of my SSN on an insurance application. I refused. I was given the usual answer: “no one has ever had a problem with this before.” Well, that does not surprise me. The security IQ of the average business, in my estimation, barely registers. This is especially true for small and medium businesses, although, as seen, even their larger brethren are pretty bad. Anyway, I digress. It is not just this hapless insurance company. Doctors’ offices continue to be notoriously bad. One month ago I tried to make an appointment with a doctor and they asked for my full SSN. Of course I refused. I made it all the way to the CEO of the practice, and this fool simply repeated over and over that it was their policy, as their software used it as a unique identifier. Idiots.

How easy is it to guess SSNs?

Quote

Researchers have found that it is possible to guess many — if not all — of the nine digits in an individual’s Social Security number using publicly available information, a finding they say compromises the security of one of the most widely used consumer identifiers in the United States.

Many numbers could be guessed at by simply knowing a person’s birth data, the researchers from Carnegie Mellon University said.

My advice – refuse to give your SSN to anyone. And guard your birth date also, especially online. Use a fake birth date for any site requesting it.

Avon Calling?

Quote

Security researchers have discovered a glaring security hole that exposes the home network password of users of a Wi-Fi-enabled video doorbell. The issue – now resolved – underlines how default configurations of IoT components can introduce easy to exploit security holes.

The Ring allows punters to answer people knocking on your door from your mobile phone, even when you’re not at home. The kit acts as a CCTV camera, automatically activating if people approach your door, letting homeowners talk to visitors, delivery couriers and so on.

There’s an optional feature that allows the kit to hook up to some smart door locks, so users can let guests into their home even when they aren’t in. …The device is secured outside a house using two commonly available Torx T4 screws, leaving it vulnerable to theft. Ring offer a free replacement if the kit is stolen, so homeowners are covered in that scenario (at least).

However that’s not the end of the problems with the device. An easy attack makes it all too simple to steal a homeowner’s Wi-Fi key. To do this, hackers would need to take the kit off the door mounting, flip it over and press the orange “set up” button.

“Pressing the setup button [puts] the doorbell’s wireless module (a Gainspan wireless unit) into a setup mode, in which it acts as a Wi-Fi access point,” Pen Test Partners consultant David Lodge explains in a blog post. “By connecting to a web server running on the Gainspan unit, the wireless configuration is returned including the configured SSID and PSK in cleartext.”

A colleague of mine calls the Internet of Things the Internet of Targets — how true.

iKettle Leaks! (…WiFi Passwords)

Quote

A security man has mapped and hacked insecure connected kettles across London, proving they can leak WiFi passwords.

The iKettle is designed to save users precious seconds spent waiting for water to boil by allowing the kitchen staple to be turned on using a smartphone app.

Pen Test Partners bod Ken Munro says hackers can make more than a cuppa, however: armed with some social engineering data, a directional antenna, and some networking gear they can “easily” cause the iKettle to spew WiFi passwords.

….

Munro says the state of internet of things security is “utterly bananas” and akin to the quality of infosec in the year 2000.