@jerry You might say how important it is for the cyber security folks and management to have a common picture of:
1. What is at risk? Usually it’s an organization’s assets, but can also involve costly side effects of a breach or exploit such as reputation risk, compromise of something classified or proprietary that the organization can be fined or sued over.
2. Why at risk? I.e., what threats are there, and how the value of a breach or exploit would be different for an attacker than for the organization.
3. How could whatever at risk be attacked? Consider the “attack surface” to extend out to include suppliers and customers, as well as the infrastructure hosting your cloud systems.
Based on those three, then consider and discuss the value of both types of mitigation:
Prevention: preventing the breach, exploit, etc.
Remediation: having resources & practiced procedures for after the breach, exploit, etc.
@allanfriedman As a former volunteer CERT instructor, I feel duty bound to provide a link where it says what CERT is about: https://www.fema.gov/emergency-managers/individuals-communities/preparedness-activities-webinars/community-emergency-response-team
Tl;dr: Imagine a scenario like: your neighborhood is in an area struck by some kind of disaster. [Imagine what you like: fire, flooding, earthquake, hurricane, tornado or whatever.] There’s no power, no phone service (landline or cell), and little if any water pressure. The street is blocked [debris, flood waters, fallen telephone poles or whatever]. It looks like smoke may be coming from a house down the street, and there’s no sign of any first responders.
Congratulations, you and your neighbors are your own first responders. Hopefully someone has taken a CERT class.
A scenario like that can sound like pure fantasy — until you’ve had to face something like that for real. Happened twice to me before I heard about CERT.
Not part of the CERT curriculum as such, but in situations like any of those scenarios, it’s useful to organize a neighborhood “pot luck” dinner using food before it spoils. And at least one neighbor’s off-grid means of cooking.
@dangoodin GDPR compliance is one thing to look for, as an indicator of privacy. Another thing to look for: which clouds do they use, and where are those data centers located. And of course: who owns & controls them.
All of those things are important in considering any app, software or service. Do any of those have ties to people or organizations or even countries that you do not trust or simply do not want to deal with? Or is information about any of those things opaque or not available?
@jerry Had that happen, as well as something similar and almost as annoying: when your email address gets on so many spammer/scammer lists that you keep getting lots of those messages — from ever-changing From addresses.
I generally recommend habitually going in and blocking every From address of every unwanted message, then trashing the message. Yes, tiresome, but at least you shouldn’t see more from those addresses.
Eventually, you may want to trash the affected email address and start using a new one instead.
That’s harder than you might want to believe if you haven’t done it before (which you may have if you came to depend upon using employer-provided email — until you changed jobs). It is really difficult to notify EVERY person and account (that you use the email address as a reference or identifier for) that you need to!
Planning for that ahead of time can help:
1. Get a domain (that you can manage the DNS for).
2. Get a business or family account at your favorite email provider (that you can create users for), and associate the domain to it.
3. Make the first email user of that account the email account manager (and go back and make it the domain manager as well). Use it for nothing else. Fix up the DNS with SPF, DKIM, and DMARC records referencing the sending SMTP servers of your email provider so that you (and only you) can actually send email from your domain.
4. Create at least one more user account and use it for everything else (as your public email address(es), for accounts and apps, etc., etc.) Keep track of every place you use it — so you can trash it in the future if you have to. Optionally: create aliases and give those out instead of the real usernames — being sure to keep track of where and when you use those. A password manager will be useful keeping pairwise track of email addresses/aliases and passwords.
5. If you ever need to ditch that email username, creating a new username on the same service with the same domain is less painful than changing services. Alternatively, you can swap the domain with a new one (being sure to also change the SPF, DKIM and DMARC records to match). Also, if you ever want to change email provider, that’s real easy: just move the domain over to your new email provider — where you’ve duplicated the domain names (tho you’ll still have SPF, DKIM, and DMARC records to change).
[Moving accumulated stored mail is left as an exercise!-]
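
An added example, not part of the original post: an offline check of the three TXT records that step 3 sets up, to rerun after any provider or domain change in step 5. The domain `example.com`, the DKIM selector `mail`, the provider include and all record contents are constructed assumptions.

```python
# Constructed sample TXT records, keyed by DNS name (assumed values, not from the post).
GOOD = {
    "example.com": ["v=spf1 include:_spf.provider.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "mail._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
}
WEAK = {
    "example.com": ["v=spf1 include:_spf.provider.example ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM/DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_email_auth(txt, domain, selector):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    # SPF: a domain must publish exactly one v=spf1 record (RFC 7208).
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        # Simplification: a record ending in redirect= is reported too; review by hand.
        last = spf[0].lower().split()[-1]
        if last != "-all":
            findings.append(f"SPF: ends with '{last}', not hard-fail '-all'")
    # DMARC: p=none only monitors; quarantine or reject asks receivers to act.
    dmarc = [parse_tags(r) for r in txt.get(f"_dmarc.{domain}", [])]
    dmarc = [t for t in dmarc if t.get("v", "").upper() == "DMARC1"]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    elif dmarc[0].get("p", "").lower() not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={dmarc[0].get('p')} is not quarantine or reject")
    # DKIM: an empty p= tag means the key has been revoked.
    dkim = [parse_tags(r) for r in txt.get(f"{selector}._domainkey.{domain}", [])]
    if not any(t.get("p") for t in dkim):
        findings.append("DKIM: no record with a non-empty public key (p=)")
    return findings

if __name__ == "__main__":
    for name, records in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_email_auth(records, "example.com", "mail"))
```

To audit a live domain, fill the dictionary from the TXT answers your resolver returns for the three names instead of the constructed samples.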