It’s the Most Wonderful Time of the Year, Part I

As we sit in meetings and hear “yeah, so let’s circle back to that in the new year”, as we receive out of office emails, as we get quite literally bombarded with solicitations (to go buy things or donate money), we find ourselves yet again at the end of a calendar year, heading into “the holidays”.

It is “the holidays” because it incorporates a selection of them with a variety of observances and customs, and I can get behind any seasonality that involves getting together with the ones you love and eating things. Oh, and pretty lights.

This is also the time of year where you may be dragged into being tech support for a friend or family member and remember that it is an honor and a privilege: You Are the Techie Person. You get to say stuff like “it works on my machine” and “have you tried turning it off and turning it on again”. Practice holding your coffee mug in your non-dominant hand while gesturing at screens, it will help.

If, however, you do not want to spend all of your time at a gathering doing tech support, and you’ve allotted a specific amount of time to do the Good Work, here’s some suggestions. For all of these you should explain to the recipient what you are doing and why, so they understand when things change. It also means that they can’t wander off and leave you by yourself to play tech support (unless you, and they, want it that way).

15 Minutes

With 15 minutes, grab the phone(s) of the intended persons (WITH THEIR PERMISSION) and:

  • Ensure they are updated with the latest patches – this will help guard them against security issues and could help performance.
  • Adjust the text sizing/accessibility features as needed – sometimes these are hard or confusing to get to.
  • If the phone is a sea of apps, make sure they know how to search for apps and/or reconfigure their first page of apps to the ones they use the most.
  • Establish a family code word for human MFA – AI has gotten savvy and so if Grandma gets a call from her “Grandson” explaining he’s in jail / trapped in a town someplace else / needs money, Grandma can ask for the passphrase. The kid will know it, AI will not. (You may need to show Grandma some examples of AI real-time deepfakes, so she understands the abilities of the bad guys).
  • Depending on the state of the person and what kind of support you do, you may want to enable location sharing to you. If you do that explain why.

30-45 Minutes

With this additional time,

  • Make sure they are storing passwords someplace safe. IF THAT IS A PIECE OF PAPER, make sure they understand that that piece of paper needs to be hidden and not just hanging out and visible to anyone who visits the house. Pitch solidly for a password manager — the one Apple has built in is fine; Bitwarden is good too.
  • Make sure they understand to NOT STORE THEIR CREDIT CARD INFORMATION IN THEIR BROWSER. If they are doing that, walk them through why it needs to be removed, and teach them how to use Apple Pay or PayPal. Yes, this may take more than 15 minutes.
  • Walk them through how MFA works (if they don’t already know it) and ensure it’s set up for any/every instrument tied to money (bank accounts, shop/store accounts, subscriptions, etc.)

An Hour or More

  • Check to see if the router ADMIN password is unique and not the one the router shipped with. If it is, change it, make sure they add it to whatever they’re using to manage their passwords, and explain to them why (I find it useful to use the “Garage Door Opener” example: there was a thing a few decades back where folks discovered that if you bought a garage door opener and drove through neighborhoods eventually you’d find one you could open).
  • Make sure their Wi-Fi is not open for all – it should be password gated and that password should be stored accordingly.
  • If you have crazy amounts of time and inclination – let’s say you’re visiting from out of town and staying at the house a few days? –
    • Consider setting up a guest Wi-Fi and/or IoT Wi-Fi network. Separate things-that-touch-money from “smart” things (e.g., smart fridge, smart thermostat, etc.), and also separate “visitors”.
    • Go through browser hygiene on all machines – how cookies work, what you do and don’t get for them (explain that this is how Facebook knows you were shopping for boots).
    • Make sure machines are on auto-update for patches.
    • Consider getting a separate authenticator, and walking them through how and why to use that.
    • Explain passkeys.

Stocking Stuffers

  • Don’t plug your phone in to charge at any rando USB port. Instead, use a USB Condom. And with this, let the recipient know that they should never have to download an app just to charge their devices.
  • You can also get them a portable charger, especially if they travel a lot.
  • Bitwarden has a free tier but also for $1/mo or $3.33/mo you can get extras.
  • Ghostery is free but does accept donations.
  • Signal is free but does accept donations.
  • Credit Monitoring – even though we all get it “free” every time one of our accounts is compromised, it’s a good idea.
  • Authenticator Apps – Wirecutter and PC Mag have covered these.

Next post: why the Credit Monitoring is a good idea, and how to deal with the never-ending Data Breach issues.

Supply Chain Attack: an Explainer

I have told you to Do Your Updates, twice. A good example of why is the recent news about supply chain attacks in popular npm packages, which may mean nothing to you, and I figured I’d break it down.

Firstly, most folks understand that a supply chain is… a chain… of supplies. Tautology aside, it specifically means the chain of manufacturers, people, places, and companies through which various stuff flows to an endpoint. Let’s take my fake coffee shop, Bobbucks, as an example. Bobbucks sells fancy coffee and (of course) pastries. Bobbucks does not want to have to own individual bakeries in every city/county/country it operates in, because Bobbucks’ primary offering is *coffee*, not pastries. Therefore, Bobbucks contracts with local corporate bakeries across the world.

Those bakeries make pastries according to Bobbucks standards, but key ingredients are fairly universal: for example, flour. All of those bakeries need to get flour, and they probably don’t all get it from the same place across the world, but there’s a good bet they get it from the same place in a geographic region. We’ll take that part of the chain. Now we have Bobbucks, which contracts with Starbakers for pastries, which in turn contracts with Queen Guenevere Flour company. Queen Guenevere Flour company in turn gets the wheat from Alan’s Wheat Farm.

Those products don’t magically flow, though, so for this supply chain we need trucks, and trucking companies. The trucking companies that are used in each part of the chain are contracted between the two links, e.g., Bobbucks and Starbakers have one trucking company (probably more, but we’ll say one to make it easy) between the two of them; Starbakers and Queen Guenevere Flour may have a different one.

If someone wanted to attack this supply chain, they could do it at different spots, with different results. For example: if someone were to put some laxatives in the pastries at Starbakers, then Bobbucks is unknowingly buying laxative danishes and selling them to people, who will then get sick. Bobbucks will need to do some investigating to figure out where it’s coming from, would probably quickly find the culprit in the danishes, and push back to Starbakers. Now Starbakers has to figure out if it’s one of their staff, or one of their ingredients.

Maybe it *wasn’t* some gremlin at Starbakers, maybe it was a gremlin at Queen Guenevere Flour company putting laxatives in the flour. Or maybe one of the trucking companies. Each company has to spend time and money to figure out where it happened, to rectify it. In the meantime, people need to be notified to get their pastries elsewhere and to take Imodium.

Specious examples aside, you also see this not so much in supply chain *attacks* but in general “oopsies”, like when a farm has questionable fertilization practices and ships a bunch of lettuce with E. coli – which then gets washed and chopped up in a processing plant (but maybe not washed enough) — which then gets packaged up with authentic Pirate Frank’s packaging for all the Pirate Frank stores — which then ends up in your cart. How many food recalls have you seen lately?

“But Bobbie”, you say. “Bobbie, that is concrete hard things that move from place to place. How do you attack a software supply chain?”

By poisoning a package. Or several.

As we’ve discussed previously, it is not efficient for you, the developer, to create a formula every time you want to, say, convert Celsius to Fahrenheit. Someone else has done it and they’ve made it available for others to use, up in a registry. If you, a developer, need to create a shiny new website for your Ancient History Studies college courses, you would go searching for a package that already exists on the registry that, say, converts Julian dates to Gregorian dates (or vice-versa). You wouldn’t hand-code it yourself because you value your time and also your sanity.

That registry is visible and more importantly, open source. That means that if Person A has built that Julian to Gregorian date converter, and Person B has a Mayan Calendar conversion they want to add, they can publicly add to that package to make it more useful for them and others. That add is visible, and can be checked both by the registry and subsequent editors/adders/changers. There are all kinds of places and ways the content can get scrutinized.

For each fine cat, a fine rat. A particularly fine set of rats have gone to the very most popular packages – packages that handle string pattern matching, or prettifying things, or cleaning up things, or converting things – and put some poison in them. Sometimes the poison is to capture credentials (e.g., your logins or suchlike). Sometimes the poison is to silently watch what you do on your machine for ages to see if you go to any crypto sites (so it can grab your wallet) or banking or whatever. The little code injection captures what it needs and sends it faithfully off to the architect of this chaos, and sometimes you find out right away and sometimes you don’t.

The thing about supply chain attacks is that it isn’t just you, or a handful of yous. Much like with our flour analogy, those packages get used by Company A to build a thing which Company B buys, and uses in their thing that they in turn sell to Company C. Each of those companies has customers who use their products, and it’s possible a customer is a customer of all 3, so tracing back to “where did this come from and what is it doing” can take an appalling amount of time. Also, it’s not just one package. They use more than just one package. They may use dozens, or even hundreds, throughout a large product offering. And sometimes it’s a combined poison: part 1 of the poison is in package Foo, but part 2 of the poison is in package Bar, and engineers tend to use both Foo and Bar packages.
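To make the “where did this come from” problem concrete, here is an added example (mine, not from the original post) that reads an npm `package-lock.json` (lockfile version 3) and lists every dependency chain from your project down to a package at a version you have been told is poisoned. The lockfile contents are constructed for the example; the package names, versions and the `affected` set are placeholders, and the lookup mimics Node’s nearest-`node_modules`-walking-up resolution so nested copies of the same package are found too.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3); names/versions are made up.
SAMPLE_LOCK = json.loads("""
{
  "name": "history-site", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"date-lib": "^2.0.0", "pretty-lib": "^1.0.0"}},
    "node_modules/date-lib": {"version": "2.1.0", "dependencies": {"util-lib": "^3.0.0"}},
    "node_modules/pretty-lib": {"version": "1.4.0", "dependencies": {"util-lib": "^2.0.0"}},
    "node_modules/pretty-lib/node_modules/util-lib": {"version": "2.9.1"},
    "node_modules/util-lib": {"version": "3.2.0"}
  }
}
""")

def resolve(packages, from_path, name):
    """Find the lockfile entry Node would load for `name` when required from `from_path`:
    try <from_path>/node_modules/<name>, then walk up one node_modules level at a time."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""

def paths_to(packages, target, affected):
    """Return every chain root -> ... -> target@version whose version is in `affected`."""
    hits = []
    def walk(path, chain, seen):
        for dep in packages[path].get("dependencies", {}):
            dep_path = resolve(packages, path, dep)
            if dep_path is None or dep_path in seen:      # unresolved or cyclic
                continue
            ver = packages[dep_path].get("version")
            new_chain = chain + [f"{dep}@{ver}"]
            if dep == target and ver in affected:
                hits.append(" -> ".join(new_chain))
            walk(dep_path, new_chain, seen | {dep_path})
    walk("", [], set())
    return hits

if __name__ == "__main__":
    # Pretend an advisory says util-lib 2.9.1 was the poisoned release.
    for chain in paths_to(SAMPLE_LOCK["packages"], "util-lib", {"2.9.1"}):
        print("pulls in poisoned version via:", chain)
```

Note that the project never asked for `util-lib` directly; the chain shows which direct dependency to update or pin, which is the real-world version of “push back to Starbakers”.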

Once the real origin is figured out though, time is still of the essence. Companies and developers have to update to the last known good or the newest known good version of those packages, push those updates out to *their* customers, and *also* have to sanitize all their stuff, change their passwords, their 2FA/multi FA, etc. It’s not enough to take Imodium, you’ll also want a probiotic and lots of Gatorade. And you may stop getting pastries from Bobbucks.

So do your updates.

PS – “how were attackers able to poison the packages in the first place?” – Phishing. They sent official looking (down to the return address) scary mails to package owners telling them they had to update their 2FA credentials and used that data to gain access to multiple packages and locations. They sent the same kind of official mail, with lots of urgency in it, to lots of package owners, and lots of package owners fell for it.

DO NOT click links in official sounding scary emails. All of those that purport to come from your bank, or important places like this, have actual websites you can actually go to directly without clicking on specious links. Same thing goes for phone calls from “the bank”, “social security”, “the IRS”, etc. Thank them for calling, tell them you will hang up and call them back. Then call back on the phone number from the *website*, not the number they called you from. (The IRS doesn’t call – they don’t have anywhere near the human capacity for that).

The Great Protein Shake-Off

After discovering my favorite protein shake was accounting for 20-30% of my cholesterol intake for the day*, I did what anyone else would do these days: I publicly whined about it on Facebook and Twitter. This promptly got me two pieces of information: one, that my initial feeling that I should get off of Facebook because I wasn’t sure it was useful was incorrect, and two, a ton of my friends have a favorite protein shake.

The Great Protein Shake-Off is simple: all of the protein shakes must have LESS cholesterol per serving than my current (reviewed below). They must be vanilla flavored (chocolates vary too easily and anyone on the receiving end of a carob-y chocolate smoothie knows the gall-bitter disappointment of said variance). They will be mixed with my usual ingredients: mixed berries (frozen, available at Trader Joe’s), psyllium husks (a fiber additive, let’s not get into it), and unsweetened/unflavored soy milk.

Before we get into it: NO, I can’t use your favorite Almond milk or nut-based proteins. I’m allergic to tree nuts in a very go-to-the-Hospital, stop-breathing kind of way. Hence soy milk.

The Current: Designer Whey

With that, let’s look at the point of comparison, my protein shake for the last 3 months: Designer Whey in Vanilla. I can get this at my local Trader Joe’s for $11.99/container and each container has 12 servings, so call it $1/serving. It has a pretty basic vanilla-y flavor, not too rich and not too sweet; no aftertaste (which I like). It doesn’t tend to clump in the blender (which some do). I know we said we wouldn’t talk chocolate, but if you don’t have to worry about your cholesterol they do have a good chocolate flavor.


Nutrition-wise, we are looking at 18 grams of protein per serving, 2 grams of fat, 6 grams of carbs, and a whopping 60mg of cholesterol (*it says this is 20% of my diet. AHA recommended cholesterol intake for someone with cardiovascular issues is 200mg/day. So no, this is more like 30% of my daily allowance).

I was thinking I’d just go back to Labrada — they have Labrada vanilla shakes at my gym — only to discover Labrada has MORE cholesterol, not less, so I will be gifting my recent Labrada purchase to David the Awesome Trainer who makes me bring my crying towel to the gym.

Maybe he will let me get away with less than 100 push ups.

The Contenders

Here are the contenders, as recommended from Facebook and by direct message. (HEY – if you’re reading this and you have a favorite and it’s not here, please dm me — I’ll try it. I even ordered some stuff from the UK). I will review each one for texture, flavor, cost, aftertaste, and anything else that occurs to me is potentially useful for someone considering these.

  1. Vega Protein Smoothie in Viva Vanilla flavor: I’m about to go on a trip and this will be my protein shake for the duration. Review to come in roughly a week. Recommended by friend from high school (it’s a measure of my trust in her that I am not taking a back up). Purchased from Amazon.
  2. Gold Standard Whey in Vanilla Ice Cream. Recommended from friend at work who thinks 10 mile runs are nbd. Reminds me a little of you, Tolga. Purchased from Amazon.
  3. Nutiva Hemp Protein in vanilla. Also recommended from friend from high school (different friend). (Remember, I reached out on Facebook). Purchased from Amazon.
  4. Premier Protein Vanilla shakes. Recommended from best friend’s hubs (also very good friend), purchasable from Amazon and Costco. Couldn’t find powder so going with premixed.
  5. Decibel Nutrition Madagascan Vanilla. Recommended from David the Trainer. Purchased from Decibel directly (not available via Amazon) and shipping currently from the UK.

Next post in roughly a week: Vega Protein Smoothie. DM any recommendations to me via Facebook or on Twitter (handle: bobbie.conti).