
2013-08-30

Links and stuff week 2013.35

Hank bought a bus
And he is not afraid to drive it.

Thai Health Promotion Foundation
Because they are awesome.

Rick Ells
Because he is awesome.
And I have been watching too many episodes of How I Met Your Mother.
Dude.

The Albenian Language
Because it is fascinating.

Personal Information Security
Remember that baby monitor that got hacked? Well, apparently I'm not the only one who observes that more people need to think about their own information security.

This week's educational video about kids and bullying:

2013-08-28

Internetted baby monitor: An analysis

Last week, I promised an analysis of the baby monitor system that was hacked, to the detriment of a family in Texas. This analysis is based on the little information I have about the system and follows several standards for information security analysis.

The analysis occurs in three basic domains: Confidentiality, Integrity and Availability. Each of these three is then seen in three aspects: Storage, Transit and Processing. Each of these nine domain aspects poses risks. Each risk has a degree of probability and consequence.

Confidentiality

Storage: From the promotional video at Foscam, storage is on the device itself. Hence storage is as safe as the location itself. From this, one can assume that a potential intruder will take the camera and therefore render it useless as an instrument of surveillance.

Transit: I do not have information on whether transit is encrypted or not. However, in order to access the camera from the Internet, you go to Foscam's web site in order to access an outgoing tunnel from the camera. Security from that point on is based on username/password, which we know is subject to social engineering.

Processing: Access to the camera means access to anything you might be doing to the camera. So not only is your surveillance accessible, but your use of it is also available, and settings you make might be altered by, say, turning off alarms.

Integrity

Storage: Assuming the system has been breached, all integrity of camera storage is also compromised. The major issue is mode of access.

Transit: Centralized access means easy man-in-the-middle attack. This would also reveal username/password.

Processing: Man-in-the-middle attack could potentially give you recorded images.

Availability

Storage: Loss of Internet connectivity will not affect storage. Au contraire, my friend. :)

Transit: Loss of Internet connection reduces global availability. Can the camera be accessed directly from your LAN, or do you have to go via the web site?

Processing: Loss of Internet connection reduces global availability. A breach allows a hacker to change the password and lock you out of your own camera.

Main risks

The main risk of the device is the camera's availability through the Internet. Even secure connections are subject to man-in-the-middle attacks, and hacking the company's server will also allow a hacker full access to all cameras.

A firmware update for the camera has arrived to force users to change the default admin password because, as we know, this is where the first fail occurs. It is now also possible to change the admin user name. This will certainly eliminate the easiest brute force attack (select camera, enter default admin password and you're set), but it is still only a delay.

It would be more secure if the camera only accepted access by devices with a specific encryption certificate, installable on the accessing device only when connected to your LAN. Though this approach heightens the threshold to use its Internet connection, that might be a threshold parents should be required to step up to, so that they truly understand the risks they are about to subject their children to. But it won't stop access from the NSA.

However, it is typical for these cameras to also be available directly on your LAN without going through the Internet. And using it as a baby monitor, that is all you really should need. So block the camera's Internet connection, and it's safe to use. If you need surveillance when you're not at home, you'd want a device that stores your recordings somewhere else.
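
One way to check that the block described above actually holds, as an added example that is not part of the original post: a Python audit of firewall log lines that reports any allowed flow between the camera and an address outside the LAN. The log format, the 192.168.1.0/24 LAN, the camera address and the sample lines are all constructed assumptions.

```python
import ipaddress
import re

# Assumptions (not from the original post): the home LAN is 192.168.1.0/24 and
# the camera sits at 192.168.1.50. Addresses in 203.0.113.0/24 are
# documentation-only (RFC 5737) stand-ins for Internet hosts.
LAN = ipaddress.ip_network("192.168.1.0/24")
CAMERA = ipaddress.ip_address("192.168.1.50")

# Constructed sample log in an iptables-like key=value style.
SAMPLE_LOG = """\
2013-08-28T20:01:12 SRC=192.168.1.20 DST=192.168.1.50 DPT=80 ACTION=ACCEPT
2013-08-28T20:01:40 SRC=192.168.1.50 DST=203.0.113.10 DPT=443 ACTION=DROP
2013-08-28T20:02:05 SRC=192.168.1.50 DST=203.0.113.10 DPT=80 ACTION=ACCEPT
2013-08-28T20:02:31 SRC=203.0.113.77 DST=192.168.1.50 DPT=80 ACTION=ACCEPT
2013-08-28T20:03:02 SRC=192.168.1.50 DST=192.168.1.255 DPT=10000 ACTION=ACCEPT
garbage line the parser must skip
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return (src, dst, port, action) or None for lines that do not parse."""
    f = dict(FIELD.findall(line))
    try:
        return (ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"]),
                int(f["DPT"]), f["ACTION"])
    except (KeyError, ValueError):
        return None

def audit(log_text, lan=LAN, camera=CAMERA):
    """List allowed flows between the camera and anything outside the LAN."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, port, action = rec
        # Dropped packets and traffic not involving the camera are not findings.
        if action != "ACCEPT" or camera not in (src, dst):
            continue
        peer = dst if src == camera else src
        if peer not in lan:
            direction = "outbound" if src == camera else "inbound"
            findings.append((direction, str(peer), port))
    return findings

if __name__ == "__main__":
    for direction, peer, port in audit(SAMPLE_LOG):
        print(f"camera {direction} flow allowed: {peer} port {port}")
```

An empty result means every logged camera flow stayed inside the LAN or was dropped at the router.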

2013-08-26

I was bullied (repost)



(Published in Vestlandsnytt 10.2.2009 - English translation on Gardistan blog 2.3.2009)

I was the victim of bullying.

Bullying takes many forms, and is therefore difficult to manage without seeing the full picture. The schools have received a special responsibility when it comes to bullying among children because that's exactly where they spend large amounts of the day. But the school is not the only place bullying happens. It is a phenomenon that runs through all layers of society, age groups and bureaucratic systems. But, as I mentioned, it takes different forms.

It is exactly because of this shapelessness of the phenomenon that it is difficult to put your finger on a specific definition (not to mention being able to "prove" that bullying is occurring). And without a good definition, it is easy to focus on specific forms and unique occurrences. Let me give a quick introduction to the simplest forms in the life cycle of bullying - from the age before cell phones and the Internet.

In elementary school, physical bullying dominates. It usually occurs out of sight, but is easy to recognize when the bruises begin to show up on the body. In middle school, it slowly changes to a more verbal form. Verbal bullying is a lot harder to prove. Then, at high school level, the social exclusion and backstabbing begins. But this is not the end of it. The experiences from all this bullying activity are also used in work life, when one wishes to "remove unwanted elements".

The fact that the youngest are the most immature is reflected in the choice of bullying form. And that's exactly why one must also be aware of the fact that the victim does not necessarily know that it is being bullied. It could, in fact, take decades before one realizes the full impact of what happened.

The youngest also don't necessarily realize that there ARE methods of intervention that may stop bullying. Many victims fear that interference from adults will make the situation worse. After all, both bullying and retaliation against "snitches" occur out of sight. And the older you get, the more refined the bullying, the more difficult to prove and impossible to prosecute.

When Eimar Hagen (Vestlandsnytt 6.2.09) writes that the number of victims is increasing, it doesn't necessarily mean that more are being bullied. Rather, it might as well reflect that people have become more aware of the bullying. More comes to see the light of day, which one should consider as a positive trend.

Paul Sundnes (Vestlandsnytt 6.2.09) refers to the fact that the school has to discover (or be told about) the bullying to be able to react. But victims of bullying develop a skill in keeping their mask. When I went to high school myself, my teacher would tell my parents that I was always happy and smiling. This came as a real surprise to me, because I knew that in many ways, I was experiencing the most difficult time in my life, and I was alarmingly close to taking my own life. It was moving away and living years in voluntary exile that not only saved me, but allowed me to slowly realize and understand what had actually happened.

Moving the victim away has become the most used "solution" to the problem. Many victims (and their families) often complain that it is the bullies that should have been exiled, not the victim. But particularly when dealing with children, we must remember that the bullies are just as immature as the victims. They might be missing - probably - empathy? This, a self declared bully will have to answer, if they remember. My own experience is that a child can be best buddies in private, but bullies in group situations. Exile is also not a "solution" for something I see as a general problem of society at large.

"Removing" a bully or a victim from the local community is no solution. Both are bonded to the social network, tearing them out affects a lot of people. Such a distancing of people is a polarization that plays a role in breaking down society. Instead, one must find a way for the parties to cooperate.

Jane Elliott was "a pickup-length ahead"*) when she pioneered a role play experiment in 1968 to help fight racism in the USA. In the experiment, she announced to her school class that people with blue eyes lacked pigments in their eyes. Without these pigments, nothing protected the brain from solar radiation, and they were therefore more stupid than brown eyed people. She then taught the "brown eyes" to systematically bully the "blue eyes". After a couple of days, she reversed the experiment, so that all the brown eyes could experience the same discrimination. All the students developed empathy from the experiment and became more aware of prejudice and discriminating behaviour.



The experiment stigmatised both her and her family, which only increased her conviction that her work was necessary. Today, she lives from doing the experiment on adults. Those who have experienced it know that it isn't just about racism, but about all human interaction. http://www.janeelliott.com/

In the end, bullying in childhood is an experiment in strategic abuse of power. The victims are those who are strategically easiest to bully, and has nothing to do with what they "officially" are being bullied for. As an example, the victim could be bullied for being "fat", while the bully is actually fatter.

With adults, the techniques develop into operational abuse of power to secure their own position in the work place or society. The more insecure they feel, the more they step on others. Particularly, they step on co-workers that potentially could endanger their job situation and therefore need to know who "the boss" is. Again, this takes many forms. The organization Stopp JobbMobben (http://www.stoppjobbmobben.no/) has documented a double digit number of forms that bullying occurs at work. I have experienced some of them myself.

Children learn from adults. When adults back stab and speak prejudice against other people, they legitimise their own experimental discrimination of other children. This applies not only to parents, but also to comments we make in media and what we call "politics".

Media lives off sensationalism, and it is therefore in their interest to polarise all stories. This way, media is a great proponent of a general attitude of "us" and "them" as opposites. It has become so ordinary that we often don't notice. Obviously, polarisation is part of what children copy in their experimental play with bullying.

Yes, play. I wish to emphasize that bullying during childhood is "play" for the bully, because he/she experiments with this role. It is obvious for the experienced adult that it is a catastrophe for the victim, but we can not assume our own maturity in the child. The child's play is a reflection of what the child observes in society at large.

Bullying and discrimination in all its forms break down society. Progress is only achieved through cooperation. If there is anything we can do to fight bullying, it has to start by encouraging empathy and cooperation before polarisation and competition.

Thanks to the "Manifest against bullying", there is great focus on bullying in school. I think this will have only a limited effect if we are not able to see bullying other places. I therefore challenge everyone to come up with possible tangible actions we can take to prevent bullying in its entirety and share their suggestions and experiences with everyone.

Gard Abrahamsen Tuur-Eggesbø

2013-08-23

Links and news for week 2013.34

NGO: Save Life
I was accidentally made aware of this NGO in Moldova. In a situation where lives can be saved through proper treatment, but there is no economy to support these treatments, NGO Save Life has a specific purpose: funnel donated money to the procedures that save lives, and with specific focus on children. While one might argue this kind of economic aid undermines the possibility of political change for proper funding of public services, who am I to say that children should die in the process of producing political change? Especially when the children even have names.

Electric cars may lose benefits
In an effort to make personal transportation more environmentally friendly, electric cars have received numerous benefits in Norway, such as being allowed to drive in the mass transit lane on highways, free parking and using toll roads and ferry toll free. This has been a successful policy. In 2012, 927 electric cars were sold in Norway, and so far in 2013, a whopping 2700 electric cars have been sold. The problem now is that the bus can't get through because the mass transit lane is full of electric cars. While this means that it is time to lose this specific benefit, the contracts made by the government ensure that the mass transit lane may be full of electric cars at least until 2017.

The dynamics of tipping
Is tipping good or bad for business? Someone has found the answer.

And whoever thought out THIS experiment deserves a humongous hug:

2013-08-22

11 new ways to define a country: Developing the non-western third world

Are you getting tired of seeing the same old news stories about "non-western" people and "developing" countries when you know it's not that simple a world? Let's look at how we should be looking at things instead, things that have an impact on the human psyche.

  1. CHEAP/RICH and EXPENSIVE/POOR countries: Cost of living vs. average income.
    An "expensive" country is one where the average income is low compared to the cost of living, which translates to the population being "poor", while a "cheap" country is one where the average income is high, translating the population to being "rich". A formula for the expenses is hard to normalize, even within each country. For example, some places require that you have an automobile, while you can live your entire life walking in other places. Either way, statistics might come as a surprise to some.
    "He came from an expensive country"
  2. MILITARY and PEACE countries
    What's the military expense per capita? How much of the taxes goes to the military? How many military conflicts does the country have with other countries over the last decade?
    "He came from a military country"
  3. INDUSTRIAL, ECOLOGICAL and DEPENDENT countries
    How is food made? There are three basic productions, the third being dependent on importing from others. Which food resource is dominant?
    "He came from a dependent country"
  4. TECHNOLOGICAL SCALE
    It's too easy to say "developing country" or "developed" - no country is ever fully developed. If that was the case, we would no longer be developing anything new. So the question is rather - how far in the technological development has a country arrived? To claim that a country has reached a level, at least 90% of relevant implementations of said technology should be in place, such as:
    INDUSTRIAL: 90% of manual labour has been taken over by industrial machinery
    DIGITAL: 90% of population has access to digital equipment
    INTERCONNECTED: 90% of population has access to the Internet
    "He came from a digital country"
  5. MENTALLY STABLE and UNSTABLE countries
    Or, as politicians like to call them, "crazy" or "reasonable" countries. A country can be seen as "Mentally unstable" if more than 20% of the population have severe psychological problems. "He came from a mentally unstable country."
  6. VIOLENT and SAFE countries
    How many violent crimes per capita? "He came from a violent country"
  7. HAPPY and UNHAPPY countries
    Nations should check the happiness of their population on a regular basis and from this determine if they are a happy or unhappy nation. "He came from an unhappy country." "We don't know if he has happy or unhappy roots, his country refuses to release that data."
  8. ILLITERATE, PRIMARY, SECONDARY and EDUCATED countries
    How much education does 90% of the population have? "He came from a secondary school country."
  9. GRAVELLED, RAILED, SAILING and PAVED countries. WALKING, BICYCLING, RIDING, DRIVING and BOATING countries.
    There are these main methods of infrastructure for goods and passengers. Which type of infrastructure is dominant in terms of road conditions and vehicles? "He came from a gravelled boating country."
  10. HEALTHY, SICK or DEAD country
    What's the predominant health condition of people age 60-80? "He came from a sick country."
    It could also be presented in sickness age (at what age does 90% of the population have perpetual illness?) and average age of death. "He came from a sick 60 dead 75 country."
    It could also be expressed with the predominant illness. "He came from a flu country."
  11. MORTALITY TYPE
    What's the predominant type of death in a country? "He came from a heart attack country."
So with this fresh in mind, it is time for someone to sit down and define the world all over again. Good luck!

2013-08-21

Baby monitor hacked: Personal information security

A video baby monitor in Texas was hacked via the Internet and abused by a very bad man:


If I connected security cameras at work to the Internet, authorities would come at me with full force. Surveillance is sensitive information and must be treated as such. One of the problems, then, is that most people are not trained to think of information security in their daily lives.

As a trained professional, I would look at the package saying "over the Internet", shake my head in disgust and put it back on the shelf - unless I was looking for a public web camera for Runde. Blinded by the convenience, however, a lot of people will cheer with joy for this invention, not realizing that they are leaving themselves wide open to a malicious hacker ready to subvert their children.

The formula is fairly simple: Identify what is sensitive information (or sensitive access to your loud speaker as well, as in this case), identify who needs the information and the shortest route there, make sure you do everything you can to protect that channel in all nine aspects: Confidentiality, Integrity and Availability of Storage, Transit and Processing.

I will leave it for the reader as an exercise, before I reveal my own analysis of this system. 

2013-08-19

Make a wish

"Dad, if you drink ONE yellow and ONE stinking sock, you can make a wish."
He didn't say if that wish would come true or not. :)