Author: brandonworkentin

Cybersecurity, Hackers, and Our Educational System

Brian Krebs posted a relatively long article entitled, “Why So Many Top Hackers Hail from Russia.” (https://krebsonsecurity.com/2017/06/why-so-many-top-hackers-hail-from-russia/) He cites conventional wisdom as saying that one reason is that, “[Russia and parts of the former Soviet Union] have traditionally placed a much greater emphasis than educational institutions in the West on teaching information technology in middle and high schools,” and says that his post will “examine…that assumption by examining a breadth of open-source data.” His analysis centers on two main areas. The first is computer science-focused standardized testing in the U.S. and Russia, and the second is the curriculum taught in the two countries.

Since Brian Krebs is not an expert on educational systems, either the U.S.’s or Russia’s, he makes some false assumptions and ends up with a flawed analysis. I now work in infosec, but I also have an Education degree and taught middle and high school for about five years. I also have a son who is now in college and on track to get a degree in cybersecurity and networking. This gives me a unique perspective as compared to most infosec folks.

In the testing area, he compares the Advanced Placement (AP) Computer Science exam in the U.S. to the Russian Unified National Examination on Informatics. Krebs makes a big point out of the fact that 60,000 Russian students each year take the Informatics exam, while the U.S. had 270,000 students take the AP Computer Science exam in the ten years between 2005-16, or about 27,000 students per year. This simple analysis ignores the differing purposes of the two exams. In Russia, the Informatics exam is required for admission to Informatics programs in universities (http://www.cs.cmu.edu/~cfrieze/courses/a14-khenner.pdf). The AP exam, however, is for students who are in high school but want to get college credit for their high school coursework. You take a class (and AP classes are almost solely focused on passing the associated AP exam), then you take the test and, if you score high enough, you can receive college credit. While it is possible to take an AP exam without having taken the associated course from an AP-credentialed teacher, this is very rarely done.

These differing purposes lead to vastly different audiences for the exams. For example, my son just finished his first year at a local college. He graduated high school early, and so this weekend, when his friends are getting their HS diplomas, he’s already taken a host of IT-focused courses, ranging from programming to database administration to how computers work (CompTIA A+). He will not take the AP exam because it is simply irrelevant and redundant for him. There’s at least one other person who’s taken some of the same classes he’s taken at the college who is only 15, as well. The other kid doesn’t have a high school diploma yet and is taking the college coursework under a dual-enrollment program. While not normal, this is also not unusual. Every state has some kind of dual enrollment program which can be accessed by students (http://www.ecs.org/dual-concurrent-enrollment-policies/). These aren’t new, either. I graduated high school in 1998 and was only a couple classes shy of an Associates degree through Washington state’s program, although I focused on mathematics at the time and not information technology.

Additionally, students going into the military directly out of high school may not take an AP computer science exam, even if they are planning to go into an IT-related field. These students would take the military’s ASVAB test. Although it does not have an area specifically focused on computer science, its “Skilled Technical” test area is used to qualify for IT-focused service areas (https://www.goarmy.com/learn/understanding-the-asvab.html).

Krebs then goes on to talk about the content of the Russian Informatics curriculum and compares that to the content of the AP computer science exam. Alan Paller, director of research for the SANS Institute, tells Krebs that the Russian curriculum and exam is more hands-on and the AP curriculum is more abstract and contains almost no programming requirements. Again, this misses the purpose of the AP exam. It is meant to replace an introductory computer science course in a university. It is not meant to be a well-rounded curriculum focused on ensuring students are ready for a career in a computer science field. All the other courses a computer science student would take at university contribute to that purpose. Also, the AP computer science curriculum is not a comprehensive, multi-year curriculum.

The Computer Science Teachers Association has comprehensive, kindergarten-through-grade-12 (K-12) standards (https://www.csteachers.org/page/CSTA_Standards). These include such things as a K-2 standard to, “Decompose (break down) a larger problem into smaller sub-problems with teacher guidance or independently.” This is the kind of standard which is age-appropriate and also has direct application to learning programming later. The 3-5 standards specifically refer to programming, such as to, “Use mathematical operations to change a value stored in a variable.” Whether these standards are widely adopted in the U.S. is another question (and gets into politics and states’ rights and other areas), but they are more appropriate to compare to a multi-year curriculum like Russia’s Informatics curriculum than the single AP course’s curriculum.

Krebs also compares the number of students taking the AP Computer Science exam to the number taking other AP exams, with almost 58,000 taking the computer science exam. Krebs compares that to the more than 500,000 taking the AP English exam, and that, “some 159,000 students went for an AP test called ‘Human Geography.'” Again, I’m not sure that Krebs understands the reasons behind these numbers. The Human Geography test is mostly taken by ninth-graders (see the chart in Krebs’ post). The reason for this is that it is usually taken by freshmen as the AP equivalent to the general 9th-grade social studies course. So, students who are expecting to go to college will get tracked into the AP Human Geography class for their social studies course if it is available, and it is therefore the first AP course many students take. The other courses Krebs highlights as having a large number of test-takers are required for both high school and college graduation. When you remember that the purpose of the AP exam is to serve as college credit in that subject area, it is only logical that there would be many more test-takers in subjects which are required by both high schools and colleges.

The topic of education is near and dear to my heart, and while I think that computer science education in the U.S. does need to improve, it is important to use statistics for the purpose they were compiled. Comparing the number of students taking tests which have two different purposes will lead to skewed analysis, and comparing a multi-year curriculum (the Russian Informatics curriculum) to a single course’s curriculum (AP Computer Science) will also lead to skewed analysis.

Bad Stats – Cyber-Value Connection Report

CGI, a multinational cybersecurity and business consultancy, released what they call The Cyber-Value Connection report. This is a white paper focused on the relationship between data breaches and the shareholder value of companies. CGI says that their study shows “that share prices fall by an average of 1.8 per cent on a permanent basis following a severe breach. To put that in context, investors in a typical FTSE 100 firm would be worse off by an average of £120 million.” Unfortunately, there are many problems with their analysis, and most of them stem from the poor use of statistics.

Just Trust Us

One common problem that occurs when an organization releases a white paper is that they say the analysis is based on data, but they do not release that data. Companies will try to add an academic veneer to their work, such as CGI referring to Oxford Economics developing “analytical methodology to examine share price movements in companies that experienced cyber breaches.” An actual academic paper would release the data used, though, so that other analysts or researchers would be able to verify the results and, critically, develop alternative explanations for those results which may better fit the data.

Two thirds of companies had their share price adversely impacted, in comparison with their peer group, after suffering a cyber breach.

If a full third of the companies surveyed had their share price positively impacted, that raises questions right off the bat. Does that mean that, in some cases, having a data breach is positive for a company? Or, more likely, does that mean that there is not really a strong correlation between what a share price will do and whether or not a data breach happened? Since the data supporting their finding is not released, we can’t say for sure.

Even Though We Make Stuff Up

Another common problem in white papers written to seem more academic than they are is that they create their own definitions. Compounding the problem, they put that alternative definition in a footnote, which readers often skip; this is a technique which can be used to hide the fact that you are using a non-standard definition of the term.

In this study, the term ‘breach’ is used to describe any form of major cyber incident.

This doesn’t match up with what most security practitioners would say a breach is. For one, breaches do not have to be “major”. More importantly, a breach is usually taken to mean that data has been viewed or stolen by an unauthorized person. There are other types of cyber incidents, however. For instance, a DDoS attack would not generally be considered a data breach. Ransomware may not, either. And, of course, something like the 2015 and 2016 power outages in the Ukraine would not be considered data breaches. Those would all be cyber incidents, though. It is important when trying to do academic work, or in this case pass something off as a rigorous study, that terms be used appropriately.

The Scale on a Graph Matters

Another misleading technique somebody might use is to change the scale on the x- or y-axes of a graph. In this report, they did that by making the absolute distance different for each of the axes, even though both of them are showing comparable subjects.

[Image: BadStats – Cyber-Value Connection 1]

In this graph, performance above or below the company’s peer group prior to the incident is on the x-axis and performance above or below the company’s peer group after the incident is on the y-axis. But, the value of 10% on the horizontal axis is quite a bit further out than on the vertical axis. This serves to make the data look more like a line of best fit would really be appropriate. We can look at what the graph would look like if the scales were not skewed, though.

[Image: BadStats – Cyber-Value Connection 2]

This makes it look less like a line could be fitted neatly going from the lower-left quadrant to the upper-right quadrant. In the second graph it looks more like a big blob in the middle. While that isn’t the largest problem with this white paper, and this misuse of the scale isn’t as blatant as other bad graphs, any time you see a graph which skews the scales like that, it should raise a red flag in your mind that they may be purposely trying to mislead you.

Extrapolation Can Lead You Astray

There are several times where CGI applies their findings to “a typical FTSE 100 firm,” saying that the 1.8% loss in market capitalization would equate to a £120 million loss in value.

The problem is, there is nothing in the data presented which would lead one to conclude that a “typical FTSE 100 firm” sees that 1.8% drop. The FTSE 100 are the 100 companies on the London Stock Exchange with the highest market capitalization. The CGI white paper luckily includes an appendix on the methodology they used. In there, they say that they, “focus on 65 ‘severe’ and ‘catastrophic’ breaches occurring since 2013 across seven global stock exchanges.” In statistics, if you extrapolate outside of the data set you actually used, then the possibility of errors occurring increases dramatically. If they stayed within the data set they used, then we would say they were interpolating the data, which is much less likely to introduce errors into your analysis.

CGI could have found the average market capitalization of the companies on those seven exchanges and then found what 1.8% of that average market cap would be. This would have been interpolating from the data. But, this would lead to a much smaller dollar value and CGI would no longer be able to use that “£120 million loss in value” line, as they did several times throughout the white paper.

CGI does include in the article the country of the ten firms which had the largest percentage drop in share price. The top two companies both came from the UK, but none of the other top ten did. Maybe this means that the two “worst” companies were from the FTSE 100 and the £120 million number should be higher. Or maybe those two weren’t even in the FTSE 100, and smaller companies had larger percentage effects. Since the data was not released, we cannot know the answer.

Playing with Timelines

CGI also played with timelines. They used two cases to demonstrate their idea that share prices dropped.

[Image: BadStats – Cyber-Value Connection 3]

[Image: BadStats – Cyber-Value Connection 4]

The problem with this analysis is that the stock market is not a four-week-long process. It is quite likely that the price would have rebounded in the following weeks (for example, see this Harvard Business Review article which discusses just that phenomenon). By creating this artificial cutoff of the timeline, the results can be very misleading. CGI’s description of that second graph also refers to a “UK communications firm.” Their largest effect, where the share price fell by -15%, was also said to be in the UK Media and Communications sector. So, it is likely that they cherry-picked their most dramatic example for creating this graph.

CGI also plays with timelines in the next graph they show, although in a different way.

[Image: BadStats – Cyber-Value Connection 5]

This time, they show the percent impact on a firm’s share price as being worse as time goes on. But, since they decided to combine 2015 and 2016 into a single entry, it makes me wonder why they would do that. One explanation would be that 2015 actually had a big jump, but then 2016 had a regression back towards where the 2014 effect was. This would not work with the FUD they’re trying to sell about things getting worse, and so they would need to combine those two years. Personally, I cannot see any other reason to make the graph this way.

Their next graph, like the line graphs of share price over time, also uses an artificial cutoff date. There is no logical reason to use an arbitrary day of the week to perform this analysis. Assuming CGI’s hypothesis is correct, then why wouldn’t they compare 7 days after the breach instead of on Friday? Or why not pick the Wednesday after the breach to focus on? There’s no real explanation for why the Friday following the breach is significant.

[Image: BadStats – Cyber-Value Connection 6]

Data & Results Aren’t Important Enough to Talk About

Another clue that can tell you that the data and the findings should be questioned is if the data and results are given short shrift in the white paper. More than half of this white paper dealt with things unrelated to the data, such as CGI devoting an entire page to a partner insurance agency selling its insurance offerings.

[Image: BadStats – Cyber-Value Connection 8]

Internal Discrepancies

Remember the two graphs showing the share price of a given company for the two weeks prior to a breach and the one week after?

[Image: BadStats – Cyber-Value Connection 3]

Notice that the graph starts four weeks prior to the data breach? Well, look at this from the appendix on the methodology.

To gain a realistic assessment of share price performance, the analysis tracked the subject companies’ shares in the two weeks leading up to the breach (emphasis added).

This is an example of what I would call an internal discrepancy. At the least, this implies there was a serious lack of fact-checking, editing, and quality control on the production of this white paper. At the worst, this means that they were making things up. Again, since the data was not released, in the end it is impossible to know what this means, other than it should be noted and remembered when you think about whether you should use data from this study.

Do the Conclusions Fit the Data?

Last of all, we can look at the conclusions and ask ourselves whether they fit the data we’ve been shown. CGI says that, “Overall, share values in affected companies were seen to perform less well than shares in companies that had not been affected. Furthermore, this damage is permanent: an affected company’s shares do not recover their pre-breach performance relative to the control group.”

This is a huge stretch. From their methodology section, they say that, “The analysis tracked the movement in the share price for one week following the breach incident: using this short time window eliminated the influence of any ‘noise’ from factors unrelated to the cyber breach affecting the share price.” That a share price did not recover in one week has absolutely no informational value in trying to determine whether the company’s shares recover or not. Share prices go down for a week all the time, for all sorts of reasons. To try to say that just because their price went down for one week means their “shares do not recover” is somewhere on the spectrum between misleading, wrong, and idiotic.

What One Thing Should We Do? Five Different Answers from Five Different Experts

Politico’s Morning Cybersecurity newsletter had a short article about the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing which occurred yesterday. The hearing was focused on the current state of the Department of Homeland Security’s private sector engagement on cybersecurity. At the hearing, Politico said that subcommittee chairman John Ratcliffe (R-TX) asked the five witnesses to “name the one thing they’d tell the government to focus on the most.” The answers give insight into what is wrong with the cybersecurity industry.

From Politico (I changed the formatting to be bullet points instead of their original paragraph-style formatting, but did not change any of the statements):

He got five different answers.

  • Daniel Nutkis, CEO of the HITRUST Alliance: he would like guidance about what the industry role should be.
  • Scott Montgomery, chief technologist at Intel Security Group: Developing a well-trained cyber workforce should be highest on the government’s list.
  • Jeffrey Greene, who runs global government affairs for Symantec: The Trump administration should specify that the Homeland Security Department will remain the civilian government leader on cybersecurity.
  • Ryan Gillis, a vice president at Palo Alto Networks: the government should focus on implementing existing cyber laws.
  • Robyn Greene, policy counsel at New America’s Open Technology Institute: The Trump administration shouldn’t water down privacy protections under the landmark 2015 information sharing law.

The fact that there would be 100% disagreement on the most important thing shows that industry, as a collective, doesn’t know what the most important things are. Additionally, some of these answers are just terrible. First of all, saying that the Trump administration should release a statement doesn’t really move the needle on helping to protect our critical infrastructure. While it would be good (I don’t think moving critical infrastructure protection to the Department of Defense, as Trump has intimated he’d like to do, would be), it’s more of a checkbox item than something that moves us forward.

I’m a big proponent of privacy rights, but again, how does maintaining a law passed two years ago qualify as the most important thing we should do moving forward? Even if the Cybersecurity Information Sharing Act (CISA) was a game-changer in improving our security, it would be the information-sharing parts of the law that would improve the security of our critical infrastructure, not the fact that the sharing was done in the confines of protecting people’s personal information when cyber threat information was shared.

I could maybe understand the argument that government should focus on implementing existing cyber laws, but it’s not quite there. First of all, you can’t make an organization or an industry secure just by passing a law saying they need to be secure, or saying they need to do X, Y, and Z. You can’t legislate your way to security. You may be able to legislate your way to compliance, but that is not the same thing. And, laws by themselves don’t accomplish that. Laws can lay the groundwork, but it takes individuals, organizations, and industries having a sustained focus on building a secure infrastructure for productive changes to happen.

The other two answers, however, at least do provide a blueprint for moving forward, and I could make an argument for each of them to be important: identifying what roles private industry and the government will play, and developing a larger workforce of more qualified individuals. I could make an argument for either of those being worthwhile as the first priority government should focus on, but that’ll have to wait for another post someday.

A Look at Trump’s Inaugural Speech

Dissension and hatred descended upon us. With profound distress millions of the best men and women from all walks of life have seen the unity of the nation vanishing away, dissolving in a confusion of political and personal opinions, economic interests, and ideological differences.

The establishment protected itself, but not the citizens of our country. Their victories have not been your victories; their triumphs have not been your triumphs; and while they celebrated in our nation’s capital, there was little to celebrate for struggling families all across our land.

For when our nation lost its political place in the world, it soon lost its unity of spirit and will….

For many decades, we’ve enriched foreign industry at the expense of American industry; subsidized the armies of other countries while allowing for the very sad depletion of our military; we’ve defended other nation’s borders while refusing to defend our own; and spent trillions of dollars overseas while America’s infrastructure has fallen into disrepair and decay.

We’ve made other countries rich while the wealth, strength, and confidence of our country has disappeared over the horizon.

The misery of our people is horrible to behold! Millions of the industrial proletariat are unemployed and starving; the whole of the middle class and the small artisans have been impoverished.

But for too many of our citizens, a different reality exists: Mothers and children trapped in poverty in our inner cities; rusted-out factories scattered like tombstones across the landscape of our nation; an education system flush with cash, but which leaves our young and beautiful students deprived of knowledge; and the crime and gangs and drugs that have stolen too many lives and robbed our country of so much unrealized potential.

And as leaders of the nation and Government we vow to God, to our conscience, and to our people that we will faithfully and resolutely fulfill the task conferred upon us.

This American carnage stops right here and stops right now.

The task with which we are faced is the hardest which has fallen to statesmen within the memory of man. But we are all filled with unbounded confidence for we believe in our people and their imperishable virtues. Every class and every individual must help us to found the new Reich.

That all changes – starting right here, and right now, because this moment is your moment: it belongs to you.

It belongs to everyone gathered here today and everyone watching all across America. This is your day.

The Government will regard it as its first and foremost duty to revive in the nation the spirit of unity and co-operation. It will preserve and defend those basic principles on which our nation has been built.

We are one nation – and their pain is our pain. Their dreams are our dreams; and their success will be our success. We share one heart, one home, and one glorious destiny.

A concerted and all-embracing attack must be made on unemployment in order that the working class may be saved from ruin…

The ruling parties have ruined the working class in fourteen years.

In fourteen years they have created an army of millions of unemployed.

Within four years the working class must be rescued from the quagmire into which it has fallen.

Within four years unemployment must be finally overcome. At the same time the conditions necessary for a revival in trade and commerce are provided.

We will bring back our jobs. We will bring back our borders. We will bring back our wealth. And we will bring back our dreams.

Americans want great schools for their children, safe neighborhoods for their families, and good jobs for themselves. These are the just and reasonable demands of a righteous public.

As regards its foreign policy the Government considers its highest mission to be the securing of the right to live and the restoration of freedom to our nation. Its determination to bring to an end the chaotic state of affairs in Germany will assist in restoring to the community of nations a State of equal value and, above all, a State which must have equal rights. It is impressed with the importance of its duty to use this nation of equal rights as an instrument for the securing and maintenance of that peace which the world requires today more than ever before.

For many decades, we’ve enriched foreign industry at the expense of American industry; subsidized the armies of other countries while allowing for the very sad depletion of our military; we’ve defended other nation’s borders while refusing to defend our own; and spent trillions of dollars overseas while America’s infrastructure has fallen into disrepair and decay.

We’ve made other countries rich while the wealth, strength, and confidence of our country has disappeared over the horizon.

One by one, the factories shuttered and left our shores, with not even a thought about the millions upon millions of American workers left behind.

The wealth of our middle class has been ripped from their homes and then redistributed across the entire world.

But that is the past. And now we are looking only to the future. We assembled here today are issuing a new decree to be heard in every city, in every foreign capital, and in every hall of power.

Since the prior government is incapable of lending support to this work, we ask the people whom we represent to perform the task themselves.

We, the citizens of America, are now joined in a great national effort to rebuild our country and to restore its promise for all of our people.

We are transferring power from Washington, D.C. and giving it back to you, the American People.

But the Government cannot make the work of reconstruction dependent upon the approval of those who wrought destruction.

For too long, a small group in our nation’s Capital has reaped the rewards of government while the people have borne the cost. Washington flourished – but the people did not share in its wealth. Politicians prospered – but the jobs left, and the factories closed.

May God Almighty give our work His blessing, strengthen our purpose, and endow us with wisdom and the trust of our people, for we are fighting not for ourselves but for our country.

Together, we will determine the course of America and the world for years to come.

And yes, together, we will make America great again. Thank you. God bless you. And God bless America.

In case you didn’t realize it, the blockquotes are from Hitler’s Proclamation to the German Nation, February 1, 1933, with some minor edits so that it didn’t explicitly refer to Germany. The regular text comes from Trump’s Inaugural Address.

This was inspired by a tweet by Dr. Krypt3ia.


Bad Stats in the QER

I often notice people, even educated people, with a poor understanding of numbers and statistics. Our example today is going to come from the second installment of the Quadrennial Energy Review, released by the Department of Energy. One of the QER’s Key Findings was:

Electricity outages disproportionately stem from disruptions on the distribution system (over 90 percent of electric power interruptions), both in terms of the duration and frequency of outages; this is largely due to weather-related events. Damage to the transmission system, while infrequent, can result in more widespread major power outages that affect large numbers of customers with significant economic consequences.

Over 90% sounds like a lot. But, the frequency of outages is really not that surprising. In 2014, there were 450,000 miles of high-voltage lines and 6,000,000 miles of distribution lines in the United States. This means that 92.5% of lines (measured in miles) are in the distribution system. That means that “over 90%” of disruptions is NOT disproportionate. Actually, it sounds like the frequency of power outages stemming from disruptions on the distribution system is just about what you would expect.

The QER also claims that the duration of the outages on the distribution system is more than the duration of outages on the transmission system. While it’s not as simple as looking at the total miles of power lines to verify if that claim makes sense, it should also not be very surprising if you think about it for a little bit.

I used to live in a house that was at the end of a dead-end. We were the second-to-last house on the road. The start of the dead-end was about 4-5 miles from my house, and the road only had about a dozen houses. Behind our house was BLM forest land. In other words, it was quite rural. We had a power outage one time when a tree fell and took out a powerline during a storm. It happened between our house and the last house on the road, and we were the only two houses which lost power. Since there were only two houses affected, we were lower on the priority list for the power company in responding to that storm. If they have two places where they need to send a crew and one of them affects an entire neighborhood while the other only affects two houses, the two people are out of luck. They’ll have to wait a bit longer before they get their power back.

This can help explain why distribution outages last longer than transmission outages. By definition, an outage to a transmission line is going to affect more people than an outage on a distribution line. So it makes sense that responding to the outage on the transmission line is going to have a higher priority than responding to an outage on a distribution line.


Coaching Kindergarten Basketball

I coached my kindergartener’s basketball team this fall, but I’m not able to coach his team this winter because I’m starting OSCP training this weekend, and so I won’t have any extra free time. I wanted to collect a lot of what I did as a coach, though. It’s difficult to let somebody else coach my kids. I’m pretty good at hiding my critique from their coaches, but since I know quite a bit about basketball and coaching, I quite often catch myself thinking about how I would have done things different (read: better) than their other coaches.

This post will be a collection of ideas and games and “drills” I used for the kindergarten team earlier this year. My plan is to share it with his coach and tell her that she can use it or not, but since she hasn’t coached basketball before, it may give some good ideas. These ideas will be more heavily weighted toward ballhandling and passing than shooting for a couple reasons. The first is that the fall league was for kids 4-5 years old, and some of the kids (especially the four-year-olds) couldn’t get the ball to the hoop no matter how hard they tried. The other reason is that I always emphasize ballhandling. I’ve seen too many kids who couldn’t get on the court as they got older because they couldn’t handle the basketball. On the other hand, if kids are good ballhandlers, then they can handle more aggressive and athletic defenders and play above their athletic level.

A lot of the things listed under “Drills” are also games, but I put them under whatever skill it was if the game was specifically targeting that one skill, such as how Dribble Tag is focused on dribbling. One of the things I always say in the parent meeting for youth teams is that my goal is to have fun. I want my kid to be a good basketball player, so I’m going to teach them solid basketball skills. But, if a kid in youth basketball doesn’t have fun, then he’ll stop playing. As long as he has fun and wants to play again the next season, then he can continue to develop his skills. If he quits because it wasn’t fun, then he’ll never develop those basketball skills. Along that same idea, a lot of these games could have a winner and a loser, but I wouldn’t even talk about that for most of them. Especially at the kindergarten level, they aren’t going to remember who won what at practice anyway, and if you don’t talk about it, then every kid will likely walk away thinking they “won.”

Dribbling Drills

Dribble Tag – Everybody has a ball. One person is “It” and they try to tag others.

Circle Dribbling – Get in a half-circle around the coach and dribble with one hand. Talk to the kids about how to dribble with their finger pads, not slapping the ball with their palm. Call out “Left hand,” “Right hand,” or “Alternating (change) hands,” so that the kids practice with both hands.

Numbers – Same as Circle Dribbling, except hold up some number of fingers. Kids need to call out the number shown. Change the number every few seconds. This forces kids to dribble with their eyes up.

Red Light, Green Light – Same as the regular game, except they need to dribble as they go down the court. Make them do a jump stop when they stop for the red light. They need to catch the ball and stop, not catch and keep running.

Follow the Leader – I would start as the leader. Get creative here, you can do anything like dribble in circles, do air dribbles, dribble with a certain hand, etc.

Dribble Relay – A relay race where teams run down and back while dribbling. Change up how they dribble. Dribble right-handed, then left-handed, then alternating hands. Make them go backwards or make them go sideways. Going backwards will make them not look at the ball as much, because they’ll be looking backwards over their shoulder. Dribbling sideways (feet moving like a defensive slide) is basically doing a power dribble, which is used by players at all levels up to professional.

Dribble Relay with Pivots – Same as a dribble relay, except instead of going fullcourt, they dribble to the near free throw line, jump stop, pivot, and throw the ball back to the next person. This is obviously done closer to the end of the season when they’ve already been exposed to things like “What’s a pivot?”

Passing Drills

Partner passing – Partners on opposite sides of the lane. Talk about passing mechanics (two hands on ball, step towards partner, extend arms, thumbs point down at finish). Talk about “strong passes,” no rainbows or bounce passes. Try to make the pass in a straight line. Add bounce passes after a while (or even the next practice), which uses the same form but they want the ball to bounce one time, about 2/3 of the way to their partner.

Defense Drills

1-on-1 Mirror Drill – Kids get in pairs. One is the “offense” and one is the “defense,” and they get on a line, with one kid on either side of the line. For example, the offensive player will be on the inbounds side of the baseline and the defensive player will be on the out-of-bounds side of the baseline, or the offensive player will be on one side of the halfcourt line and the defensive player will be on the other side of the halfcourt line. The offensive player tries to stay away from the defensive player, while the defensive player tries to stay in front of them (like a mirror). This is a great way to practice change-of-direction, too. When I did this with HS/MS players, I made the defensive player be in a defensive stance. With the younger kids, I didn’t do that.

Shooting Drills

Hit the Money Spot – Tape a dollar bill to the top corner of the square on the backboard. This is the “Money Spot.” Practice layups, telling kids to try to hit the Money Spot. I also like to not have the kids dribble when they are focusing on learning layup form, so they can focus on their shooting form and not trying to dribble without losing the ball.

2-line Shooting – Basically the two-line layups many teams do during pre-game warmups. I would sometimes have the first player dribble in and shoot, and sometimes have them do a give-and-go with the other line. I also like to do this as a pre-game warmup because if you just let the kids shoot around, somebody’s going to get hit with a ball and start crying at this age. Also, if they’re just shooting around then the less aggressive, less skilled kids won’t get as many rebounds and won’t get as many shots as the more aggressive, more skilled kids.

Line Shooting – I did a little bit on form shooting with the kids, mainly just trying to get them to push the ball with one hand instead of two, and nothing more complicated than that. When we did that, though, we did a drill where instead of shooting for a hoop, they started on a line and tried to shoot it up and make it land on the line about 10 feet away. This forces them to try to shoot straight, which is the first thing most shooting coaches focus on with older kids, too.

Games

No Dribble Scrimmage – My favorite game for basketball practice. I’ve used this with high school and college players, too, but even five-year-olds can figure this one out. It’ll take them a couple tries before they start getting the idea of moving without the ball and looking to pass to move down the court, but they can do it if it’s emphasized. We did this game probably every other practice with my kindergartener.

Scrimmage – The kids love to scrimmage. I think we did it every practice, even if it’s only for 2-3 minutes. I emphasize dribbling and matching up with their opponent (as opposed to just chasing the ball). I also use the whistle to make them stop, since they need to get used to doing that for the games.

3-on-3 Fullcourt – I like this even more than a regular scrimmage, because with smaller sides the kids will get more time with the ball, and with playing fullcourt they will get a lot of practice dribbling and passing.

Coach Says – The same as Simon Says, except my name isn’t Simon. Commands I would use would be “pivot,” “triple threat,” “[right|left] dribble,” (where they dribble once and then pick it up back into triple threat), and “shot.”

Race to the Spot – Call a spot out and the kids race to it while dribbling. You can also call “left hand,” “backwards,” or anything else like that. I might say something like, “That door over there,” or, “The volleyball stand.” After a few rounds, have the kids take turns calling out the spot. I made this game up one practice because I had extra time and needed something to do. I’m sure somebody else had come up with it before me, but I don’t remember seeing it. It sounds kind of dumb, but the kids seemed to like it.

Monkey-in-the-Middle – Keepaway. We’d usually do it with two offensive players and one defender. The offense has to stand still, and they can’t pass it until the defender is on them. So, if you’re on offense and you receive the ball, then you need to wait for the defender to get over to you. Any deflection would get the defender out of the middle. We’d also have a “no rainbows” rule: the pass couldn’t just be a lob over the top of the defender.

I Can ___, Can You? – Call out what you can do, and then the kids do it. After a few rounds, have kids take turns being the caller. Some examples are to skip and dribble, run backwards and dribble, hop on one foot and dribble, shoot a layup, etc.

Scarecrow Tiggy – A variation of tag. The taggers don’t have a basketball. If a person is tagged, they stand with the ball over their head and their legs spread out. Other dribblers get them back in the game by rolling a ball through the legs of the tagged person.

War – There are two teams, each lined up on either sideline. Each player has a number, but you need to ensure that they are matched up appropriately so that player 2 on one team isn’t the best player while player 2 on the other team is the worst player. Call a number and throw the ball out towards midcourt. The players whose number was called go and play 1-on-1 fullcourt. If you call out two numbers, then they’d play 2-on-2, or so on.

Players Choice – This is always our last “drill” of the season. I ask the kids what they want to do. I think every team I’ve ever coached has chosen a scrimmage, so it’s basically the same as ending the last practice with a scrimmage, but the kids get to feel like it was their choice.

Squirrels Are Not the Issue

Every once in a while, usually after Ukraine has had a power outage caused by a cyber attack, there are articles like this one from Ars Technica. I understand, and agree with, Cris Thomas’s [SpaceRogue] main complaint: there have been a lot of false claims of “Cyber Attacks!!!” and most of the time they are false alarms or people looking to sell a book, plus squirrels have caused more power outages than cyber attacks, by a long shot. SpaceRogue runs the CyberSquirrel1 twitter account and website, which tracks power outages caused by animals, mainly squirrels.

What articles like this recent Ars story don’t get, though, is that responding to a squirrel causing a power outage and responding to a cyber attack causing a power outage are two different things. There are literally tens of thousands of linemen in the U.S., and they can all respond to something like a squirrel causing a power line to short out or even causing a pole to fall down. That kind of work is even so standardized that when a storm comes through an area, such as when Superstorm Sandy hit the Northeast, crews are able to come from all over the country to help with the restoration. That’s because jobs like setting a pole or stringing line, while requiring skill, are also reproducible, and one lineman can step in to work with another trained lineman if they need to.

A cyber attack is very different, though. There are not tens of thousands of people in the world who will be able to investigate and restore power if a utility is affected by a remote cyber attack. And just as importantly, there is not a standard way of responding to a cyber attack on a power utility, like there is with a squirrel attack or storm recovery. For storm recovery, there is a long history of mutual assistance, where a utility not affected by a storm will send employees to an area with storm damage in order to make recovery time faster. There are some beginning efforts by the electric industry to create a similar program for cyber incidents, but there are several barriers to success. For one, if a cyber incident affects a group of utilities, other utilities, even if they have expertise on staff, are likely to be hesitant to send that expertise out, since they have no guarantee that they will not also be targeted. There is also the problem of a learning curve if somebody from one utility is not familiar with the hardware and software at a second utility, although this problem can likely be mitigated, as shown by the IR efforts of the ICS-CERT and private consultants.

The idea that “squirrels are worse” also downplays another problem. If a small electric distribution company is affected by a cyber attack, there won’t be a large problem for customers. Some customers may lose power, but the people operating the electric grid would be able to recover relatively quickly, because the power grid is resilient, and electric utilities have spent decades working to build that resiliency. The concern, though, is that multiple utilities will all be affected. The 2015 Ukraine incident involved multiple distribution companies being affected, and the campaign also targeted other utilities which didn’t have power outages. The 2016 Ukraine incident, though, targeted a transmission company. What happens if those tactics are combined, and multiple transmission operators are affected? Or what happens if instead of 6-8 months of preparation, like in Ukraine, there is 18-24 months of preparation? Maybe then, the attacker is able to affect even more. It’s not inconceivable that a single coordinated campaign could hit many targets at once.

The bottom line is, not everybody who’s talking about the vulnerabilities of the electric grid is a Chicken Little (coughTedKoppelcough) running around saying that the sky is falling. There are some tough problems which still need to be addressed, and being dismissive of those problems is not any more helpful than using FUD to try to sell a security product.


BSidesLV Wrapup

I was able to attend BSides Las Vegas a couple weeks ago. It was the second year that I’ve gone to the con. Last year, though, I competed in the Pros v. Joes capture-the-flag (CTF) event. While I’m glad I did the CTF (shout-out to the rest of the Labrynth Guardians, 2015 Champions), that meant that I wasn’t able to go to any of the talks or really spend any time doing anything other than the contest. This year, I wanted to still be involved in something at BSides, but I didn’t want to have my entire two days taken up with it, so I decided to volunteer. That also meant I wouldn’t have to stand in line to get my badge, which was an added bonus.

In order to qualify for the volunteer badge, there was a minimum of (I think) 8 hours that you had to volunteer, so that basically meant three normal shifts throughout the con. By the time I saw a tweet asking for volunteers and decided to sign up, a lot of areas were filled up, a few areas had one or two slots left, and then the Room Host position was pretty much unfilled. I liked the idea of being a room host, because I do like to do large-group presentations, but since I had never been to a talk at BSidesLV I didn’t want to try to be a room host without seeing how the actual talks went. Instead, I worked at the information booth for one shift, rode the BSides Bus for one shift, and worked the silent auction for my third shift.

The info booth was ridiculously easy to do. One of the BSides Staff (Jason, I think) had created a three-page FAQ for the volunteers at the info booth, and that combined with the questions we did get made the shift pretty easy. There were a few questions about where things were, a few questions about T-shirts, and a lot of sitting around and talking to the other people working in that same area. The bus was also relatively easy. Once I had a couple tweets copied and ready to go, it was just a matter of tweeting out when we got to a stop and when we were leaving a stop, and saying where we were going next. The auction, though, was a bit more hectic. It would have been just as easy as the other shifts, but I was working the final shift. They had told us that we took PayPal and cash, so that’s what the volunteers had told bidders throughout the two days. Then, when we got to the end of the auction, nobody knew how to take the PayPal payments, or how we were organizing the close out, or how people would receive non-tangible items like tickets to other cons. I started telling people that if they had cash to pay for a tangible item, then I could take it, and started collecting money and making a pile of bid sheets that had been paid for, so there could be some kind of accounting, and just had the cash in my hand. I never did count how much cash I collected, but I probably had $1-2 thousand. Eventually, somebody put the BSides PayPal address in the volunteers’ Slack channel, so I closed out a few PayPal items, including the highest-priced item: an NSA challenge coin which went for $1500, and which the winning bidder said he partly bid so much for the irony of the NSA coin going to support the EFF.

I also learned a couple things about volunteering at BSides. One of the perks of volunteering is that you get a free meal at the con, but you only get that if your shift is starting immediately after the meal time. So, I got breakfast one day, but I wasn’t able to get lunch either day because my shift both days was from 4pm-7pm. Since my trip this year was out-of-pocket, that was disappointing. Also, I didn’t fly into Las Vegas until late Monday evening. If I had taken an earlier flight, then I could have volunteered for setup on Monday, which would have let me take care of several of my hours. Then I would have had more time on Tuesday and Wednesday to watch talks and participate in the other activities. I think that may be what I’ll do next year. Either that, or get some of my hours from being a Room Host.

I was able to see a couple talks, though. I saw one talk in the Underground track. It was an interesting talk on Active Incident Response and REDACTED. (I had written this on the plane with no Internet, and I had written a couple sentences here which were a high-level overview and my recollection of what was in the BSides program guide, but when I was checking the online BSides schedule for the names of the presenters, it said that the description was withheld by request of the presenters (or more likely their lawyers).) It was a good talk, though.

On the second day, I was able to go to the I Am The Cavalry track for about 1.5 sessions. I wish I would have been able to be there for more of their sessions, as it was also very interesting. It was more of a discussion than a presentation, and my main takeaway from that was the need to get involved. The hacker and security communities need to engage with lawmakers if there is to be any hope that our laws and regulations are going to be effective and not make our security situation worse.

I hope to see you all next year, when I heard BSides is taking over the entire Tuscany hotel.

Another Senate Hearing on Encryption Where Facts Are Secondary

The Senate Armed Services Committee held a hearing on “Cybersecurity and U.S. National Security.” The hearing got most of its coverage because Sen. John McCain used it to repeatedly complain about Apple CEO Tim Cook’s decision to turn down an invitation to testify. But one person who did testify was Cyrus Vance, the Manhattan District Attorney. He has been leading the charge to mandate law enforcement access to tech products, and has testified at Capitol Hill several times. Unfortunately, despite the practice, he hasn’t gotten any better and has a tendency to, purposely or because he just can’t learn, misconstrue the facts and argue against a strawman.

Vance: The debate over encryption and public safety has matured significantly since 2014. The issue has crossed over into mainstream consciousness, owing in large part to Apple’s public refusal to assist the FBI with unlocking a terrorist’s iPhone in San Bernardino.

Fact: “Apple had asked the F.B.I. to issue its application for the tool under seal. But the government made it public, prompting Mr. Cook to go into bunker mode to draft a response.” (http://www.nytimes.com/2016/02/19/technology/how-tim-cook-became-a-bulwark-for-digital-privacy.html)

Vance: Apple and Google’s decisions limit our access to critical information under a questionable claim of an increase in privacy. The encryption Apple provided on its mobile devices pre-iOS 8—that is, up until the end of September, 2014—was both secure for its customers and amenable to court-authorized searches.

Vance uses a bit of a strawman argument here. It’s not just a claim of an increase in privacy, but also of security. People are more likely to lose their phones than they are to be a drug dealer or child pornographer. I have a good passcode and I would turn on encryption on my phone even if it wasn’t the default. But, by going to an encryption-by-default model, Apple is protecting the much larger number of non-tech-savvy people who wouldn’t know or think to do that, but still run the risk of losing their phone.

Vance: We have good cause to believe that because Apple itself characterized its iOS 7 operating system as the ultimate in privacy, touting its proven encryption methods, and assuring users that iOS 7 could be used with confidence in any personal or corporate environment….Which is to say, Apple itself had already demonstrated that strong encryption and compliance with court orders were not incompatible.

It appears that Vance believes that using good encryption is an end-state. However, it is constantly evolving. Due to increases in computing power as well as the simple fact that people’s knowledge and techniques improve, what was considered secured by good encryption 10 years ago is no longer adequate. Microsoft also said, at various points in time, that Windows was the most secure operating system ever; that doesn’t mean it holds true today.

Vance: But with evidence from that defendant’s smartphone locked behind a passcode known only to him, and existing solely on his device, we could only charge a far less serious offense.

This ignores the times when prosecutors can get a contempt of court charge if the person refuses to decrypt their computer, like this case where the defendant will “stay locked up indefinitely until he decrypts the drive.”

Vance: Also consider financial services, one of the most regulated industries in our country. As we learned more about how criminals were using banks to move money, Congress required firms to fight money laundering and to better know their customers – and specifically, to retain customers’ data and make that data available to law enforcement with a court order.

This is really comparing apples to oranges (see what I did right there?). Those are bank records. Apple can already be compelled to turn over the customer records it holds, and it does. If you use iCloud backup, then Apple has information on you, and Apple will turn those records over to law enforcement. That’s a lot different than introducing a vulnerability into the banking system, which would be the equivalent of Apple introducing a vulnerability into its operating system.

Also testifying at the hearing was Kenneth Wainstein, a partner at Cadwalader, Wickersham & Taft and formerly a top lawyer at the Department of Justice. I’ll only focus on his call-to-action at the end of his written testimony.

For the tech industry and civil liberties groups, this means laying out technically specific support for the contention that a government accommodation would undermine the integrity of default encryption. They should provide hard data that demonstrates exactly how—and how much—each possible type of accommodation would impact their encryption systems.

Perhaps he missed it, but this has been done. A group of some of the biggest-name cryptographers released a technical report, “Keys Under Doormats,” through the Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Laboratory. From its conclusion: “This report’s analysis of law enforcement demands for exceptional access to private communications and data shows that such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict. The costs to developed countries’ soft power and to our moral authority would also be considerable. Policy-makers need to be clear-eyed in evaluating the likely costs and benefits.”

Understanding Your E-ISAC

The Electricity Information Sharing and Analysis Center (E-ISAC) released Understanding Your E-ISAC (what I’ll refer to as the “Guide”) in June. Note that this isn’t a summary of the Guide, but rather is a collection of observations I made while reading it.

The Introduction of the document includes the disclaimer that comes up every time somebody from NERC talks about the E-ISAC: that they are separate from NERC.

The E-ISAC is operated by the North American Electric Reliability Corporation (NERC) and functions as an independent group and is organizationally isolated from NERC’s enforcement processes. This intentional isolation was put in place to assure entities that any information shared with the E-ISAC would not be used for enforcement actions or shared with NERC compliance personnel.

This actually seems like it is less strongly worded than what I have heard in other places, such as at industry events. Normally E-ISAC people emphasize that they are separate from NERC, and wouldn’t use that “operated by NERC” language. This is related to one of my favorite visuals.

E-ISAC 1

I think it’s hilarious that the E-ISAC always talks about how it’s so separate from NERC, yet they use the same template for their reports, albeit with minor tweaks in coloring and what part of the grid pattern is visible.

Anyway, the Guide starts off by talking about the benefits of information sharing, and includes most of the points that are always used in that discussion. You could basically substitute “ISAO” or “Threat Intelligence” or “CISA” for E-ISAC in this section and it would still make sense.

The Guide then goes on to discuss how the E-ISAC safeguards information. A big emphasis here is on the existence, and the following of, the E-ISAC Code of Conduct. One interesting thing from the Code of Conduct is that it defines “E-ISAC Personnel” as, “The CSO as well as all NERC employees who report to the CSO.” This is mildly interesting because the Guide includes an organizational chart.

E-ISAC2

The Code of Conduct doesn’t seem to include Tim Roxey as E-ISAC personnel, because he reports to Gerry Cauley, NERC’s President and CEO, instead of Marcus Sachs, E-ISAC’s Senior VP and CSO. I’m sure Roxey still follows the Code of Conduct, but I would think NERC would want to make that more clear.

After a section on what the roles of the Watch Operations and Analyst groups are, the Guide talks about who the members of the E-ISAC can be. It says that “Industry members include vetted electricity asset owners and operators (AOO) – or affiliates, such as trade associations and contractors – in North America.” This seems to contradict what the E-ISAC says on their website, which is that, “The E-ISAC portal is currently restricted to owner/operators and selected government partners.” The website description is the one that is actually used, as I know of at least one trade organization which has tried to get involved in E-ISAC activities and was told that it was limited to asset owners and operators.

The Guide hits the separate-from-NERC topic hard, including this part:

No personnel from NERC (including compliance enforcement personnel) and the regional entities are not allowed membership or access to the E-ISAC portal.

I’m reasonably certain this was an editing fail, as it would imply that personnel from NERC are allowed access. As a former English teacher, this made me smile. That pesky double-negative can be difficult to notice when you are reading your own writing, since in your head you know what you mean. That the “no” and the “not” are spread pretty far apart in this sentence probably increased the likelihood of the mistake being missed.

The membership section also talks about access revocation. It is the member organization’s responsibility to notify the E-ISAC if an individual has left their organization and should therefore lose their E-ISAC portal access, which is really the only way that could be done. This part is worth quoting in full, though.

The E-ISAC terminates accounts when notified by a member or partner that an individual has left the organization. It is an organizational responsibility to notify the E-ISAC, recognizing that delays may occur in notification when someone has left an organization. This consideration is why the E-ISAC only allows organizational account domains as one of the first steps an organization takes when an individual departs is to de-provision the individual’s enterprise information technology (IT) access accounts.

This references that owners and operators are vetted partially through their use of corporate emails. That is a valid requirement, and I wouldn’t expect the E-ISAC to just take some random gmail address and believe an assertion that they are in the electric industry. But this reason for requiring corporate emails doesn’t make sense. It seems to imply that because an organization would de-provision corporate email access, that somehow would cause the former employee to also lose access to the E-ISAC portal. But once the employee is verified and provided access to the portal, whether they can subsequently access the email address they used to register has nothing to do with whether they can still log in to the portal. Unless the portal login is federated with the member organization’s own identity provider, or the portal periodically re-verifies that the registered mailbox still exists, de-provisioning the mailbox leaves the portal account, and any password or session tied to it, fully usable.

The Guide then goes into describing the products and services the E-ISAC offers. Among them is webinar access, with a “3,000-person webinar capability [that] is used to host monthly webinars as described in the program section.” As a former math teacher, one of the things I hate is the bad or misleading use of statistics. This number is supposed to be impressive and show capabilities, but it provides no actual information. Does this mean they fill that capacity? What kinds of numbers do they actually see? If the attendance is consistently and considerably less than 3,000 people, then this number means that they are paying for a capability they don’t need, wasting money. If they consistently max out the attendance and end up “sold out” of spots then they are providing a service people want but not reaching as many people as they should be. If they just want to sound cool and have a big number, then they could just as easily pay GoToWebinar or whoever more money and say something like a 10,000-person capacity. Or, maybe, they are consistently at something like 2,700 attendees, in which case they are getting their money’s worth in the capacity and meeting the demand they have. But the 3,000 number doesn’t let us know any of that.

The products and services section also talks about the Cybersecurity Risk Information Sharing Program (CRISP), which allows me the opportunity to draw your attention to this story about a Public Utility District in Washington feeling the need to complain to their congressional delegation and the Department of Energy because NERC was pushing CRISP and pressuring them to sign up for that quite expensive program.

All in all, if you are an asset owner or operator, it’s probably a good idea to get an account with the E-ISAC, and this Guide is probably worth at least a skim. Since they are closed off to trade organizations, though, even those that specifically work on cybersecurity for the electric sector, I can’t say for sure how helpful their information sharing programs may be.