Thanks for Misusing My Personal Data!
15 months ago, I bought a house.
During the course of that transaction, I had to disclose personal information to:
- The finance company (two, since we dropped the first one)
- The insurance company
- The title company
I was required by Federal law to disclose information, including my:
- Birthday and date
- Social Security Number
- Full Name
You know, everything you might need to, you know, KNOW in order to steal my identity.
The business purpose for this was ostensibly to:
- Obtain credit information
- Review my financial records and assets
- Report a financial transaction to the IRS
And, it was ostensibly to be used ONLY in the course of doing business.
A year passes…
I get a “Happy Birthday” e-mail from:
- BOTH finance companies, even though I dropped one of them
- The insurance company
In addition, I got an actual birthday card in the mail from the finance company that we ended up using.
Two decades ago, I would have thought “how quaint!” and moved on.
However, in the days of identity theft, YOUR BIRTHDAY is a significant piece of non-public personal data that should be closely guarded.
If I had gotten a birthday card at the beginning of the month with a note that says “Hey, happy birthday this month! We know it’s your birthday, but we respect your privacy, so we’ve stored a generic representation of your personal data rather than your actual birthday.”
The reason storing my ACTUAL BIRTHDAY is NOT ACCEPTABLE is twofold:
- YOU HAVE NO REASON TO STORE IT. Once you’ve pulled my credit, sold me a house, and reported all of this to the government, there is no legitimate ongoing business need to continue to retain that information.
If your company stores data for which there is no valid, ongoing business purpose, you’re inviting a data breach.
- YOU PROBABLY AREN’T STORING IT SECURELY. Is my birthday in a spreadsheet, stored on your laptop that you take to your house every night, which someone could steal from your house, or even worse, steal from the back seat of your car when you stop to pick up dinner on the way home?
Don’t laugh – I worked for a company where this exact situation happened – a spreadsheet containing personnel records, including social security numbers, was stored un-encrypted on the hard drive of a company-issued laptop that was stolen out of the back of someone’s car while parked in a restaurant parking lot.
So hopefully not on a laptop, but, pursuant to GLBA or FCRA or HIPAA or a number of other laws, we should hope that my birthday is stored on a server that’s encrypted, logically-secured, physically-secured, logged, monitored, audited, sitting behind a firewall, etc. More realistically, it’s stored “in the cloud” in your company’s sales system.
In addition to appearing completely unprofessional, the situation gives rise to the following, UNCOMFORTABLE QUESTIONS:
- What else are you storing without my knowledge and consent?
- Who do you share it with?
- Is it all stored by social security number? I hope not, but that’s how businesses were run 30 years ago.
If WE NEVER DID BUSINESS AT ALL because MY WIFE FIRED YOU, then you have NO LEGITIMATE PURPOSE for storing my data, and ZERO REASONS to send me a birthday e-mail.
You know who you are…
Most data breaches result when companies store data that they don’t need, or store improperly, or both.
- Identify and catalog all systems that store Personally-Identifiable Information (PII) / Non-Public Personal Information (NPPI) / Protected Health Information (PHI) and other sensitive, personal data.
- Make sure these systems are secured properly – the Federal government provides guidance on securing financial and healthcare data.
- Audit the data regularly to make sure you are only storing what is needed for legitimate business purposes. This includes purging old data, as well as ensuring that you are not unnecessarily, permanently storing personal data fields.
- In most cases, a business is only required to retain business records for 3 to 7 years, depending on the type of business. If you have data older than that, you need to delete it!
- If you have data fields that are necessary, say, to perform a credit check, you need to store them temporarily, and then delete them when no longer needed. Those data fields should live only as long as the transaction, and no longer. 3 months to a year would be more than sufficient.
- If you want to store demographic information, or, you know, send birthday cards in a quaint attempt to appear personable, then at least use legitimate techniques to anonymize the data.
  - Don’t store the birth year at all (if not needed for demographics)
  - If you DO need demographic information, round the birth year to a multiple of 5
    - if y’=y then y’=y’+5
  - In your CRM system, set everyone’s birthday to the first of the month. If my birthday is April 22, store 4/1.
Send me a birthday card at the first of the month, and let me know that because you respect my privacy, you DO NOT STORE MY ACTUAL BIRTHDAY.
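The retention and birthday-coarsening rules above, sketched in Python as an added example (not code from the original post). The `CustomerRecord` fields, the function names, and the 90-day and 7-year constants are assumptions, with the constants picked from the ranges the text gives.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Assumed policy values, picked from the ranges given in the text.
TRANSIENT_TTL = timedelta(days=90)          # "3 months to a year"
RECORD_RETENTION = timedelta(days=7 * 365)  # upper end of "3 to 7 years"


def coarsen_birth_year(year: int, bucket: int = 5) -> int:
    """Round to the nearest multiple of `bucket`, never returning the true year."""
    rounded = bucket * ((year + bucket // 2) // bucket)
    # The text's rule: if y' = y then y' = y' + 5.
    return rounded + bucket if rounded == year else rounded


def coarsen_birthday(dob: date) -> str:
    """Keep only the month, stored as the first of the month (April 22 -> 4/1)."""
    return f"{dob.month}/1"


@dataclass(frozen=True)
class CustomerRecord:  # hypothetical CRM row
    name: str
    closed_on: date                      # date the transaction completed
    ssn: Optional[str] = None
    birth_date: Optional[date] = None
    card_date: Optional[str] = None      # coarse "send a card" date
    birth_year_bucket: Optional[int] = None


def minimize(rec, today, need_demographics=False):
    """Return the record as it may be stored on `today`, or None to delete it."""
    age = today - rec.closed_on
    if age > RECORD_RETENTION:
        return None                      # past retention: purge the whole row
    if age <= TRANSIENT_TTL:
        return rec                       # transaction window: exact fields still needed
    dob = rec.birth_date
    return replace(
        rec,
        ssn=None,                        # transient fields do not outlive the window
        birth_date=None,
        card_date=coarsen_birthday(dob) if dob else rec.card_date,
        birth_year_bucket=(coarsen_birth_year(dob.year)
                           if dob and need_demographics else rec.birth_year_bucket),
    )


if __name__ == "__main__":
    # Constructed sample record, not real data.
    sample = CustomerRecord("Pat Example", date(2019, 1, 15),
                            "000-00-0000", date(1980, 4, 22))
    print(minimize(sample, date(2020, 4, 1), need_demographics=True))
```

Run as a scheduled job over every system that holds these fields, this leaves a stolen export with only a month and, at most, a five-year bucket instead of a usable date of birth and SSN.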
Stores are out of bread (and tortillas).
Tortillas are easy to make, and they last about a week if stored in an air-tight zip-top bag.
- Combine 2 cups of flour, a pinch of salt, 3/4 cup of water, and about 3 tablespoons of fat (butter, lard, vegetable oil, olive oil)
- Roll into 1″ balls, and then flatten each ball into a small disc
- Use a floured tortilla press or a rolling pin on a floured surface to roll out each ball to 10″.
- In a lightly-greased skillet on medium heat, cook each one on both sides for about 1 minute per side.
Makes 8-10 tortillas.
Here are things you can do with tortillas:
- Sprinkle some meat and other toppings on half of a tortilla
- Sprinkle some cheese on it.
- Fold in half
- Grill or fry for 2-3 minutes per side, until the cheese melts and the tortilla is golden-brown on both sides
- Fajitas / Street tacos
- Cut your meat into strips.
- Grill or fry over high heat with onions and peppers
- Steam some tortillas to warm them, or use a microwave tortilla warmer
- Serve family-style with cheese, sour cream, pico, and other toppings
- Tear tortillas into strips
- Bake until crispy
- Cover with chili, cheese and other toppings
- Bake until cheese melts
- Roll / wrap – makes an excellent substitute for a sandwich. Lay out a tortilla, then stack on lunch meat, cheese, and other sandwich toppings, and simply roll it up.
- Thin-crust pizza
- Stack 2 tortillas, with some cheese sprinkled between them
- On the top tortilla, spread some pizza sauce, spaghetti sauce, or whatever you have lying around
- Sprinkle some cheese
- Add toppings
- Sprinkle some more cheese (do it, or you’re a communist)
- Bake for 10 minutes until the bottom tortilla is crispy and the cheese is melted
- Enchiladas. I’m not quite sure how that works, but my wife does. I’m sure you can google for a recipe.
- Lay out a tortilla
- Fill with beans, rice, meat, cheese and other toppings
- Fold carefully
- Take that burrito, and deep fry it
Toilet paper isn’t scarce. The raw material for toilet paper literally grows on trees. To MAKE it scarce takes layers of stupidity, each with its own nuances.
Not sure who all needs this, but here it is:
In the event that you run out of toilet paper…
Go to your local hardware store, and buy one of these:
This is a 1 gallon “garden lawn sprayer” that you can buy online for about $12, or it should be in your local big-box hardware store for about $16.
Note the angled wand…
After you buy a new one (DO NOT use the one from your garage), wash it out thoroughly.
When you go to the bathroom:
- Fill with warm water from the sink
- Close the lid, air-tight
- Pressurize by pumping the handle a few times
- Instant, portable bidet
This is cheaper than modifying your plumbing, and warmer than buying a bidet kit that connects to your toilet’s water supply.
That One Time I Expensed a Gun Case
Setting the Scene…
Back in the early 2000s, WiFi was far from ubiquitous.
- Most laptops and other mobile devices didn’t even support WiFi unless you added a PC Card.
- WiFi really sucked back then. Typical distances were maybe 50 feet through walls, or even up to 100 feet with a clear line of sight. If the signal was blocked by anything brick or metal, simply forget it.
- Back then, an access point and a “router” (firewall) were two different devices, making WiFi a little bit more difficult to configure, and much harder to secure.
At the time, the company I worked for sold software and consulting services for financial institutions, and it was normal for our company to have a booth at one of several technical or trade shows throughout the year.
One of the guys who worked some of those trade shows came to us and said “Normally, we get a single ethernet connection for internet access, and if we bring a router [firewall], we can at least share a single connection, but all these cables make it prohibitive to do anything productive. Can you guys think of a way that we could plug something in that would allow us to all use WiFi instead?”
One of my guys came up with the idea to get a router, an access point, some cables, a power strip, and some WiFi PC Cards, put all of it in a box, and pre-configure everything so that all you needed was power and ethernet.
We even had an extra-long uplink cable so that the box could be located almost anywhere, allowing you to be able to optimize the position of the AP to get the greatest coverage.
The only thing left was to figure out how to ship this thing across the country, repeatedly, without having to package it each time.
At the time, you could get a padded, hard-sided camera case for about $200, which was not going to fly, since IT was paying for it, and we had virtually no budget.
So we went to Wal-Mart to see if we could improvise.
After looking through almost the entire store with no luck, we happened to be in the sporting goods section, and what do you know? There’s a hard-sided, padded pistol case, with briefcase-style combination locks for about $20.
And that’s how I came to expense a gun case.
Of course, the poor fellow in Accounting who processed my expense report saw the receipt, which clearly stated “gun case” and was rather alarmed.
After a quick explanation, we showed him a picture of the case with the equipment inside, and everything was fine.
He did say that this was one of the most unusual expense reports he’s ever processed, but not THE most unusual, and you really have to wonder about that.
Because it looked like something that might contain nuclear launch codes, we called it the “Wireless Football”.
After a few faithful years of service, all the cables and PC Cards were looted by another department. By that time, it was kind of unnecessary, because most venues were starting to offer free WiFi and most devices had built-in WiFi cards.
We ended up re-purposing the router and AP to build a home VPN lab. The case sat around for quite some time, and I think we even used it a couple of times to ship equipment. Eventually it disappeared – either “appropriated” by another department, or thrown away during one of the many equipment purges.
Thanks to Aaron for the pictures!
In 1984, the battle for the future was fought in the present. Which of course is now in the past. In the movie, “The Terminator”, we saw the T-800 model 101 take round after round, and survive fire, crashes, and explosions as it carried out its mission to kill Sarah Connor.
In “Terminator 2: Judgment Day”, Sarah tells John that “these things are really hard to kill”, having narrowly been able to kill one at the end of “The Terminator”.
So that begs the question: If a Terminator (T-800) came after you… right now… in the NOW present… how would you kill it first?
It’s Sad When You Have to Show MacGyver How to Disarm a Bomb
Unfortunately, where the original show was clever and somewhat educational, the new show simply condenses most of the “MacGyverisms” into MacGuffinisms, omitting the science, process, and sometimes, even the basic concepts involved.
I’ve been meaning to write an analysis of how poorly the show depicts science and technology, especially computers and computing, and about how half of the crap he builds simply wouldn’t work.
However, when I watched S3:E9 “Specimen 234 + PAPR + Outbreak”, I saw something so egregious that I couldn’t let it pass without comment.
Having written about bomb myths and cliches, it was difficult to see past the flaws in the opening scene of this episode.
Setup: Mac and Jack are in a steel cage, locked with a lever padlock, to which THIS abomination was affixed (no pun intended):
Mac makes the statement that it would be too difficult to pick the lock without triggering the bomb.
Let’s Take a Closer Look
- First impression: Except for the fake “logic board”, which really appears to be some sort of analog IO controller, the bomb appears to be extremely low-tech. There are no (visible) motion triggers, no collapsing circuits, and no false leads. You could probably remove the “logic board” and simply direct-wire all of the other components. You might need a relay if the trigger circuit is normally-closed, and you might need a capacitor to boost the detonating current. With no visible antenna wire, and knowing that the steel cage probably interferes with a radio signal, there is probably no remote trigger.
- The MacGuffin board is obviously fake. Aside from the fact that there are data connectors in the lower-left and upper-right edges, the traces on the board itself are too small and fragile to carry a current that would be capable of detonating the blasting cap. Instead, the traces on the board would simply vaporize when triggered. Further, there appear to be two logic chips, one of which appears to be an ASIC. I mean… is this a PROGRAMMABLE BOMB??? Does it run “BOMB Operating System”, and at some point, you plan to upgrade to “BOMBOS 2.0”?
- The so-called trigger is a lever padlock. Ostensibly, if you attempt to manipulate the internal locking system, you either interrupt a circuit, or close one, triggering the bomb.
However, lever padlocks are all-metal, and to be clear, the lever-locking mechanism is also metal. So maybe the circuit is normally-open, and perhaps there is a small bit of plastic that will fall out if you fiddle with the lock, allowing a circuit to complete. This is unlikely, as the placement would be tricky, and most likely, the trigger wire would ground out against the lock’s metal body or lever regardless. Moreover, if the circuit is normally-open, you could simply delete the trigger by cutting one of the trigger wires.
Maybe the circuit is normally-closed, and fiddling with the lock will cause the trigger wire to disconnect from the lock’s body, triggering the explosion. Again, this would be tough to do without blowing yourself up by just setting the trigger in place.
In either case, how is their captor supposed to unlock the cage?? Perhaps he disables the bomb, removes the trigger wires, and THEN unlocks the padlock. All of this is too unnecessarily complicated and unreliable. A better approach would be to use a motion trigger, and perhaps a simple, normally-closed loop of wire around the door and frame of the cage, that acts as a secondary trigger if broken while attempting to open the cage door.
- The detonator appears to be a blasting cap, embedded in what appears to be a block of soap. Although the blasting cap appears to be real enough, the “explosive” looks strangely translucent-green. My wife says it looks like gel soap wrapped in cellophane, and she’s probably right. Although they obviously can’t and shouldn’t use real explosive, a little effort to make it look realistic would have been appreciated.
- The power source appears to be a “AA” battery. If so, it would have insufficient voltage to drive the “logic board”, and insufficient power (current) to detonate the blasting cap.
Maybe the battery is supposed to be a lithium battery, like the type used in photography flash bulbs, or a rechargeable such as the 18650. Both of these can deliver higher voltages and / or higher current over a short duration, which would definitely be sufficient to detonate the blasting cap, but would probably fry the logic board.
Since MacGyver can’t seem to figure this out, I’ll give him some help.
Here are several ways that he could disarm this device (in order of difficulty):
- Pull out the blasting cap. Because it’s coiled, there is a nice, long lead wire, which would allow you to position the cap far enough from the explosive, that it wouldn’t respond to the cap detonating.
Better yet, put the cap inside the keyhole of the lock, along with a small blob of explosive, and yank the trigger wire in order to blow the lock apart.
- Cut the blasting cap’s wires. One at a time. Cutting both simultaneously might allow one of the leads to short to ground, which could detonate the cap.
- Cut the leads from the power source. Cut the negative first, then the positive. This prevents the battery from creating a current surge across the negative terminal, if the positive lead is cut first. Although most devices are switched from the positive lead, if the positive lead is cut first, it leaves the negative lead and the circuit ground in contact with each other.
- Short the trigger wires across the terminals. This assumes that the circuit is normally-closed, and that there is some voltage flowing through the trigger wire at all times.
Conversely, if the trigger is normally-open, simply cut the trigger wires (one at a time, of course).
Not that he couldn’t easily pick a lever lock in short order using found tools, but…
Once the bomb is disarmed, the blasting cap could be used to blow up the lock.
Or, they could burn some of the explosive to melt the chain in order to get free, and then rig the rest of the bomb with a tripwire, set to actuate when their captor returns.