A few years ago, I attended a lecture by Jeremy Duffy, The Geek Professor. The specific seminar I attended discussed the sheer volume of information that one can find online, and then went into some of the specifics of how one goes about searching for that data. Most interesting to me was some of the guidance on targeted searching that Duffy replicates in his guide on How To Hunt Someone Like A Dog On the Internet. It's definitely worth a read, and it's fairly brief. So, why am I posting this? Several reasons:
1) Jeremy Duffy does a great seminar, and I'm pleased to advertise for him.*
2) This guide gives some fantastic tips for how to use Google and other search engines more efficiently. The quoted search and site search techniques, particularly when combined, have made my searching much more effective since I began using them after attending Duffy's lecture.
3) The guide shows how much of your own personal information (or, if you're in the security industry, other information about your facility or operation) is available online; and it shows just how easy it is to find.
This should concern you; but, even more than that, it should give you the information necessary to empower you. Duffy has another online guide entitled CTRL-Z – How to Reclaim Your Privacy From the Internet, available either as a seminar, or from a few additional guides that are linked on the page. Go have a look.
* Special thanks to my friend and associate, Sam-Wise, who helped to jog my memory about Duffy's website. I still have my notes from that lecture - somewhere - but it's not available, so Sam-Wise's help was excellent.
Monday, October 28, 2013
Thursday, October 24, 2013
Thoughts on Middle Eastern Borders
Last month, I took a lot of interest in an article entitled "Stop Blaming Colonial Borders for the Middle East's Problems". I loved this article.
People frequently try to blame the Middle East's problems on the West, usually based on historical ignorance. The best example is probably the debate over Israel and Palestine. A historically accurate (though extremely partisan) discussion of the history of the topic can be found here. Those unfamiliar with the history of the conflict frequently claim that Israel was created by Western states out of guilt for what happened in the Holocaust; in actuality, Jewish migration into the region began much earlier, and land was (by and large) purchased outright while the disputed areas of Israel, Gaza, and the West Bank (in addition to present-day Jordan) were still a component of the Ottoman Empire.
Another region whose history is often misrepresented is the Persian Gulf region. Folk who are unfamiliar with the region's history criticize Western nations for their presence in the Gulf. Writing about the Dhofar Rebellion, South African author S. Monick notes:
Even now, as America is attempting to "pivot to the Asia-Pacific region", the United Kingdom is considering a "return to East of Suez" to address critical strategic needs. Meanwhile, the Gulf States have repeatedly invited their external allies to work with them in order to advance mutual strategic goals. (One example of this is the allegation, unsubstantiated though it may be, that the Qatari Emir offered to "pay in full" for America's military presence in Qatar. That's just one example. And the Gulf States are far from being puppets of Western influence: Saudi Arabia and Qatar have provided funding and weapons to unsavory elements in the Syrian civil war, Bahrain's has been extremely robust in its suppression of political protest, and Oman continually refuses to take a hard line against Iran. Without taking a side on any of these ongoing and contentious issues, the point is that many such accusations are made in ignorance. These accusations tend to rely upon ignorance and oversimplification; in the case of the claims about arbitrary borders noted in the article I noted above, they ignore other prevailing factors in favor of a simple glance at the map.
So, what does this have to do with risk management? It's actually pretty simple: foreign policy is risk management on a global scale. Western involvement in the Middle East has tended to occur at the invitation of the sitting governments (noteworthy examples being Jebel Akhdar War, and Operations Vantage, Storm, Earnest Will, Prime Chance, Nimble Archer, Praying Mantis, Desert Shield and Desert Storm, among others, and with honorable mention to the Arab Revolt and Operation El Dorado Canyon). Major world powers share strategic interests with Middle Eastern powers, in addition to other interests. They manage those risks through both political, military, and economic means, using whatever resources and leverage they can bring to bear. It's easy to blame seemingly arbitrary borders for all of this; in reality, there are a variety of far more complex factors that come into play, and both Western and Middle Eastern nations accept additional risks at their own peril, as evidenced by recent and current events.
Oversimplification is easy, and Western audiences are accustomed to neat, tidy, coherent stories. Reality is nearly always far more complex, and far less climactic than we expect. And just like our own history, the history of the Middle East continues to unfold - frequently irrespective of any Western influence.
People frequently try to blame the Middle East's problems on the West, usually based on historical ignorance. The best example is probably the debate over Israel and Palestine. A historically accurate (though extremely partisan) discussion of the history of the topic can be found here. Those unfamiliar with the history of the conflict frequently claim that Israel was created by Western states out of guilt for what happened in the Holocaust; in actuality, Jewish migration into the region began much earlier, and land was (by and large) purchased outright while the disputed areas of Israel, Gaza, and the West Bank (in addition to present-day Jordan) were still a component of the Ottoman Empire.
Another region whose history is often misrepresented is the Persian Gulf region. Folk who are unfamiliar with the region's history criticize Western nations for their presence in the Gulf. Writing about the Dhofar Rebellion, South African author S. Monick notes:
In this second Omani war Britain had relinquished all power in the Middle East. Its surrender to Marxist insurgent forces in Aden in 1967, and consequent evacuation from South Arabia in the same year, had finally signalled Britain's' total abdication of power in the Arabian Peninsula; a decision confirmed by its departure from Bahrain in 1971, thus completing her total withdrawal from east of Suez. This abdication of power was further manifested in the cessation of Britain's treaty obligations with the Trucial Oman States, and the replacement of this political entity with the United Arab Emirates (formed in 1971). Hence, in this second campaign Great Britain was an intruder, so to speak, in the affairs of the Persian Gulf to an extent not apparent in the war of 1957-1959, when her intervention could be justified in terms of her military and political presence in neighbouring South Arabia (i.e. in terms of her interest in maintaining stability within a region in which she had a powerful vested interest).
Even now, as America is attempting to "pivot to the Asia-Pacific region", the United Kingdom is considering a "return to East of Suez" to address critical strategic needs. Meanwhile, the Gulf States have repeatedly invited their external allies to work with them in order to advance mutual strategic goals. (One example of this is the allegation, unsubstantiated though it may be, that the Qatari Emir offered to "pay in full" for America's military presence in Qatar. That's just one example. And the Gulf States are far from being puppets of Western influence: Saudi Arabia and Qatar have provided funding and weapons to unsavory elements in the Syrian civil war, Bahrain's has been extremely robust in its suppression of political protest, and Oman continually refuses to take a hard line against Iran. Without taking a side on any of these ongoing and contentious issues, the point is that many such accusations are made in ignorance. These accusations tend to rely upon ignorance and oversimplification; in the case of the claims about arbitrary borders noted in the article I noted above, they ignore other prevailing factors in favor of a simple glance at the map.
So, what does this have to do with risk management? It's actually pretty simple: foreign policy is risk management on a global scale. Western involvement in the Middle East has tended to occur at the invitation of the sitting governments (noteworthy examples being Jebel Akhdar War, and Operations Vantage, Storm, Earnest Will, Prime Chance, Nimble Archer, Praying Mantis, Desert Shield and Desert Storm, among others, and with honorable mention to the Arab Revolt and Operation El Dorado Canyon). Major world powers share strategic interests with Middle Eastern powers, in addition to other interests. They manage those risks through both political, military, and economic means, using whatever resources and leverage they can bring to bear. It's easy to blame seemingly arbitrary borders for all of this; in reality, there are a variety of far more complex factors that come into play, and both Western and Middle Eastern nations accept additional risks at their own peril, as evidenced by recent and current events.
Oversimplification is easy, and Western audiences are accustomed to neat, tidy, coherent stories. Reality is nearly always far more complex, and far less climactic than we expect. And just like our own history, the history of the Middle East continues to unfold - frequently irrespective of any Western influence.
Friday, October 11, 2013
Working on Honesty Traces
A few years ago, I saw an article about honesty traces. These use the basic utilities on your average PC, along with a GPS capable of downloading its data via USB to find potential ambush points. I've wanted to figure out how to make honesty traces for a few years now, and I've never taken the time to do it. As I'm killing time prior to graduation, I've been able work on some security-related projects, and figuring out honesty traces is one of them.
I've had to be somewhat field expedient, though. For example, the instructions call for the use of Garmin's MapSource software. At the time I started playing around with my Garmin eTrex Vista H, I could not for the life of me find the MapSource software, so I defaulted to an open source program called EasyGPS. The slide deck also calls for the user to utilize FalconView, which is software that was developed in partnership with the Georgia Tech Research Institute and the Department of Defense; however, there are two versions of the software, and the slide deck demonstrates the restricted DoD version that's not available to the public. So, I'll eventually attempt to learn how to do honesty traces that are nearly the same as those demonstrated in that slide deck; but using EasyGPS and Wikimapia, and with a bit of my own HTML/XML editing for the .gpx files created from the GPS data, I'm also trying to figure out an alternate method.
Using six tracks that I took in Kirkwall over the course of the last week, I made a preliminary honesty trace. You can see a number of "choke points" (or else, points where my path crossed multiple times), which is the entire point of the exercise. It still needs some work to get it all figured out; as you can see, there's a massive red line that runs straight through St. Magnus Cathedral that's quite obviously not part of my route, and that's something that I need to figure out how to reconcile (I'm already close). The end goal is to not only teach myself how to do it, but to create a work instruction so that others can follow my lead in a manner that's more "open source" and, hopefully, a bit simpler than the original instructions from the Marines.
I've had to be somewhat field expedient, though. For example, the instructions call for the use of Garmin's MapSource software. At the time I started playing around with my Garmin eTrex Vista H, I could not for the life of me find the MapSource software, so I defaulted to an open source program called EasyGPS. The slide deck also calls for the user to utilize FalconView, which is software that was developed in partnership with the Georgia Tech Research Institute and the Department of Defense; however, there are two versions of the software, and the slide deck demonstrates the restricted DoD version that's not available to the public. So, I'll eventually attempt to learn how to do honesty traces that are nearly the same as those demonstrated in that slide deck; but using EasyGPS and Wikimapia, and with a bit of my own HTML/XML editing for the .gpx files created from the GPS data, I'm also trying to figure out an alternate method.
Using six tracks that I took in Kirkwall over the course of the last week, I made a preliminary honesty trace. You can see a number of "choke points" (or else, points where my path crossed multiple times), which is the entire point of the exercise. It still needs some work to get it all figured out; as you can see, there's a massive red line that runs straight through St. Magnus Cathedral that's quite obviously not part of my route, and that's something that I need to figure out how to reconcile (I'm already close). The end goal is to not only teach myself how to do it, but to create a work instruction so that others can follow my lead in a manner that's more "open source" and, hopefully, a bit simpler than the original instructions from the Marines.
Monday, October 7, 2013
Brief Thoughts About LinkedIn
I started an account on LinkedIn a few months ago. I saw this article a few weeks ago, and found it quite interesting. My network continues to grow, and I think there's great value to reestablishing contact with other professionals with whom I've worked in the past. At the same time, it feels rather insular. If I end up finding a job through LinkedIn within the next few months, I may change my tune, but a lot of the things the article notes still hit close to home.
Wednesday, October 2, 2013
Improving Security in Public Places
Despite having been mostly engrossed in my recent close protection course, I couldn't help but hear about the Westgate mall attack in Kenya. As Kenyan and international authorities attempt to ascertain what went wrong, and how members of al Shabab were able to take over the mall, the RAND Corporation has two items which are worth your attention: an article that they first published in July of this year about the possibility of a Mumbai-style attack in the United States, and a 2006 technical report about the risk of terrorism at America's shopping centers. Both are worth your attention.
The challenge with security at malls and other public places with respect to terrorism is one of managing risks and balancing costs and benefits. In the case of the Westgate mall in Nairobi, or the 2012 Aurora theater shooting, or the Newtown school shooting, or the Washington Navy Yard shooting, the question isn't so much "Can we provide adequate security to ensure that this won't happen?" Rather, the issue raises several questions:
I worked for a now-defunct organizations that was, for all intents and purposes, a think tank. As such, information security was a big concern for that organization's risk management folks. At the same time, the staff needed to be able to share information with one another, and with partner organizations, so the type of aggressive security measures that might eliminate those risks weren't really an option - even if they were implemented, the risk management folks might run the risk of the staff finding ways to circumvent security measures that were preventing them from accomplishing organizational requirements. That became a constant balancing act for the folks involved in managing the risks of unauthorized disclosure of one sort of information or another.
Later, I worked for a now-defunct organization that performed vehicle maintenance. This organization didn't suffer from such overwhelming information security risks, but there was a much higher danger from terrorist attacks. Had the facility been completely locked down, it would have prevented the workforce from doing their jobs; as such, the risk management folks had to balance security needs with operational needs. Security measures that undermine operational performance are likely to lose risk management professionals the support of both the organizational leadership, and the workforce. As such, risk management is similar to counterinsurgency, in that it requires the tacit approval and cooperation of the "populace" in order to succeed.
In the case of public areas like malls, or parks, or shopping centers, one must question whether the areas in question are resourced to provide overwhelming security; but they must also ask whether that overwhelming security is commensurate with the actual threats in question, and the risks of those threats taking place. Despite occasional horrific events in public places in America and elsewhere, these events are so rare that potential dramatic upgrades in security often fail that cost/benefit analysis I mentioned earlier, both with respect to expenditure and opportunity/operational costs.
Of course, there are plenty of ways to improve security at individual facilities or venues, and many of these will be common across multiple locations. Experienced security practitioners can help organizational leaders to evaluate their threats, evaluate their risks, and put appropriate measures in place to mitigate those risks within appropriate costing boundaries.
The challenge with security at malls and other public places with respect to terrorism is one of managing risks and balancing costs and benefits. In the case of the Westgate mall in Nairobi, or the 2012 Aurora theater shooting, or the Newtown school shooting, or the Washington Navy Yard shooting, the question isn't so much "Can we provide adequate security to ensure that this won't happen?" Rather, the issue raises several questions:
1) What would adequate security cost?People like to look at the financial costs of these measures, because that's easy to quantify. What's more difficult to quantify, and often overlooked, are some of what I'll call the "opportunity costs", or perhaps "operational costs". As with a number of other factors, security requirements must always be balanced with an organization's ability to perform its purpose. Here are a couple of examples.
2) Is that cost commensurate with the likelihood of the threat?
3) If not, how much risk are we willing to assume?
4) Based upon that level of risk, what measures are we willing to put in place?
I worked for a now-defunct organizations that was, for all intents and purposes, a think tank. As such, information security was a big concern for that organization's risk management folks. At the same time, the staff needed to be able to share information with one another, and with partner organizations, so the type of aggressive security measures that might eliminate those risks weren't really an option - even if they were implemented, the risk management folks might run the risk of the staff finding ways to circumvent security measures that were preventing them from accomplishing organizational requirements. That became a constant balancing act for the folks involved in managing the risks of unauthorized disclosure of one sort of information or another.
Later, I worked for a now-defunct organization that performed vehicle maintenance. This organization didn't suffer from such overwhelming information security risks, but there was a much higher danger from terrorist attacks. Had the facility been completely locked down, it would have prevented the workforce from doing their jobs; as such, the risk management folks had to balance security needs with operational needs. Security measures that undermine operational performance are likely to lose risk management professionals the support of both the organizational leadership, and the workforce. As such, risk management is similar to counterinsurgency, in that it requires the tacit approval and cooperation of the "populace" in order to succeed.
In the case of public areas like malls, or parks, or shopping centers, one must question whether the areas in question are resourced to provide overwhelming security; but they must also ask whether that overwhelming security is commensurate with the actual threats in question, and the risks of those threats taking place. Despite occasional horrific events in public places in America and elsewhere, these events are so rare that potential dramatic upgrades in security often fail that cost/benefit analysis I mentioned earlier, both with respect to expenditure and opportunity/operational costs.
Of course, there are plenty of ways to improve security at individual facilities or venues, and many of these will be common across multiple locations. Experienced security practitioners can help organizational leaders to evaluate their threats, evaluate their risks, and put appropriate measures in place to mitigate those risks within appropriate costing boundaries.
Subscribe to:
Posts (Atom)