<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" 
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
    xmlns:admin="http://webns.net/mvcb/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd">
	<channel>
<title>My RSS Feed</title><link>https://getsecure.com/index.html</link><description>Hot News&#x21;</description><dc:language>en</dc:language><language>en</language><dc:date>2025-03-31T21:12:08-04:00</dc:date><admin:generatorAgent rdf:resource="http://www.realmacsoftware.com/" />
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<sy:updateBase>2000-01-01T12:00+00:00</sy:updateBase>
<lastBuildDate>Wed, 29 Mar 2023 12:09:26 -0400</lastBuildDate><item><title>We&#x2019;re not Joking. Good EGGs are the SANE Approach</title><dc:subject>Relevant Rants</dc:subject><dc:date>2025-03-31T21:12:08-04:00</dc:date><link>https://getsecure.com/blog/files/6199b8398fe780e3b38ff49e477771e3-17.html#unique-entry-id-17</link><guid isPermaLink="true">https://getsecure.com/blog/files/6199b8398fe780e3b38ff49e477771e3-17.html#unique-entry-id-17</guid><content:encoded><![CDATA[<span style="font-size:16px; color:#000000;">I interrupt your normally scheduled program for breaking news. </span><span style="font-size:16px; color:#000000;font-weight:bold; "><br /><br />As promised: </span><span style="font-size:16px; color:#000000;">We are releasing exciting new research to the community featuring EGGs (Emergent Generative Generators) combined with SANE.<br /></span><p style="text-align:center;"><a href="https://www.day-con.org/resources/GoodEGGS2025.pdf"><img class="imageStyle" alt="Pasted Graphic" src="https://getsecure.com/blog/files/pasted-graphic.png" width="1224" height="652" /></a><span style="font-size:16px; color:#000000;"><br /></span></p><p style="text-align:left;"><span style="font-size:16px; color:#000000;"><br />Be safe. Talk soon.<br /><br />&nbsp;<br /></span></p>]]></content:encoded></item><item><title>The Good&#x2c; the Bad and the Ugly</title><dc:subject>Relevant Rants</dc:subject><dc:date>2025-02-03T13:46:49-05:00</dc:date><link>https://getsecure.com/blog/files/e71ee7767724433ada2f84c9170c4d01-16.html#unique-entry-id-16</link><guid isPermaLink="true">https://getsecure.com/blog/files/e71ee7767724433ada2f84c9170c4d01-16.html#unique-entry-id-16</guid><content:encoded><![CDATA[<img class="imageStyle" alt="AIm3b" src="https://getsecure.com/blog/files/aim3b.png" width="1600" height="1267" /><br /><br /><span style="font-size:16px; color:#000000;">Hey sports fans, here comes the next installment of AI Matters Unfiltered. 
I&rsquo;m still working through the AI Vendor landscape, looking for ways to develop system confidence without control (Trust Enhanced Risk Management anyone?). This prompted me to ping </span><span style="font-size:16px; color:#000000;"><a href="https://www.linkedin.com/in/piotr-cofta-bb7a0ab9/" target="_blank">Dr Cofta</a></span><span style="font-size:16px; color:#000000;"> and re-review his most excellent paper on becoming &ldquo;</span><span style="font-size:16px; color:#000000;"><a href="https://troopers.de/media/filer_public/ec/f0/ecf0a507-a8a2-4371-a17d-9d0b46f06679/tr12_day02_cofta_plumbers_of_trust.pdf" target="_blank">Plumbers of Trust</a></span><span style="font-size:16px; color:#000000;">&rdquo;. I love the concept and it&rsquo;s never been more relevant or needed. More to come soon, but for now do your homework and click the legacy links above.<br /><br />Speaking of plumbers of trust, I wanted to share some work I have been doing with two of our newest neighbors </span><span style="font-size:16px; color:#000000;"><a href="https://www.linkedin.com/in/hannah-feltz/" target="_blank">Hannah Feltz</a></span><span style="font-size:16px; color:#000000;"> and </span><span style="font-size:16px; color:#000000;"><a href="https://www.linkedin.com/in/vin-aragona/" target="_blank">Vinnie Aragona</a></span><span style="font-size:16px; color:#000000;">, who I have the distinct pleasure of working with at </span><span style="font-size:16px; color:#000000;"><a href="https://www.wwt.com/" target="_blank">WWT</a></span><span style="font-size:16px; color:#000000;">. The Artificial Intelligence Security & Compliance Ops Unit Technical Services (AI SCOUTS), as our team is known, has the coolest remit in the world. We focus on holistic Trustworthy and Responsible AI systems through their entire life-cycle. 
<br /><br />So, as a very special February valentine to the community, I present &ldquo;</span><span style="font-size:16px; color:#000000;"><a href="https://www.wwt.com/blog/the-good-the-bad-and-the-ugly" target="_blank">Exploitable Insight</a></span><span style="font-size:16px; color:#000000;">&rdquo; from WWT&rsquo;s AI SCOUTS. It's about ready to get all real up in here, if you know what I mean, because&hellip;AI Matters!<br /><br />#AIMATTERS<br /><br /></span>]]></content:encoded></item><item><title>Day-Con XVIII and Beyond...</title><dc:subject>Relevant Rants</dc:subject><dc:date>2024-12-31T17:39:38-05:00</dc:date><link>https://getsecure.com/blog/files/79a093df8b8f6e57643af3520b7e0789-15.html#unique-entry-id-15</link><guid isPermaLink="true">https://getsecure.com/blog/files/79a093df8b8f6e57643af3520b7e0789-15.html#unique-entry-id-15</guid><content:encoded><![CDATA[<span style="font-size:16px; color:#000000;">I interrupt your normally scheduled program for breaking news. </span><span style="font-size:16px; color:#000000;font-weight:bold; ">Day-Con XVIII crowned the Best Year Ever!</span><span style="font-size:16px; color:#000000;"> It's an inside joke for Day-Con alumni. Basically, once you reach a certain maturity level, every year you are still breathing is the Best Year Ever!<br />&nbsp;<br />I can honestly say, this was the best year ever. My Bliss Index is high, my stress level is low and I am rediscovering my passion for hacking. What a stellar way to head into 2025.<br /><br />Speaking of 2025, here is a sneak peek:<br /><br />1. We will be posting presentations and summit notes from Day-Con XVIII in the coming weeks.<br />2. The Deep Fake Justice League will be coming to a conference near you. There will be </span><span style="font-size:16px; color:#000000;"><a href="https://evilrobot.ai" target="_blank">games</a></span><span style="font-size:16px; color:#000000;">, because "something wicked this way comes"<br />3. 
Supply Chain Smoking, The "Glitch Index" and "The Good, the Bad, and the Ugly" blogs are in the queue.<br />4. Save the date for Day-Con XIX - September 13th, 2025 - Learn, Work and Play Harder in Dayton!<br />5. We will be releasing exciting new research to the community featuring EGGs (Emergent Generative Generators) combined with SANE.<br /></span><p style="text-align:center;"><img class="imageStyle" alt="Pasted Graphic" src="https://getsecure.com/blog/files/pasted-graphic.png" width="1224" height="652" /><span style="font-size:16px; color:#000000;"><br /></span></p><p style="text-align:left;"><span style="font-size:16px; color:#000000;"><br />Be safe. Talk soon.<br /><br />&nbsp;<br /></span></p>]]></content:encoded></item><item><title>The Dirty Dozen vs The Magnificent Seven</title><dc:subject>Relevant Rants</dc:subject><dc:date>2024-11-03T19:19:06-05:00</dc:date><link>https://getsecure.com/blog/files/8c2d1062b17150bbe32b99bd5d734b04-14.html#unique-entry-id-14</link><guid isPermaLink="true">https://getsecure.com/blog/files/8c2d1062b17150bbe32b99bd5d734b04-14.html#unique-entry-id-14</guid><content:encoded><![CDATA[<p style="text-align:center;"><img class="imageStyle" alt="AI2" src="https://getsecure.com/blog/files/ai2.png" width="526" height="323" /><br /></p><p style="text-align:left;"><span style="font-size:16px; color:#000000;font-weight:bold; ">Trustworthy & Responsible</span><span style="font-size:16px; color:#000000;"> Generative AI (Gen AI) is tough - Full Stop. Agreeing on what it is, or more importantly what it isn&rsquo;t, is also not easy. Perhaps that is the root of all the confusion. 
Without discussing the merits of any one stakeholder&rsquo;s position, perhaps we can pick one definition and then compare that against real world mission statements and Service Level Agreements (SLA&rsquo;s), Warranties and Guarantees.<br />&nbsp;<br />I have become fond of calling the 12 risk categories associated with Generative AI, as described in </span><span style="font-size:16px; color:#0B4CB3;"><u><a href="https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf">NIST AI 600-1</a></u></span><span style="font-size:16px; color:#000000;">, &ldquo;The Dirty Dozen&rdquo;. Distilled down to its essence, the document describes in detail how human beneficiaries could be harmed if a generative AI system fails. It has become my lens of choice when assessing Gen AI systems.<br />&nbsp;<br /></span><span style="font-size:16px; color:#000000;font-weight:bold; ">The 12 listed out:</span><span style="font-size:16px; color:#000000;"><br /></span><span style="font-size:16px; color:#000000;">1.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#000000;">CBRN Information<br />2.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#000000;">Confabulation<br />3.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#000000;">Dangerous or Violent Recommendations<br />4.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#000000;">Data Privacy<br />5.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#000000;">Environmental<br />6.</span><span style="font:9px Times, Georgia, Courier, serif; 
color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#000000;">Human-AI Configuration<br />7.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#000000;">Information Integrity<br />8.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#000000;">Information Security<br />9.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#000000;">Intellectual Property<br />10.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp; </span><span style="font-size:16px; color:#000000;">Obscene, Degrading, and/or Abusive Content<br />11.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp; </span><span style="font-size:16px; color:#000000;">Harmful Bias or Homogenization<br />12.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp; </span><span style="font-size:16px; color:#000000;">Value Chain and Component Integration<br /></span><span style="font-size:16px; color:#000000;">&nbsp;<br />Humans love stories. Armed with the Dirty Dozen I can have impactful and productive conversations with various stakeholders when discussing curated threat catalogs and control affinities. This approach has proven to be very effective when communicating complex concepts like &ldquo;AI Hallucinations&rdquo; (i.e. Confabulation) to the people responsible for securing these systems. Further, it allows me to be very prescriptive when discussing reasonable ways to address residual risk with compensating controls.<br />&nbsp;<br />A curated threat catalog is simply a list of bad things that have or could happen to an organization that would cause harm to their stakeholders. 
Historically, organizations focus more on risk management than threat catalogs. However, from a storytelling perspective people seem to gravitate to the threats regardless of the likelihood that the bad thing could happen. A proper threat catalog distills the world of threats into &ldquo;stories&rdquo; (aka. threat scenarios) of the most relevant threat items to your organization and stakeholders. What&rsquo;s in your threat catalog?<br />&nbsp;<br />System confidence is a combination of trust and control. In the absence of trust, control is all you have. By assessing specific threat catalog items against the harm they could cause, we can develop &ldquo;structured choice&rdquo; by supplying lists or groups of controls that have a high degree of affinity for addressing the harm that could be caused by said threat item. <br />&nbsp;<br />Once an organization decides to address its threat catalog items, it must actually choose the controls it will use to address residual risk. [Residual risk is the difference between the organization&rsquo;s current risk profile and the risk profile the organization wants.] Then the organization can leverage its understanding of control affinities to choose the best controls to mitigate the possibility or impact of a bad outcome for the organization. Compensating controls allow organizations to &ldquo;treat&rdquo; residual risk.<br />&nbsp;<br />When we put it all together, these are the types of informed conversations I can now have.<br />&nbsp;<br /></span><span style="font-size:16px; color:#000000;font-weight:bold; ">Client:</span><span style="font-size:16px; color:#000000;"> &ldquo;We want to use Generative AI to do something cool. But we want to make sure our system doesn&rsquo;t tell people to hurt themselves or others (bad things). We want to make sure that our system does not discriminate, exclude or insult its users (our stakeholders). 
We want to make sure we are good stewards of the world&rsquo;s limited resources (see hammer and nails). We also want it to be cost effective, safe, secure and easy to operate.&rdquo; [No tall order here ;)]<br />&nbsp;<br /></span><span style="font-size:16px; color:#000000;font-weight:bold; ">Me:</span><span style="font-size:16px; color:#000000;"> &ldquo;It sounds like you want to implement a new productivity tool and have a holistic view on Trustworthy and Responsible AI. Assuming you already have a mature governance foundation in place, you should start by validating your business case, agreeing to a list of bad things you want to protect against and putting controls in place that will provide a high degree of certainty in how it is operated.&rdquo;<br />&nbsp;<br /></span><span style="font-size:16px; color:#000000;font-weight:bold; ">Client: </span><span style="font-size:16px; color:#000000;">&ldquo;Yeah, that sounds about right.&rdquo;<br />&nbsp;<br />We now have a reasonable starting point and can move on to control selection. It&rsquo;s beyond the scope of this blog to talk about all the types of controls available to organizations. Suffice to say, one size does not fit all and there are many controls that can be used to provide the required system confidence. Much like threat catalogs, organizations should consider building their own curated control catalogs. These catalogs contain lists of controls that currently exist in the organization and some insight into their cost and maturity. <br />&nbsp;<br />One set of controls that are NOT often discussed, but should be considered, are Service Level Agreements (SLA&rsquo;s), Warranties and Guarantees. These are controls that attempt to boost system confidence via commercial remedies and assertions. 
This is where it gets interesting.<br />&nbsp;<br />Besides being a most excellent western, The Magnificent Seven is also what </span><span style="font-size:16px; color:#0B4CB3;"><u><a href="https://money.usnews.com/investing/articles/magnificent-7-stocks-explainer">Bank of America analyst Michael Hartnett</a></u></span><span style="font-size:16px; color:#000000;"> calls the market-dominating tech companies. I wondered what the leaders in technological change, dominance and influence consider Trustworthy and Responsible. More importantly, do they put their shareholders' money where their mouth is? So, I decided to collect and review their words:<br />&nbsp;<br /></span><span style="font-size:16px; color:#000000;">1.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#0B4CB3;"><u><a href="https://ai.google/responsibility/principles/">Alphabet</a></u></span><span style="font-size:16px; color:#000000;"> <br />2.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#0B4CB3;"><u><a href="https://aws.amazon.com/ai/responsible-ai/policy/">Amazon</a></u></span><span style="font-size:16px; color:#000000;"><br />3.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#0B4CB3;"><u><a href="https://www.apple.com/compliance/">Apple</a></u></span><span style="font-size:16px; color:#000000;"><br />4.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#0B4CB3;"><u><a href="https://ai.meta.com/responsible-ai/">Meta</a></u></span><span style="font-size:16px; color:#000000;"> <br />5.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; 
color:#0B4CB3;"><u><a href="https://www.microsoft.com/en-us/ai/principles-and-approach">Microsoft</a></u></span><span style="font-size:16px; color:#000000;"> <br />6.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#0B4CB3;"><u><a href="https://www.nvidia.com/en-us/ai-data-science/trustworthy-ai/">NVIDIA</a></u></span><span style="font-size:16px; color:#000000;"><br />7.</span><span style="font:9px Times, Georgia, Courier, serif; color:#000000;">&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="font-size:16px; color:#0B4CB3;"><u><a href="https://www.auvsi.org/elon-musk-donates-10-million-responsible-ai-research-program">TESLA</a></u></span><span style="font-size:16px; color:#000000;"><br /></span><span style="font-size:16px; color:#000000;">&nbsp;<br />My initial read is that there is an overabundance of platitudes and &ldquo;good words&rdquo; and little on commercial remedy or legal recourse should the vendor fail to deliver on their obligations in these vendor assurances. This exercise reminded me of another awesome movie, &ldquo;The Good, the Bad and the Ugly&rdquo;. Please make sure to check out my deep-dive review of The Good, the Bad and the Ugly in my next blog coming to a small screen near you because&hellip;AI Matters! 
<br /></span></p>]]></content:encoded></item><item><title>AI Matters: Hammers &#x26; Nails</title><dc:subject>Relevant Rants</dc:subject><dc:date>2024-07-23T09:04:38-04:00</dc:date><link>https://getsecure.com/blog/files/bf1e996792605e6b614d66268ea2db16-13.html#unique-entry-id-13</link><guid isPermaLink="true">https://getsecure.com/blog/files/bf1e996792605e6b614d66268ea2db16-13.html#unique-entry-id-13</guid><content:encoded><![CDATA[<p style="text-align:center;"><img class="imageStyle" alt="toolsoftrade" src="https://getsecure.com/blog/files/toolsoftrade.png" width="2289" height="2289" /><span style="color:#000000;"><br /></span></p><p style="text-align:left;"><span style="color:#000000;">Ever heard the old adage, &ldquo;When all you have is a hammer, every problem looks like a nail.&rdquo;?  It pops into my head every time I have a conversation about using AI (the hammer) to solve &ldquo;Wicked&rdquo; problems (the nails) in Cyber Operations. Don&rsquo;t get me wrong, I am stoked by the potential of (Generative) AI. The buzz is contagious. In some ways it feels like we are living in a modern Renaissance. A fountainhead of creativity, experimentation and insight, if you will. However, I am also a weathered practitioner and aspiring curmudgeon, who knows there is no such thing as a silver bullet. Responsible AI is not easy or cheap. Full Stop!<br /><br />Shouts out to </span><span style="color:#000000;"><a href="https://www.linkedin.com/in/sidragon1/" target="_blank">Chris Roberts</a></span><span style="color:#000000;">, as this post was inspired by a conversation we had and this line from his recent </span><span style="color:#000000;"><a href="https://www.linkedin.com/posts/sidragon1_ai-artificialintelligence-machinelearning-activity-7212467914317127680-VYdt?utm_source=share&utm_medium=member_desktop" target="_blank">LinkedIn post</a></span><span style="color:#000000;"> positing: &ldquo;Do we need A.I. to solve our problem? 
If so, why?&rdquo;<br /><br />To that end, I&rsquo;ve compiled a short list of observations and possible approaches you should consider when determining if using AI will actually solve a problem or create new problems to solve. <br /><br />1. </span><span style="color:#000000;font-weight:bold; ">Inertia and status quo </span><span style="color:#000000;">- In my experience, most organizations struggle with the fundamentals. Once they find a path that &ldquo;works&rdquo;, they resist change because it&rsquo;s &ldquo;good enough&rdquo; #statusquo. This is sad because it means people lose their ability to imagine the world of possibilities, by building a perceptual blind spot for seeing alternatives. Improving the fundamentals is always a good thing. Incremental changes are often more valuable than &ldquo;big bang&rdquo; projects or transformations that take months or years to complete. Optimizing existing workflows as a normal practice can yield more benefit/value at higher frequencies. However, you must proceed with caution, as the way to fail at scale is to automate a broken business process. Please don&rsquo;t make that mistake.<br /><br />2. </span><span style="color:#000000;font-weight:bold; ">It Takes a Village </span><span style="color:#000000;">&ndash; The key to creating a pipeline of cyber operations optimization candidates [aka Innovations] is to understand the &ldquo;Wicked Problem&rdquo; you are trying to solve. I mean really understand it. You should be able to explain it to a 12-year-old or an executive in a suit ;) If you need to role play that conversation this would be a good time to confer with your favorite chat bot. [Insert Phun Prompt Here: &ldquo;Explain to me as if I am a 12-year-old, why passwords are important but not executive friendly?&rdquo;]. Next, you will need to identify your core stakeholder community. 3-5 stakeholders will typically give you the perspectives needed to find critical mass and more importantly governance & resourcing support. 
Finally, you need to understand what motivates your key stakeholders, what they value and how they are graded. Ensure your Innovation candidate selection criteria and KPI&rsquo;s resonate with your stakeholders and your stories are tailored to them. Make it real to them when describing the possibilities of a new approach. Be disciplined and ruthless, once selection criteria are agreed. Move quickly with purpose.  Don&rsquo;t get distracted with &ldquo;bright shiny things&rdquo; that do NOT align with your selection criteria. Each use case should tell a story that appeals to at least 75% of your stakeholder community. Less than that and inertia will make it too hard to realize value in a timely manner. Move on from candidates that do not make the cut, without regret as there should be a continuous pipeline of other opportunities to be reviewed.<br /><br />3. </span><span style="color:#000000;font-weight:bold; ">Latent Capabilities &ndash; Take the easy wins first! </span><span style="color:#000000;">&ndash; Once you have a vetted pipeline of innovation candidates, it&rsquo;s time to determine if you can extract incremental value using the AI features or embedded capabilities already in place. This is most easily accomplished by reading the tin and looking for key words like BIG DATA, Behavioral Analysis, Machine Learning, Neural Network, LLM or (Generative) AI. It&rsquo;s very likely you have been using AI-enabled tools already. If so, how are they performing? If they are available but you aren&rsquo;t using them, why not? Of course, if capabilities were available and you weren&rsquo;t aware of them or there are commercial considerations, then we need to quickly determine what level of effort is needed to implement. If it doesn&rsquo;t pass the sniff test move on to the next candidate. Leverage your suppliers to educate but temper their claims with real world testing and assessment. <br /><br />What next? 
Look for opportunities to integrate, optimize and automate at scale for operational improvement, which could include AI force multipliers such as Security Co-Pilots, organizationally aware GPT agents or automated Hackbots. We will look at these use cases in future blogs.<br /><br />So, do we need an AI to solve our &ldquo;wicked&rdquo; problem? The simple answer is probably not. However, there are &ldquo;Wicked&rdquo; problems that AI can address and you should be looking for those opportunities too. Because AI Matters. Stay tuned.<br /><br /></span></p>]]></content:encoded></item><item><title>Day-Con XVII: Summit Notes</title><dc:subject>Relevant Rants</dc:subject><dc:date>2024-01-21T13:50:01-05:00</dc:date><link>https://getsecure.com/blog/files/07e507173446501959cf6150055952a1-12.html#unique-entry-id-12</link><guid isPermaLink="true">https://getsecure.com/blog/files/07e507173446501959cf6150055952a1-12.html#unique-entry-id-12</guid><content:encoded><![CDATA[<p style="text-align:center;"><img class="imageStyle" alt="cfys" src="https://getsecure.com/blog/files/cfys.jpeg" width="11558" height="3894" /><span style="color:#000000;"><br /></span><span style="color:#000000;">Once again, neighbors came together to discuss wicked problems and how the community could & should address them. The 17th annual event's tag line is </span><span style="color:#000000;font-weight:bold; ">"Chlorine for your soul!"</span><span style="color:#000000;">. 
Check out the summit notes </span><span style="color:#000000;"><a href="https://www.getsecure.com/resources/SummitNotes2023.pdf" target="_blank">HERE</a></span><span style="color:#000000;"> to learn more.<br /></span></p>]]></content:encoded></item><item><title>Future Shock: The Future of Fraud Today</title><dc:subject>Relevant Rants</dc:subject><dc:date>2023-11-11T09:40:00-05:00</dc:date><link>https://getsecure.com/blog/files/915f872d15b996cf443dc265ef955e9e-11.html#unique-entry-id-11</link><guid isPermaLink="true">https://getsecure.com/blog/files/915f872d15b996cf443dc265ef955e9e-11.html#unique-entry-id-11</guid><content:encoded><![CDATA[<img class="imageStyle" alt="pointoforigin" src="https://getsecure.com/blog/files/pointoforigin.png" width="2289" height="2289" /><span style="color:#000000;"><br /></span><span style="color:#000000;">Below is the abstract and link to the referenced material, including the presentation, from the </span><span style="color:#000000;"><a href="https://www.technologyfirst.org/toit-2023" target="_blank">Taste of IT on Nov 8, 2023</a></span><span style="color:#000000;">. This is the first release in the Future Shock series. [FYI: Mo was unable to attend so I presented his slides]. Enjoy!<br /></span><span style="color:#000000;"><br /></span><br /><span style="color:#000000;">"The presenters will discuss the evolution of Organizational Identity Fraud and the abuse of organizational identity assets from the beginning of the World Wide Web to its current incarnation. They will assess the state of organizational identity asset protection programs and answer the question &ldquo;Are organizations prepared for the world of software defined everything, nation state threat actors and coexisting with the Internet of Dangerous Things?&rdquo;<br /><br />The presentation will update the definition of Corporate Identity Assets and introduce relevant, novel, and forward-thinking threat catalog items associated with Organizational Identity Fraud. 
The presenters will articulate control affinities and practical life-cycle management practices for consideration, positing how transformational trends in mobility, computing and social media conspire to make organizations more vulnerable, while demonstrating how marketing, security and operations can join forces to turn the tables on their adversaries by becoming &ldquo;hard targets&rdquo;.<br /><br />Building on prior work published in 2006 (</span><span style="color:#0B4CB3;"><u><a href="https://www.sans.org/reading-room/whitepapers/engineering/corporate-identity-fraud-life-cycle-management-corporate-identity-assets-1650">https://www.sans.org/reading-room/whitepapers/engineering/corporate-identity-fraud-life-cycle-management-corporate-identity-assets-1650</a></u></span><span style="color:#000000;">) and 2021 (</span><span style="color:#0B4CB3;"><u><a href="https://www.sans.org/white-papers/corporate-identity-fraud-ii-future-fraud-today/">https://www.sans.org/white-papers/corporate-identity-fraud-ii-future-fraud-today/</a></u></span><span style="color:#000000;">), the presenters will share new research & insight that demonstrate multi-domain mayhem caused by abusing organizational identity assets and exploiting (hidden) dependencies! 
Further, they will share their methodology, findings, and novel & emerging threat catalog items (aka relevant use cases).<br /><br />Presentation Link </span><span style="color:#000000;"><a href="https://www.getsecure.com/resources/FS_FoFv2.pdf" target="_blank">HERE</a></span><span style="color:#000000;"><br /></span><span style="font-size:14px; color:#000000;"><br /></span>]]></content:encoded></item><item><title>Innovation Matters: Invisibility Cloak</title><dc:subject>Relevant Rants</dc:subject><dc:date>2023-10-05T13:10:23-04:00</dc:date><link>https://getsecure.com/blog/files/4ebc87f300f6eb6b3557657fbf4ef7a4-10.html#unique-entry-id-10</link><guid isPermaLink="true">https://getsecure.com/blog/files/4ebc87f300f6eb6b3557657fbf4ef7a4-10.html#unique-entry-id-10</guid><content:encoded><![CDATA[<img class="imageStyle" alt="toolsoftrade" src="https://getsecure.com/blog/files/toolsoftrade.png" width="2289" height="2289" /><span style="color:#000000;font-weight:bold; "><br /></span><span style="color:#000000;font-weight:bold; ">&ldquo;Wicked&rdquo; Business Problem:</span><span style="color:#000000;"><br /></span><span style="color:#000000;">The simple act of connecting a (high-value) device to a network (wired or wireless) exposes it to more risk. 
</span><span style="color:#000000;font-weight:bold; "><br /></span><span style="color:#000000;font-weight:bold; ">Innovative Approach:</span><span style="color:#000000;"><br /></span><span style="color:#000000;">Provide dynamic connectivity protection and resource sharing, in hostile environments, with no externally visible attack surface.<br /></span><span style="font-size:16px; color:#000000;">&nbsp;</span><span style="color:#000000;">&nbsp;<br /></span><span style="color:#000000;font-weight:bold; ">Vetted Solution:</span><span style="color:#000000;"><br /></span><span style="color:#000000;">BYOS&rsquo; human-friendly approach uses a physical dongle to effectively &ldquo;Cloak&rdquo; personal computing devices, rendering them invisible on the network and allowing them to connect with confidence.<br /></span><span style="color:#000000;">&nbsp;<br /></span><span style="color:#000000;font-weight:bold; ">Call To Action:</span><span style="color:#000000;"><br /></span><span style="color:#000000;">If you are interested in learning more, DM me on LinkedIn or check them out @ </span><span style="color:#000000;"><a href="https://www.byos.io/" target="_blank">BYOS</a></span><span style="color:#000000;"> [ Tell them Bryan sent you ;) ]<br /></span>]]></content:encoded></item><item><title>Innovation Matters: Ransomware &#x22;Kill Switch&#x22;</title><dc:subject>Relevant Rants</dc:subject><dc:date>2023-09-15T13:13:19-04:00</dc:date><link>https://getsecure.com/blog/files/c69924d2219153167f34d01c57bd785a-9.html#unique-entry-id-9</link><guid isPermaLink="true">https://getsecure.com/blog/files/c69924d2219153167f34d01c57bd785a-9.html#unique-entry-id-9</guid><content:encoded><![CDATA[<img class="imageStyle" alt="radicalthinking" src="https://getsecure.com/blog/files/radicalthinking.png" width="2289" height="2289" 
/><span style="color:#000000;font-weight:bold; "><br /></span><span style="color:#000000;font-weight:bold; "><br />&ldquo;Wicked&rdquo; Business Problem:</span><span style="color:#000000;"><br />Organizations running flat networks are especially vulnerable to high-impact attacks that rely on lateral movement like ransomware.<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br /></span><span style="color:#000000;font-weight:bold; ">Innovative Approach:</span><span style="color:#000000;"><br />The ability to move from a flat network to a layer-3 isolated (micro-segmentation) network (IT/OT) in a matter of hours with NO downtime or 3</span><span style="color:#000000;">rd</span><span style="color:#000000;"> party agent software.<br />&nbsp;<br /></span><span style="color:#000000;font-weight:bold; ">Vetted Solution:</span><span style="color:#000000;"><br />Airgap&rsquo;s elegant approach is truly innovative and worthy of consideration. Using DHCP to build a layer-3 overlay network, they can transform a legacy network into a virtual Purdue compliant environment. 
Prebuilt logic provides the ability to prevent ransomware propagation and introduces a &ldquo;kill switch&rdquo;, which can be activated in the case of a ransomware outbreak.<br />&nbsp;<br /></span><span style="color:#000000;font-weight:bold; ">Call To Action:</span><span style="color:#000000;"><br />Educate yourself on </span><span style="color:#000000;"><a href="https://go.airgap.io/detect-defend-deny-getsecure" target="_blank">Airgap's</a></span><span style="color:#000000;"> innovative approach to layer-3 isolation and segmentation.<br /></span>]]></content:encoded></item><item><title>Facilitated Innovation &#x26; Structured Choice</title><dc:subject>Relevant Rants</dc:subject><dc:date>2023-09-15T12:44:16-04:00</dc:date><link>https://getsecure.com/blog/files/95786f5907ee0241eff783326bc8ebff-8.html#unique-entry-id-8</link><guid isPermaLink="true">https://getsecure.com/blog/files/95786f5907ee0241eff783326bc8ebff-8.html#unique-entry-id-8</guid><content:encoded><![CDATA[<span style="color:#000000;font-weight:bold; ">What is it? </span><span style="color:#000000;"><br /></span><span style="color:#000000;">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; A field-proven methodology that identifies self-funding business cases and drives transformational change. I have used this method successfully in my practice for many years now.<br /></span><span style="color:#000000;">&nbsp;<br /></span><span style="color:#000000;font-weight:bold; ">How does it work? 
</span><span style="color:#000000;"><br /></span><span style="color:#000000;">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Facilitates a dialog with key stakeholders who can affect organizational change.<br />&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Aligns the organization&rsquo;s mission with stakeholder capabilities (known & latent).<br />&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Determines what MUST be true in order for the organization to achieve its mission objectives.<br />&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Optimizes value across diverse stakeholder communities.<br />&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Leverages rapid prototyping to Fail/Succeed Fast as measured against key proof points.<br />&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Delivers in 30-90 Day Proof of Value (PoV) sprints.<br />&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Produces a pipeline of Innovation Candidates to support a transformation plan of record.<br />&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Populates an organization-specific Curated Service Catalog that is fit for purpose and provides choice.<br />&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Institutionalizes a bespoke service selection methodology that ensures the Optimal Choice is made to capture Maximum Value as defined by the relevant stakeholders.<br /></span><span style="color:#000000;"><br />Here is an example of a Curated Service Catalog for the manufacturing sector:<br /></span><img class="imageStyle" alt="mfgexample" src="https://getsecure.com/blog/files/mfgexample.png" width="1920" height="1080" /><span style="color:#000000;"><br /></span><span style="color:#000000;"><br /></span><span style="color:#000000;font-weight:bold; ">So what?</span><span style="color:#000000;"><br />By distilling the world of possibilities down to business-friendly options, organizations can realize more value faster and at scale. 
I plan on sharing some of the most interesting, timely and relevant candidates via a new blog series called Innovation Matters. <br /></span>]]></content:encoded></item><item><title>Point of Origin Hacking (POOH)</title><dc:subject>Relevant Rants</dc:subject><dc:date>2023-09-05T07:59:43-04:00</dc:date><link>https://getsecure.com/blog/files/96935be562219a3a6a25da26c0dfd13c-7.html#unique-entry-id-7</link><guid isPermaLink="true">https://getsecure.com/blog/files/96935be562219a3a6a25da26c0dfd13c-7.html#unique-entry-id-7</guid><content:encoded><![CDATA[<span style="color:#000000;">Historically, infosec risk managers have stressed focusing only on the most likely and impactful threats. However, this practice often misses &ldquo;obvious&rdquo; vulnerabilities that lead to catastrophic failure. When realized, these threats are often branded as &ldquo;black swan&rdquo; events, which some believe could never be predicted. This lack of imagination is no longer acceptable, given advances in modeling and simulation capabilities. <br />&nbsp;<br />Rather, novel, forward-thinking and expanded threat catalogs need to be developed and adopted. This is the fundamental tenet behind POOH (Point of Origin Hacking). The concept goes like this: if you have a properly motivated adversary, they will (eventually) develop or obtain a (theoretical) capability that they will use against you. So, build systems that take into account theoretical vulnerabilities, as they will likely become practical in the fullness of time. <br />&nbsp;<br /><br /></span><p style="text-align:center;"><img class="imageStyle" alt="POOH" src="https://getsecure.com/blog/files/pooh.png" width="663" height="403" /><span style="color:#000000;"><br /></span></p><p style="text-align:left;"><span style="color:#000000;"><br /><br /><br />Example: In a post-quantum world, many encryption algorithms will be worthless as a protection mechanism. 
Knowing this, organizations should choose algorithms that are post-quantum secure.<br />&nbsp;<br />So the next time someone tells you that an alien invasion, zombie apocalypse and giant meteors are out of scope for your threat catalog, just remind them that those items look a lot like volcanoes, pandemics, unprovoked war, trucker strikes, train derailments, global warming... Plan accordingly, because you never see the one that gets you.<br /><br /></span></p>]]></content:encoded></item><item><title>Would you be embarrassed by your password&#x2026;or worse?</title><dc:subject>Relevant Rants</dc:subject><dc:date>2023-07-11T11:16:03-04:00</dc:date><link>https://getsecure.com/blog/files/52ef1ba6e565a3a4417c46c8b89f27ad-6.html#unique-entry-id-6</link><guid isPermaLink="true">https://getsecure.com/blog/files/52ef1ba6e565a3a4417c46c8b89f27ad-6.html#unique-entry-id-6</guid><content:encoded><![CDATA[<span style="color:#000000;">That was the nagging question in my head after hosting last month&rsquo;s security summit. It was seeded by a conversation with </span><span style="color:#0B4CB3;"><u><a href="https://www.linkedin.com/in/britton-white-739b966/">Britton White</a></u></span><span style="color:#000000;">, a security practitioner, who is trying to raise awareness of the very real threat posed by infostealers like Raccoon, Vidar and RedLine. Britton shared details of several incidents (use cases) leading to exposure of extremely sensitive information, including diagnostic medical records, like exam pictures. We also discussed the disappearing lines between work, home and &ldquo;play&rdquo; in a post-Covid world. What I found most interesting about these incidents were the reactions of the victims. They ranged from shocked disbelief to denial and everything in between.<br /> <br />Infostealers are a type of malware sold on underground forums and criminal marketplaces. Infostealers are part of a fascinating and growing ecosystem. 
Victims can be infected via phishing, compromised websites and interaction with infected files. Once infected, the victim&rsquo;s data is exfiltrated, packaged and sold. While the data stolen can vary, of special interest are authentication credentials like usernames and passwords. An excellent primer on infostealers can be found </span><span style="color:#0B4CB3;"><u><a href="https://www.secureworks.com/research/the-growing-threat-from-infostealers">here</a></u></span><span style="color:#000000;">.<br />&nbsp; <br />A common theme in many of the use cases involves organizations&rsquo; system credentials being compromised by infostealers installed on personal computing devices. Since many organizations allow users to access organizational systems from unmanaged devices, those systems can become collateral damage from an infostealer attack. Key personnel with privileged system access pose a special risk to organizations. Those users have a responsibility to alert their organizations of a breach; however, they are typically the last to learn they have been compromised!<br /><br />In a recent incident, I observed an interesting variant of the above scenario. Corporate security personnel were made aware of an infostealer incident involving one of their employees. It appeared the victim had been accessing corporate systems from an impacted personal computer. The corporate systems were protected via multi-factor authentication, but the victim&rsquo;s personal accounts were not. While the employee had an obligation to report the breach, that obligation did not necessarily apply to their employer. In fact, the corporate security team did not have a clear policy or procedure in place to deal with this incident. Therefore, they had to engage with HR, legal and compliance before finding a way forward.<br /><br />Of course, the right thing to do is to help the victim; however, the specific intelligence and how it is acquired matters. Does it contain stolen or doxed data? 
Does it fall under PII protections? Should corporations monitor their employees&rsquo; activity while not working? Are there any liability pitfalls? This type of intelligence will most assuredly contain compromised passwords associated with the victim. Those &ldquo;secrets&rdquo; can NEVER be unseen. Let that sink in. Best case, the victim is shown to use strong passwords but was still compromised. Perhaps they use simple, easily guessed passwords that frame them as lazy or ignorant. Or worse, what if the victim&rsquo;s password is a racial slur, sexually suggestive or otherwise prohibited by company policy? Malware, the gift that keeps on giving.<br /><br />What does a reasonable response to the growing threat of infostealers look like? Consider these four simple practices that could limit the negative impact of an infostealer attack:<br /></span><span style="color:#000000;">1.&nbsp;&nbsp;&nbsp;&nbsp; Don&rsquo;t do company business on personal systems<br />2.&nbsp;&nbsp;&nbsp;&nbsp; Don&rsquo;t use password vaults<br />3.&nbsp;&nbsp;&nbsp;&nbsp; Don&rsquo;t save credentials in your browsers<br /></span><span style="color:#000000;">4.&nbsp;&nbsp;&nbsp;&nbsp; Don&rsquo;t use embarrassing passwords<br /></span><span style="color:#000000;"><br />Unfortunately, convenience is the antithesis of security, safety and privacy. 
Please be thoughtful when finding your balance.<br /></span><span style="font-size:14px; color:#000000;"><br /></span>]]></content:encoded></item><item><title>State Of The (Snake Oil) Business: A Manifesto For Change</title><dc:subject>Relevant Rants</dc:subject><dc:date>2023-04-24T10:09:30-04:00</dc:date><link>https://getsecure.com/blog/files/34219b57e8416775c58de69aa35ae156-5.html#unique-entry-id-5</link><guid isPermaLink="true">https://getsecure.com/blog/files/34219b57e8416775c58de69aa35ae156-5.html#unique-entry-id-5</guid><content:encoded><![CDATA[<span style="color:#000000;">Ahead of this year&rsquo;s RSA Conference I have spent some cycles thinking about how far our industry has come, or more precisely, how little we have accomplished. The world is not a safer place, our systems are more complex than ever and threat actors continue to win while defenders burn out.<br /><br />The modern cyber security industry arguably started in the early nineties with the advent of the WWW. As organizations and individuals rushed to get &ldquo;online&rdquo;, little regard was given to basic security principles like Confidentiality, Integrity and Availability. Very few people understood how the underlying technology worked or, more importantly, how it could fail or be corrupted. The quest for subscribers and fear of missing out fueled exponential growth. &ldquo;Houston, we have a problem,&rdquo; but that realization was too late; the proverbial genie was out of the bottle. Never fear, we will use technology to &ldquo;fix&rdquo; technology. Passwords, AV, Firewalls, A/V and IDS to the rescue&hellip;<br /><br />I was one of the many who believed technology could save us from ourselves. In 1998 I started socializing a methodology I developed called </span><span style="color:#000000;"><a href="https://www.afirm.org" target="_blank">AFIRM</a></span><span style="color:#000000;"> (Active Forensic Intelligent Response Method). 
The following year I published a reference architecture & platform called </span><span style="color:#000000;"><a href="https://www.afirm.org/sane_final.pdf" target="_blank">SANE</a></span><span style="color:#000000;"> (Security Adaptive Network Environment), which was originally designed for the Air Force SBIR program. Notwithstanding my cringe-worthy obsession with acronyms, lack of an accepted taxonomy and a strong conviction that Y2K civil litigation would be a compelling event, it occurs to me that SANE is still relevant.<br /><br />25 years later, the market has caught up with the vision. A SANE platform is achievable. We could argue some of the nuances, but it effectively represents the capabilities organizations need to actively achieve a business-reasonable security posture today. However, between the FUD, Silver Bullets and the &ldquo;Illusion of Choice&rdquo; our industry is not driving positive change but expanding the status quo. How can we break this cycle? More swag bags, back-to-back meetings to justify airfare, copious badge scanning to feed next quarter&rsquo;s cold calls or dueling parties where the vendors outnumber the clients&hellip; I think not.<br /><br />Rather, consider adopting these simple principles when considering how you spend your limited resources:<br /></span><ol class="arabic-numbers"><li><span style="color:#000000;">Know what matters most. Understand your organization&rsquo;s mission, stakeholders and risk register. Effective governance is more important than technology. #CultureCounts</span></li><li><span style="color:#000000;">Don&rsquo;t be in a rush to buy more technology. If your tech is not &ldquo;optionally transparent&rdquo; it can easily become a liability. Leverage the latent capabilities present in your current estate. Consider removing two technologies for every new technology brought into your environment. #OptimizeValue</span></li><li><span style="color:#000000;">Humans matter. 
Make it easy to do the right thing and hard to do the wrong thing. #HumanFirewall</span></li><li><span style="color:#000000;">Automate whenever possible. Humans only need to be involved when discretion is required. Automate everything else. However, beware of automating a broken business process. That is a sure-fire way to fail at scale. #FailAtScale</span></li><li><span style="color:#000000;">Adopt meaningful metrics and score your decisions accordingly. Learn from your mistakes, as they are often very expensive. Treat them as an investment, not as an embarrassment. #MeaningfulMetrics</span></li></ol><span style="color:#000000;"><br /></span><span style="color:#000000;">This is my call to action and request to our industry leaders as they meet this week in San Francisco. Let&rsquo;s build SANE systems and protect what matters most!<br /> </span>]]></content:encoded></item><item><title>Zero Trust Doesn&#x27;t Have a Part Number&#x21;</title><dc:subject>Relevant Rants</dc:subject><dc:date>2023-04-12T11:24:44-04:00</dc:date><link>https://getsecure.com/blog/files/feacb47e7e7a215e159c9a8f78032cd1-4.html#unique-entry-id-4</link><guid isPermaLink="true">https://getsecure.com/blog/files/feacb47e7e7a215e159c9a8f78032cd1-4.html#unique-entry-id-4</guid><content:encoded><![CDATA[There is no part number or SKU for Zero Trust (ZT), regardless of what some vendors might want us to believe. Every organization's ZT journey will be different. However, there are some fundamental themes and key characteristics that most successful ZT travelers consider and adopt. 
<br />-They assume they are operating in a hostile environment &ndash; plan accordingly #securebydesign<br />-They don&rsquo;t rush to spend money on point products &ndash; pursue &ldquo;latent capabilities&rdquo; first #optimizevalue<br />-They make it easy to do the right thing and hard to do the wrong thing &ndash; leverage the human firewall #humansmatter<br /><br />High-level architectural principles can act as your North Star:<br />-Dynamic vs static<br />-Granular vs wholesale<br />-Automated vs manual<br />-Segmented vs flat<br />-Minimized attack surface vs porous perimeter<br /><br />Also consider the reality of how stakeholders use technology. &ldquo;The Perimeter is Dead. Long Live The New Perimeter. Identity!&rdquo; is my cheeky response to pesky stakeholders who want to access any application, on any device, anywhere. Digital identity for people and things plays an important part in creating a frictionless user experience without sacrificing system confidence. Practically speaking, &ldquo;Digital Identity&rdquo; MUST be considered as part of any ZT journey. <br /><br />So even though ZT doesn't have a part number, it doesn't mean your organization can't benefit from taking a ZT journey. Which path will you take?<br />]]></content:encoded></item><item><title>Bliss Index: A Reasonable Response?</title><dc:subject>Relevant Rants</dc:subject><dc:date>2023-04-05T18:03:16-04:00</dc:date><link>https://getsecure.com/blog/files/16c6275f66dbe1aacec8f4ef35a2ee73-3.html#unique-entry-id-3</link><guid isPermaLink="true">https://getsecure.com/blog/files/16c6275f66dbe1aacec8f4ef35a2ee73-3.html#unique-entry-id-3</guid><content:encoded><![CDATA[This morning I was honored and excited to be included on a <a href="https://www.linkedin.com/company/technologyfirst/" target="_blank">Technology First</a> cybersecurity panel. 
I was especially stoked to be on the panel with my old friend <a href="https://www.linkedin.com/in/brian-clayton-78086b13/" target="_blank">Brian Clayton</a> and fellow researcher <a href="https://www.linkedin.com/in/jeffalanhughes/" target="_blank">Jeff Hughes</a>. The panel's ambitious objective was to share practical advice on dealing with job burnout and ways to drive positive change that is "Human Friendly". We discussed practical ways to make it easy to do the right thing and hard to do the wrong thing with regard to all things cyber. The session was aptly named <a href="https://www.technologyfirst.org/event-4874481" target="_blank">"Cybersecurity &ndash; Team Burnout and Breaking the Cycle"</a>.<br />&nbsp;<br />The session was very interactive, with attendees sharing challenges, real-world experiences and the obligatory references to AI and Killer Robots. The group kept coming back to the human factors side of burnout, churn and operator effectiveness. Security metrics, SLAs, OLAs, role objectives and business outcomes are important to measure, but often tough to define, align and maintain. While it's beyond the scope of this post to catalog all the valuable insights shared, the one that hit home with me was the challenge of measuring "good".<br />&nbsp;<br />After I left the session, I kept thinking about measuring &ldquo;good&rdquo;. &ldquo;Good&rdquo; is too subjective, personal and doesn't scale. #FAIL On the flip side, tough problems are often worth solving. How good could it get if we could crack that nut? Perhaps the approach I am taking myself could be applicable. I have a very simple life journey navigation system, which I&rsquo;ve recently adopted. Simply put, I try to maximize my "Bliss Index" (BI) by working on projects that give me joy, with people that value my time and for the benefit of humanity. It's early days, but I find it is decisive, intuitive and removes much of the stress associated with being a cyber security professional. 
How good could it get if everyone had visibility to their own BI factors? Or visibility to their stakeholder&rsquo;s BI factors? Or if organizations aligned themselves to harmonize and amplify their BI versus creating BI conflict? &nbsp;<br />&nbsp;<br />So, I did the obvious thing and asked an AI (<a href="https://chat.openai.com/" target="_blank">chatGPT</a>) how to express BI - "The "Bliss Index" could be expressed as a measure of the level of happiness or contentment that an individual experiences in their life. It could be calculated based on various factors such as overall life satisfaction, emotional well-being, fulfillment of personal goals and aspirations, and positive experiences or moments of joy. The Bliss Index could be used as a tool to gauge the level of happiness in a population or to track an individual's happiness over time. Additionally, it could be used as a benchmark for policymakers to measure the effectiveness of programs or policies aimed at improving people's well-being and happiness."&nbsp;<br /><br />...out of the mouths of babes.&nbsp;<br />]]></content:encoded></item><item><title>FoFT: Virtual Kidnapping </title><dc:subject>Relevant Rants</dc:subject><dc:date>2023-04-03T07:12:59-04:00</dc:date><link>https://getsecure.com/blog/files/9e74b44b76df95464a45b0926d435931-1.html#unique-entry-id-1</link><guid isPermaLink="true">https://getsecure.com/blog/files/9e74b44b76df95464a45b0926d435931-1.html#unique-entry-id-1</guid><content:encoded><![CDATA[File under #FoFT (Future of Fraud Today) - Scammers are still out there committing Virtual Kidnapping (& extortion) by duping victims into thinking their loved ones have been kidnapped and threatening to kill them if they don't pay the ransom. 
This type of crime is not new (1880 hits on <a href="https://www.fbi.gov/@@search?SearchableText=virtual+kidnapping&searchHelpText=To+narrow+your+search%2C+select+a+content+type+option+listed+under+%E2%80%9CMore.%E2%80%9D+To+broaden+your+search+to+other+FBI+sites%2C+select+a+subdomain+listed+under+%E2%80%9CSource.%E2%80%9D&pageSize=20&page=1&sort_on=&sort_order=descending&after=" target="_blank">FBI.gov</a>). <br /><br />However, as criminals create more plausible "Deep Fake" scams and automate, they can scale up and become more effective. This in turn motivates more criminals to adopt the TTPs for profit. Here is a pretty <a href="https://www.youtube.com/watch?v=TDpGQIR7OYY" target="_blank">good primer</a> on how this scam works. If you dissect the components, it looks like a lot of other scams: unsolicited (inbound) communication, exploiting fears & creating urgency as they abuse some trust credential (caller ID). Many of our <a href="https://www.sans.org/white-papers/corporate-identity-fraud-ii-future-fraud-today/" target="_blank">current practices</a> to avoid such scams should be effective. However, if our humans are not aware and properly trained, they could easily become victims. <br /><br />Let's spend some cycles coming up with ways to make it easy to do the right thing and hard to do the wrong thing (like paying scammers). Until then, protect yourself and the people you care about by making them aware.]]></content:encoded></item><item><title>Hello Again</title><dc:subject>Relevant Rants</dc:subject><dc:date>2023-03-29T12:09:44-04:00</dc:date><link>https://getsecure.com/blog/files/6158814aa76b6a22f85799e0c51473ea-0.html#unique-entry-id-0</link><guid isPermaLink="true">https://getsecure.com/blog/files/6158814aa76b6a22f85799e0c51473ea-0.html#unique-entry-id-0</guid><content:encoded><![CDATA[Hello World!]]></content:encoded></item></channel>
</rss>