What to do? – A story about sexual aggression



Last night I was in a bar and saw one of my old Thai boxing students. She was really excited and wanted to talk to me.

Here is the conversation:

“Heee Fred! How are you? I need to tell you something that I’m really proud of!”

“Fine, thanks! Tell me about it then.”

“Some weeks ago I was in a bar with some girlfriends. We were enjoying our evening until a guy came to talk to me. He was really ill-mannered and impolite. I told him all evening to leave me alone, but he didn’t hear anything. He always came back to talk to me.”

“Yeah, a persevering lad you got there.”

“Yeah, too much so for my taste. At the end of the night he finally grabbed me by the arm and got me out of the bar.”

“Hmmm, and after?”

“I was beginning to fear the guy. On the spot I didn’t know what to do.”

“Yeah, for sure it’s always surprising the first time.”

“When we arrived on the street he finally grabbed my breast and tried to pull down my pants. The thing is that he never had the time to do it. During this short space of time, I saw three of his friends coming closer to us. I saw that I was in trouble. Then I instinctively remembered what you taught me in your courses: I bent my legs, I brought my body closer to his, then I straightened my legs and struck under his nose with my palm. Automatically he released me and held his nose with both hands, and his eyes were filled with tears. Then I ran for my life.”

“Yeah girl! I’m really proud of you! You did everything well; it’s exactly what you had to do!”

“Yeah, I’m really proud of myself too! For some days afterwards I was afraid to be in public, but I quickly got over it.”

“Imagine if you had let him rape you. You would probably have had many more aftereffects.”

… Etc…

I was indeed proud of her. It’s exactly what she had to do. First, there was a lad who was causing problems. He was persistent. She was aware of him. She knew that he could cause trouble.

At the end of the night he grabbed her. She knew that she was in trouble but was at first stunned by the lad’s action. Eventually she realized that she was being raped. Then she reacted to the situation. The only worthwhile action she could take to try to regain control of the flow of events was to strike her rapist, and strike hard. It’s exactly what she did. After that, she didn’t have to continue to strike him. She had to strike and run. She didn’t have to strike him again and again; otherwise there was a possibility of falling back into trouble. The only purpose of attacking the rapist is to have a chance to run and get help. She did it by the book and handled the situation perfectly. She struck him hard, and ran to get help.

It was essential that she try to get out of this situation by any means and not let herself be raped for fear of being hurt. It’s a question of psychology. If she does everything that she can to get herself out of this type of situation, she’ll know it and be proud of her reaction to the events. If she does everything in her power, she’ll be able to get through the aftermath more easily.

Now I’ll talk to the girls. Please, if you live through this type of situation, do exactly what she did. Try, with all your power, to get out of the situation. You need to seem aware, rude and ready to fight. Rapists, like many other stalkers, don’t look for combative prey; they look for docile and weak ones. If you don’t fit the pattern, they look elsewhere. If this doesn’t work and he continues, then strike, and strike really hard. The goal of striking isn’t to kill him; it’s just to take him down for a few seconds, the time to run for your life. You need to strike to destabilise him. What she did was excellent because, when the nose is struck, the eyes automatically fill with tears; it’s a natural reaction of the body. He’ll lose visibility and be out for a moment, and then you have the time to run. Another interesting place to strike is the testicles. Depending on your situation it can be with one of your knees or by squeezing them with your hands, etc. You can also poke his eyes, strike the Adam’s apple on his throat with your forearm, etc. If you are in a bar, you can always use a beer bottle to strike; it’s always effective and it will draw attention to you. Finally, do what you can in the situation you are in, but please, do something!

If you are interested in the subject and wish to learn more about self-defence, the psychology of criminals, awareness tricks and mindset, there is a huge literature on the subject. I’ll point out some interesting introductory works that are inexpensive and easy to read: Dead or Alive by Geoff Thompson, Defensive Living by Ed Lovette and The Gift of Fear by Gavin de Becker.

Take care.

For paranoiacs – Fractionate your information stream



Everybody will tell you that it’s good practice to change your password periodically. It’s definitely true. Any computer user must do it. Here I’ll describe something that paranoiacs must do.

Take a stream of information that you create over the years. Note that the stream isn’t continuous but partitioned, like a stream of email messages sent over time. If you encrypt the stream with a public-key encryption algorithm, you’ll be able to aggregate many messages from different sources. The thing is that if you don’t change your public/private keys, anybody who discovers your private key will be able to access your entire stream over time, if he logged it. This is a real problem if such a thing happens. That is why the concept of information partitioning is important. You only need to change your keys every n days, and if your attacker finds your current private key he will not have access to the whole stream of information. It’s a way to add security on top of the security provided by the cryptosystem.
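The exposure argument above, worked through as an added example (not code from the original post): it assigns each message of a logged stream to the key pair in force on its date and lists what an attacker can read after stealing the current private key. The weekly message stream, the 30-day rotation period and the theft date are constructed, and the `old_keys_destroyed` switch is an assumption added here to show that the partitioning only holds if retired private keys are deleted.

```python
from datetime import date, timedelta


def key_epoch(day, start, rotate_days):
    """Index of the key pair in force on `day` (always 0 if keys never change)."""
    if day < start:
        raise ValueError("day predates the first key pair")
    if rotate_days is None:          # one key pair for the whole stream
        return 0
    if rotate_days < 1:
        raise ValueError("rotation period must be at least one day")
    return (day - start).days // rotate_days


def exposed(stream, start, rotate_days, theft_day, old_keys_destroyed=True):
    """IDs of logged messages readable after the key store is stolen on theft_day.

    Assumes the attacker recorded every ciphertext and keeps recording, so
    messages sent after the theft stay readable until the next rotation.
    """
    stolen = key_epoch(theft_day, start, rotate_days)
    readable = []
    for day, msg_id in stream:
        epoch = key_epoch(day, start, rotate_days)
        # The current key is always stolen; retired keys only if still on disk.
        if epoch == stolen or (epoch < stolen and not old_keys_destroyed):
            readable.append(msg_id)
    return readable


# Constructed sample: one message a week for a year, theft on day 182.
START = date(2004, 1, 1)
STREAM = [(START + timedelta(days=7 * i), i) for i in range(52)]
THEFT = START + timedelta(days=182)

if __name__ == "__main__":
    cases = [
        ("keys never changed", None, True),
        ("30-day rotation, old keys destroyed", 30, True),
        ("30-day rotation, old keys kept", 30, False),
    ]
    for label, period, destroyed in cases:
        ids = exposed(STREAM, START, period, THEFT, destroyed)
        print(f"{label}: {len(ids)} of {len(STREAM)} messages exposed")
```
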

As I said, it’s for paranoiacs only. It’s just a little thought that came to my mind today; enjoy it.

Nuclear in the news today



There are two interesting pieces of news concerning nuclear security. The first one is from the BBC. The Kyrgyz authorities have arrested 2 men who tried to sell 60 small containers containing plutonium-239. Who said that terrorists or other criminal groups don’t have the power to find and buy such material? It is possible that the news isn’t true. It is possible that the Kyrgyz government invented this to prove something to the Russian or American government. However, personally I think that such a situation is possible. Think about it for 2 seconds. The CIA probably hasn’t had many agents in the Central Asia zone since 1980 or 1990. The US army has a base in Uzbekistan but they are confined there. We need to rely on local governments for such investigations and probably for world security. The problem is that they have their own problems. Is it possible that the Kyrgyz government arrested them? If it’s true, praise them. Is this the first time that criminals have tried to buy/sell such products on the black market? I doubt it. Why would a country where 80% of weddings are done with kidnapped women care about some criminals who sell/buy plutonium on its territory? The possibility exists, but I have doubts. What’s freaky is that we rely on such governments (the governments in Central Asia) to do the work that concerns us. We need to change our mentality and put our agents back in the field where things happen. When I say “we”, I mean the countries that care about their homeland security or countries that need to care about it.

[In addition to the post: 02 October 2004]
———————————————–

It was finally a false alarm. In reality it was supposedly 55 old-fashioned Soviet smoke detectors. I warned you in the first edition of the post that it was possible that this piece of news was not real or true. However, most of what I said on the subject remains.

———————————————–

The other piece of news is from SecurityFocus. They talk about cyber attacks against nuclear facilities. There are some interesting things that they said and that I want to think about. The fact: “Last year the Slammer worm penetrated a private computer network at Ohio’s idled Davis-Besse nuclear plant and disabled a safety monitoring system for nearly five hours. The worm entered the plant network through an interconnected contractor’s network, bypassing Davis-Besse’s firewall”. The solution they found to resolve the problem: “News of the Davis-Besse incident prompted Rep. Edward Markey (D-MA) last fall to call for U.S. regulators to establish cyber security requirements for the 103 nuclear reactors operating in the U.S., specifically requiring firewalls and up-to-date patching of security vulnerabilities”. It’s certain that they have problems with their firewalls and vulnerability updates. But for the specific case of what happened at Davis-Besse, the best firewall and latest updates would not have stopped the worm. Why? Because it propagated itself through the contractor’s network. The point here is to demand the same level of network security from their contractors. Any security system with a backdoor is not secure at all.

What if the contractor is bribed or threatened by a criminal group? Security is not just about firewalls and security updates. It’s more than that. You need to think about things that you don’t think about. It’s not just a process; it’s a way of thinking. It’s like making a great discovery. You need a mind shift, imagination. You need to understand how your enemies work and think. You need to understand how your employees work, think and react in certain situations. Personally I see a great deal of psychology in security (any type of security); am I paranoid? Security is not divided into distinct parts; it’s a whole.

There is hope when you finish reading the article:

“A working draft of the NRC guide reviewed by SecurityFocus would encourage plant operators to consider the effect of each new safety system on the plant’s cyber security, and to develop response plans to deal with computer incidents. Additionally, it would urge vendors to maintain a secure development environment, and to probe their products for backdoors and logic bombs before shipping.”

But as I said, this is not just a question of backdoors and logic bombs in software. However, they are on the right track, because we can see that they are concerned about their software development companies and their interactions with them.

There is no link between these two pieces of news. But I think that it’s a good opportunity to think about the problem. There are probably many things that I don’t understand in the situation, but if I base my thoughts on what I perceive, there is a real problem for world security.

Some thoughts and highlights on the Global Information Security Survey 2004 of Ernst&Young



Here are some of my thoughts and highlights that I wish to share with you about the Global Information Security Survey 2004 of Ernst&Young.

First, there is the surveyed population: more than 1230 enterprises in 51 countries. 22% of them have more than 1 billion in revenues and 56% of them more than 100 million.

One of the things that I need to point out in this survey is something I have already observed and posted about on this blog over the last 3 weeks: the management-based approach to security. It’s the importance of the employees as a security layer in the infrastructure of the system. Unfortunately, senior management is more trusting than prudent. This situation seems to be the root of many problems.

As many people think, one of the best security layers that an enterprise can have is its employees. Ironically, this same layer can also be the weakest link. The problem is that they need to be trained and educated in their role in the infrastructure as a security layer. If you do so, you’ll have one of your strongest links; otherwise, there is a good probability that this layer will be your weakest.

The main factor influencing the security of an enterprise is the senior management. It’s their decisions that will affect the security of their enterprise. If they don’t care, who will? This is the problem that I have pointed out many times before on this blog. First, we need to educate our top-level administrators and managers. After that, we’ll be ready to educate employees at other levels. However, the idea is not viable if senior managers are not aware of the situation.

The easiest and least expensive attack that can be performed to enter a system is exploiting the human factor. An attacker only needs one negligent employee to attack the whole system and get into it. Knowing that, it’s now easy to understand why it’s so important to educate every employee of an enterprise, from the concierge to the Board of Directors.

With that said, we can take a look at the numbers.

The interesting numbers are those related to the human dimension of security. You can see them on pages 13 and 14. Only 53% of the respondents train their employees in a security and awareness program. Don’t forget, it’s an important factor in the success of a security infrastructure. Only 56% train their employees to identify and report suspicious activities. Finally, 60% provide instruction to their employees on classifying data. The problem with the latter is that the biggest asset an enterprise tries to secure is its data.

Companies correctly identified insiders as the second highest rated threat. The problem is that they don’t do much to cope with this reality, as we can see in the results above. As said in the survey:

“Employee misconduct involving information systems”
cited as a distant second behind “major virus, Trojan
horse or Internet worms,” the top threat to organizations
– Less than 30 percent listed “raising employee information
security training/awareness” as a top initiative in 2004

As you know, security is a process. This means that you need to periodically upgrade and change the security policies to cope with the changing environment. The problem is that 39% of the enterprises in the survey fail to periodically review their security policies for compliance. Moreover, close to 70 percent [15% monthly, 16% quarterly, 8% semi-annually, 10% annually, 39% ad hoc, 11% never] of the respondents’ boards of directors failed to receive a quarterly report about the organization’s information security status.

According to Ernst&Young, the top obstacles to effective information security in 2004 are lack of security awareness by users, budget constraints or limitations, availability of skilled staff, difficulty proving the value of information security, and pace of information technology change. The first three can be overcome by education: the first by educating the employees of the enterprise, the second by educating the senior managers, and the third by talking with universities and other educational institutions to help them bring in programs that meet the needs of private industry. Three obstacles; one solution: education.

99% of the respondents have antivirus software, and yet 68% of respondents said that a major virus, Trojan horse or Internet worm resulted in an unexpected or unscheduled outage of their critical business systems in 2003. Why? Because of the insiders. They see an attachment in an email, they click on it. Another possibility is the lack of system upgrades. Think about Code Red or other major viruses.

Other interesting numbers are the ones about outsourcing. 28% of the respondents outsource information technology operation(s) to foreign-based solution providers. Note that the percentage grows to 46% for companies with revenues over 1 billion. The problem is that only 20% of the respondents conduct a regular assessment of their IT outsourcer’s compliance with the host organization’s own information security regulatory requirements. Moreover, only 30% of the respondents conduct a regular assessment of their IT outsourcer’s compliance with the host organization’s own information security policies. This is unbelievable but true. Companies have some type of security policies, but they don’t necessarily demand the same level of security from their foreign-based solution providers. I have some thoughts related to security in outsourcing that I’ll write about in a future post. As said in the survey:

– 80 percent failed to conduct a regular assessment of
their IT outsourcer’s compliance with the host
organization’s information security regulatory requirements
– 70 percent failed to conduct a regular assessment of their
IT outsourcer’s compliance with the host organization’s
information security policies.

I encourage you to read the whole survey. It’s really interesting reading and it succeeds in covering the whole subject. Moreover, the analysis done by Ernst&Young is short, accurate and readable without being boring. So, go on and enjoy the reading.

Social responsibilities toward violence



This is just a little thought about a piece of news that appeared on the BBC this week. This post is hard to write because anybody can read it, from anywhere on the planet, from any culture. The perception of violence varies greatly from one place to another, from one culture to another, from one social layer to another. I just want to warn you that it’s strictly a personal thought that doesn’t need to be shared; so read it with your own eyes, and if you don’t agree with it, then start a discussion and I’ll be happy to try to understand your point of view. Don’t be shy; I’m really open to others’ thoughts. It’s how I learn and it’s how I can adapt myself and survive in a new environment and situation.

So, have you read this article? This is just a story like many others. It’s in China but you can see the same thing anywhere else in the world. It’s not a question of race or religion; it’s a question of violence. It’s a question of people facing violence, pure violence. They probably had a motivation to do it, possibly none. That is not the point. The question I need to ask is: does everybody have a social responsibility toward violence? A couple of bums versus 80 other people. Two of them caused a bloodbath. Nobody reacted to the situation. They had knives? Clients had chairs, keyboards, probably some type of poles, etc. There were security guards. Nobody moved. For sure, no one knows how they will react in this type of situation before living it. Think about it. You, what would you have done in this situation?

Can we watch other citizens being slashed in front of us without reacting? Do we have the duty to try to do our best in these situations (and not just bow our heads)? I think it’s a good question for society. We need our society to be as secure as possible. Societies are not secure; they never will be. The point is not to live in a completely secure world. The point is to be aware of the problem, to study it and try to understand it. The real problem is that people play the ostrich and hide their heads in the sand. They don’t wish to see reality. Personally, here in Canada, that’s how it works. People don’t need to get stuck in other people’s stories. Personally, I think we are wrong to think this way. I think that we need to help other citizens if they are in danger. We need to help them as best we can and not fear prosecution. I also think that we need to teach this way of thinking to citizens and to our future generations. Really, I’m dreaming; I don’t think that a majority of Canadians agree with me, but it’s my point of view for the moment. What is lacking in Canada and probably in many other countries? The spirit of citizenship.

If I wish to have a sense of security in my community, I think that this same community needs to have a spirit of citizenship, and be able and have the courage to help me if I’m in trouble. I’ll do it for them, but will they do it for me?