Feed aggregator

Outside the coronavirus pandemic and its related healthcare and economic fallout, climate change and cybersecurity are seen by many as the two most urgent problems facing our planet now and in the near future. They are two distinct and separate problems, to be sure. There are some areas, however, where security and climate change overlap, interlock, and influence one another. Let’s have a look.

To understand how climate change and the methods to counteract its rapid ascent will affect cybersecurity, we first have to look at how computing contributes to global warming. Your first instinct about their relationship is probably right: computing involves energy consumption and heat production. As long as we cannot produce enough “clean energy” to satisfy our needs for electricity, the energy consumed by computing—and security within it—will continue to contribute to global warming.

The big energy consumers

There are a few fields in computing and cybersecurity that guzzle up huge amounts of energy and produce heat as a byproduct:

• Supercomputers
• Blockchain mining
• Data centers
• The Internet as a whole

Before you dismiss the problem of the supercomputers (because you assume there are only a few of them)—even I was astounded to find out that there are over 500 systems that deliver a petaflop or more on the High Performance Linpack (HPL) benchmark. Most of these supercomputers consume vast amounts of electrical power and produce so much heat that large cooling facilities must be constructed to ensure proper performance. But in recent years, vendors have started to produce supercomputers that are more energy efficient.

In 2019, the mining of Bitcoin alone consumed more energy than the entire nation of Switzerland, which equals about one quarter percent of the world’s entire energy consumption. There are many more blockchains and cryptocurrencies, although Bitcoin is by far the largest energy consumer among them. This is mostly due to their operation on the proof-of-work concept and the high value of Bitcoin.

While cybercrime experienced a huge jolt in cryptomining in 2018, the frenzy has mostly died down as Bitcoin value dipped and plateaued. However, cryptomining continues as both a legitimate and illegitimate activity—especially because miners can switch to other cryptocurrencies when Bitcoin drops off.

An even bigger impact on energy consumption are data centers, which already use over 2 percent of the world’s total energy consumption, and that number is expected to rise fast. The prediction is based on the growing number of content delivery networks (CDN), more Internet of Things (IoT) devices, the growth of the cloud, and other colocation services. So, not only do computer centers consume massive amounts of energy, their use is expected to grow astronomically.

The Internet can’t be completely separated from the data centers that enable it. But despite the overlap, it’s still worth mentioning that the total energy consumption of the Internet as a whole lies at around 10 percent, which is more than the world’s total energy production from renewable sources such as wind and solar.

However, it’s fair to note that the Internet has taken over a lot of tasks that would have cost more energy or created a greater carbon footprint if they had been performed in the “old ways.” Consider, for example, the energy saved by working remote: the energy expended on the Internet and inside one’s home is far less damaging than the carbon monoxide released into the atmosphere by fossil fuels from a daily commute to the office.

Global warming’s trickle down effects

Conversely, global warming and its effects on the climate, environment, and economy do have a direct impact on our everyday lives, and that trickles down to cybersecurity. Some of the projected dangers include:

• Flooding of certain areas
• Prolongation of the wild-fire season
• Spread of diseases
• Economic costs
• Scarcity of fresh water in certain areas

By 2030, climate change costs are projected to cost the global economy $700 billion annually, according to the Climate Vulnerability Monitor. And The International Organization for Migration estimates that 200 million people could be forced to leave their homes due to environmental changes by 2050.

Climate change and its implications will act as a destabilizing factor on society. When livelihoods are in danger, this will spark insecurity and drive resource competition. This does not only have implications for physical security, but in modern society, this also has an impact on cybersecurity and its associated threats.

From a big picture, worst-case-scenario perspective, climate change could trigger profound international conflicts, which go hand-in-hand with cyberwar. Beyond nation-state activity, individuals that have no other means of providing for their families could turn to cybercrime, which is often seen as a low-risk activity with a potentially high yield.

But on a smaller scale, we’re already seeing the impacts of climate change on cybersecurity, whether via social engineering scare tactics embraced by threat actors or disruptions to Internet-connected home heating and cooling devices meant to track energy consumption.

Global warming scams

NO, we’re not saying that climate change is a hoax or a scam. But we want to issue a warning related to the subject. As with any newsworthy topic, there are and will be scammers trying to make a profit using the feeling of urgency that gets invoked by matters like climate change.

For example, the Intergovernmental Panel on Climate Change (IPCC) issued a warning against several scams abusing their name.

“IPCC has been made aware of various correspondences, being circulated via e-mail, from Internet Web sites, and via regular mail or facsimile, falsely stating that they are issued by, or in association with, IPCC and/or its officials. These scams, which may seek to obtain money and/or in many cases personal details from the recipients of such correspondence, are fraudulent.”

Natural disaster scams are increasing in the same frequency as natural disasters themselves, often claiming to be collecting donations for a particular cause but putting money in their own pockets instead. We’ve seen social engineering tricks ranging from phishing emails and malspam to social media misinformation campaigns on hurricanes, tornadoes, fires, and flooding. Expect this sort of gross capitalization on tragedy and fear to continue as the effects of climate change become more dramatic.

Improving efficiency and preparing for changes

The number of datacenters is down, but their size has grown to meet the demand. This is potentially a step in the right direction since it decreases the power needed for the overhead, but not as big as the step that could be made if they would actually work on their power efficiency.

Online companies typically run their facilities at maximum capacity around the clock, regardless of the demand. As a result, data centers are wasting 90 percent or more of their power. Smart management could make a substantial difference in energy consumption and costs.

Cryptomining could improve on energy consumption if the most popular currencies would not be based on proof of work but proof of stake. Proof of work rewards the largest number of CPU cycles with that the highest energy consumption.

NEO and Hyperledger are next generation blockchain technologies with much lower electricity cost. NEO uses what it calls delegated Byzantine Fault Tolerance (dBFT), which is an optimized proof-of-stake model. Hyperledger Fabric centralizes block creation into a single resource pool and has multiple validators in the participants. It’s an enterprise collaboration engine, using blockchain smart contracts, where validation is much easier than creation, and creation will be centralized on a single, optimized platform.

More effective methods of cooling would both help supercomputers and large data centers. At the moment, we are (ironically) using electricity to power cooling systems to control the heat caused by electricity usage. In fact, cooling gobbles up about 35 percent of the total power in high performance computing with air cooled systems. Hot-water liquid cooling might be a key technology in future green supercomputers as it maximizes cooling efficiency and energy reuse.

Interaction between climate change and cybersecurity

As we have seen, there are opportunities for those in security and computing to slow the progression of climate change. But there are also opportunities for those in cybercrime to take advantage of the destabilization caused by climate change, as some already have through related scams and malware campaigns. As long as we don’t drop security in attempts to counteract global warming, we’ll be able to protect against some of the more advanced threats coming down the pike. But while we still can, let’s rein in our carbon footprint, improve on computing efficiency, and remember our cybersecurity lessons when criminals come calling.

Stay safe, everyone!

The post The effects of climate change on cybersecurity appeared first on Malwarebytes Labs.

The Bandana Scarf Bib is a multi-use drool bib that is soft cotton and double thick for extra protection. And it’s multi-use too – unfold it into a burp cloth or wipe cloth to clean up spills and spit up on the go! Make a bunch of trendy bibs for baby with this free crochet...

Read More

The post Bandana Scarf Bib appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

2

This post originally appeared in 2010, but recent events brought it to mind...


A little light reading about the Plague of Justinian the other day (and the plague of no home internet access I continue to suffer) got me to thinking about the use of epidemics or even pandemics in gaming. Obviously, succumbing to infectious disease isn’t the most adventurous way to die, but plagues, particularly big ones, have a tendency to cause a great deal of social, economic, and religious upheaval, which is the perfect backdrop for an rpg campaign, or fodder for adventures.

First a few terms. An “epidemic” occurs when the outbreak of new cases of a particular disease exceeds the expected number for a given population. This is, as the definition suggests, somewhat subjective. A “pandemic” is when epidemic conditions exist over a wide geographic area--possibly even the whole world.

The most famous historical pandemic is probably the Black Death which affected Eurasia, and peaked in Europe around 1350. Low-end estimates have it killing a third of Europe’s population. The traditional culprit was thought to be bubonic plague caused by the bacterium Yersinia pestis, though their are some new theories.

The societal effects were profound. Depopulation meant fewer people to farm, and that coupled with livestock plagues, and climatic changes lead to famine and starvation. Fearful people blamed convenient scape-goats--often Jews--and Jewish communities were wiped out in some places. Fringe religious groups like the Brotherhood of Flagellants became more widespread.

The Plague of Justinian (541-542 CE) is also thought to have been caused by bubonic plague. This plague may have weakened Byzantium enough that Justinian I was unable to reconquer Italy, shattering any hopes of reconstitute a whole Roman Empire. It may have also weakened Byzantium for its coming face-off with the Arabs a century later.

Y. pestis isn’t the only malefactor out there. Smallpox, influenza, cholera, and typhus caused pandemics before the the 20th century. Measles, yellow fever, and dengue fever never had the same spread, but have caused localized epidemics. Of course, in a fantasy world plagues might be more exotic, even magical in nature.

I can think of three broad ways a plague could be used in gaming. The first is plague as background color. Carts of dead, or oddly dressed plague doctors might just be part of the general ambience of a setting--particularly one with a grubby, "real" Middle Ages feel. It could be treated seriously, or darkly humorous.

The second is plague as apocalypse. As its been pointed out before, there is a post-apocalyptic element to the implied setting of D&D. Perhaps the apocalypse isn’t just a remote event, but ongoing? This could cast the player’s not as pioneers on the frontier, but as defenders of the fire of civilization. This might or might not have implications on the sort of adventures had, or it might just influence the tone.

The third is plague as campaign focus. Maybe the point of the whole campaign is defeating the forces of evil behind the plague? It could be introduced early, as a minor background element, but as more people succumb to the disease it grows in importance. Eventually, finding a cure might become the PC’s central concern, but only after its grown “naturally”( or unnaturally).

The post Video of the Day – BuzzFeed Celeb, 2020 appeared first on Blogtor Who.

A week on from the Series 12 finale, we now have the +7 viewing figures update for the finale, as well as the final official number for Can You Hear Me? While there’s an update for The Timeless Children, with the official metric for television viewing figures now being the +28 measure – including all […]

The post Viewing Figures Update: FINAL Can You Hear Me? and Timeless Children +7 appeared first on Blogtor Who.

An incomplete list of things i have not been correct about lately.

1. I thought the baby would be here by now.  She is not. Clearly she’s on a timetable all her own, and is well and happy on the inside and I guess we just keep waiting.

2. I thought that since the baby was not here by now, that the mystical power of the knitted baby blanket was prevailing, and that as soon as i finished, she would arrive. I finished. She did not arrive.

3. I decided then that it must be that it didn’t work was because I hadn’t blocked the thing, and that the knitting force is so strong within this young one that she was calling bull on her grammy, and so I blocked it. She did not arrive.

4. When that didn’t work, I thought – fair enough. it’s not dry, and folded and I haven’t snipped off the last two ends.

The child noped that too. She remains unmoved. (Meg had high hopes for that moment, let me tell you. I’m going to wait to show you the whole thing until she produces the worlds next great knitwear model.)

5. I also thought that there was going to be a way for our Strung Along March retreat to go forward next week, but after looking at the situation realistically, realizing how many of the attending knitters are in the high risk group and having a chat with public health out Port Ludlow way… there wasn’t.  Our retreat thus joins the ranks of so many other knitting events that are cancelled or postponed due to Covid-19.  I don’t know a single knitting teacher or event organizer who doesn’t feel like they did the right thing when they cancelled, and isn’t committed foremost to the health and well being of our communities,  and to slowing the roll of this thing, so as not to strain health resources any more than they have to be…  but I’m not going to pretend it isn’t difficult.  Lots of people are going to have a hard time economically over the next little bit in all sorts of industries, but today I raise my glass to all the knitting teachers, vendors and event organizers out there who’d already written cheques and signed contracts and are wondering what comes next for their businesses.  Lets hang in there together.

6. I thought people might be upset or angry when the retreat postponed, but I was overwhelmed with the generosity and kindness of everyone involved, including The Resort at Port Ludlow. I think it’s that spirit that will mean that these events will still be around when this is over.

7. I thought I was mostly over the urge to embroider on knitting.

Turns out I’m not even a little bit over it.  I finished a little sweater for the baby, and then something came over me and I put a rosebud on it, and the next thing I knew I had seven colours of embroidery floss and whammo.

I am in love with it more than I can say.  I really hope this baby isn’t one of those spitting up kinds. I haven’t given the sweater or blanket to Meg yet, I have decided to withhold all knitwear deliveries until she makes good on her part of the deal. She gives me a baby and I give her the goods. No exceptions.

7. I thought I was done knitting for the baby, but it turns out that I am helpless in the face of this kind of expectation and so now I’ve started something else.

8. I thought it would be finished today but it’s not. A wee vest thing – it’s the handspun merino from a few weeks ago.

9. I thought I could promise that maybe I would knit something for someone who weighs more than 10lbs.  I can’t.  I think I’m just going to keep racking it up over here. Maybe another bonnet.

10. I thought being a grandmother for the second time would be a bit more chill.

Grouping For Looks is a page-by-page retelling of the Looking For Group saga through the lens of a mirror universe where Cale is a goateed tyrant and Richard is a holy soul trying to set him on a good path. […]

The post GFL – Page 0014 appeared first on Looking For Group.

"The adventurers find themselves outside of a set of caves in the Dragon Teeth Mountains. They do not remember how they got here or why they came. But they feel drawn by the psychic energies from within the cave and feel compelled to explore them. This is an AD&D psionics adventure for 4-6 characters of from 7th to 10th level of experience. At least one or two characters from the party should Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0

With coronavirus starting to take hold globally, international travel restrictions are kicking in and more workplaces are advising to work from home whenever possible. When self-isolation is a potential solution, public gatherings are increasingly looking like a terrible idea. Events are becoming a bit of a hotspot for cases, leading to inevitably bizarre scenarios where coronavirus conferences are cancelled due to coronavirus.

Many major security conferences are already reassessing whether going ahead is worth it. Indeed, some cases of coronavirus have already been confirmed at RSA—one of the biggest security events on the planet. Given the number of attendees and the nature of their jobs (government and private security officials), that alone could have repercussions galore.

Some security events have decided to cancel outright, while others are going with the “temporarily postpone and see what happens at a later date” approach. While it’s tempting to suggest “just going virtual” as some are doing, that’s not always easily achieved.

Cancel, postpone, or virtual

Here’s a short rundown of some problems faced by event organisers in the wake of the current pandemic:

1) Putting on an event costs a lot of money. The venue, advertising, food, setup, safety, insurance, transportation to and from the event for organisers—it all adds up. People pay a ton of cash in advance to secure the event location, and not every venue operator is willing to hand $100,000 back if an event organiser phones up and says, “Actually, about that global pandemic…”

2) Lots of smaller conferences rely on sponsors. If sponsors suddenly bail without considering the impact of vanishing, the event could easily go under, and it won’t get a second attempt the following year. In turn, this (combined with the difficulty in recovering venue fees) could force some events into going ahead or facing financial ruin. It’s in everyone’s best interest to work together as much as possible in those situations, and see if there’s a possibility of going virtual.

3) I’ve helped with a few online events in the past—only small ones—and it was difficult. You can’t just throw up a website and yell “job done!” Streaming can be expensive. Locking down the site and figuring out how to only give content to paying virtual attendees isn’t straightforward. Which time zone are you aiming for when the event happens, and do you even need to stream?

It’s all online anyway, so would it be better to simply record everything and lock it behind a portal somewhere? What software will you use? Does your license accommodate your plans? Can you afford an upgrade if it doesn’t? Will the tech go wrong during the event, and what sort of contingency plans are in place if it does? These are just some of the questions waiting in store for intrepid event folks.

Taking stock of the situation

It’s difficult enough running a virtual event from scratch. I can’t imagine the stress of finding out you suddenly have to switch everything to online or shut everything down at short notice.

While it may end up costing less than a physical event, it may well cause more headaches than planning for the real world, where there’s a fairly solid set of event planning criteria/expectations.

With this in mind, and with a growing collection of security events going into lockdown, we thought it’d be good to pass you a few handy lists that explain what’s going on in security conference land for the foreseeable future. 

The current state of play

In a nutshell, the current state of play is “bad.” Wild West Hackin’ Fest is one such example of an event having to cancel and losing a lot of money in doing so to keep people safe from harm. They’ve decided to go virtual, just like Kernelcon who announced their decision today to do the same thing. Good luck to them both.

Meanwhile, the first major roundup of affected events over on ZDNet grew from nine to 22 in just two days. As per the list itself, some notable changes to your potential event schedule:

• Black Hat Asia and DEF CON China are both postponed
• Notable BSides events, including Budapest and Vancouver, are postponed, though Charm (Baltimore) is giving the option to go virtual alongside real-world presenting
• Kaspersky’s incredibly popular Security Analyst Summit is also postponed
• Infosecurity Belgium, a huge trade event, has been postponed

Those are just some of the big shakeups heading the infosec industry’s way. That list is constantly being updated, as is the comprehensive listing by region over on Infosecurity Conferences.

More disruption is likely

Regardless of which list you use to keep yourself informed, there will absolutely be more events affected in days to come. Your workplace may already have implemented no-travel policies, but even if you’re going it alone, you may wish to give some events a pass this time around.

Of course, that advice isn’t exactly good news for people who make their living from organising these events or even speaking at them. Whatever your involvement in security conferences, it’s going to be a rough old time of it for the foreseeable future. Stay safe and be well.

The post Coronavirus impacts security conferences and events: check your schedule appeared first on Malwarebytes Labs.

The world of work is changing—by the minute, it feels these days. With the onset of the global coronavirus pandemic, organizations around the world are scrambling to prepare their workforce, and their infrastructure, for a landslide of remote connections. This means that the security perimeter of businesses small and large has transformed practically overnight, requiring IT leaders to rethink the way they’re protecting their organizations. 

Even before the spread of the virus, preparing business security protocols for a mixture of remote and on-premises work had become a forgone conclusion. With increasing globalization and connectedness, remote work is fast supplementing, if not outright replacing, traditional 9-5 office-based hours. Upwork Global predicts that by 2028, up to 78 percent of all departments will have remote workers. 

This trend is affecting companies of all sizes. In fact, a study by Owl Labs indicates that smaller companies are twice as likely to hire full-time remote workers, and a State of Telecommuting study found that telecommuting grew by 115 percent over the last decade. 

These numbers clearly show that remote work is here to stay, whether in quick response to dire crises or simply as a slow, societal shift. What companies are now grappling with is how to manage a ballooning remote workforce, and more so, the security challenges that come with that growth. 

In the past, traditional work made it easy to create and enforce on-prem security policies. Simple controls like logical and physical access were handled through a centralized command and control hierarchy. As workforces become increasingly distributed, such security hierarchies are starting to underdeliver. Companies are now faced with novel security challenges posed by the diverse work conditions remote workers operate within. 

The rise of RemoteSec

Remote Security, or RemoteSec, is a set of security tools, policies, and protocols that govern the IT infrastructure supporting remote teams. As most remote workers rely heavily on cloud tools and platforms, RemoteSec addresses security challenges that almost always fall under this category, though other tools, such as virtual private networks (VPNs) play a role, as they are often deployed to establish secure connections to the cloud. 

For any business working with remote teams, understanding the role cloud security plays in securing remote teams is crucial to realizing overall remote security. However, one challenge that remains is how to replicate the success of on-prem security within a cloud environment. 

Before we delve into the details of RemoteSec, it’s crucial to note the difference between RemoteSec and overall cybersecurity policy. While both deal with securing networked resources, RemoteSec focuses mostly on securing remote teams and the cloud resources they use. As such, organizations with cybersecurity policies may need to extend them to cover security issues that emerge when remote workers relying on cloud infrastructure are added to the workforce matrix. 

Crucial RemoteSec considerations

Remote workers—which include freelancers, contractors, or in-house employees working from home, in coworking spaces, or at coffee shops—do their jobs under a diverse set of conditions. These unique and unpredictable conditions form the body of challenges RemoteSec addresses. 

For example, 46 percent of staff members admit to moving files between work and personal computers while working from home. A further 13 percent admit to sending work emails via personal email addresses because they are unable to connect to an office network. 

With these challenges in mind, here are some crucial RemoteSec considerations you should focus on to secure your remote teams. 

Global location of employees

Remote workers that are spread across the globe face different security challenges. As each part of the world has its own unique IT infrastructure characteristics, it is essential to standardize remote work environments for your entire team. Using VPNs and virtual desktops can help provide a uniform and secure work environment for your remote team, despite their location in the world. 

Remote data security policies

Data security is a significant challenge when working with remote teams. For example, remote workers may access public unsecured Wi-Fi hotspots, exposing company data to eavesdroppers or cybercriminals. Also, remote workers may use free data storage tools like Google Drive without knowing that such tools are vulnerable to ransomware attacks.

RemoteSec addresses these issues through comprehensive cloud data policies that cover remote data access, public hotspots, USB devices, password management, device management, network compliance, and others. 

IT and network infrastructure

Endpoint security is another area that organizations must address when it comes to RemoteSec. Remote workers tend to use multiple endpoints (devices) to access company resources. However, in many instances, these devices may not be secure or may be connecting through unsecured network channels.

Issuing mobile device management (MDM) policies, using secure VPNs, deploying cloud-based endpoint security on all remote devices, and enforcing secure cloud network protocols can ensure remote workers do not circumvent network or endpoint security measures. 

Remote IT support

Not all remote workers are tech-savvy. As more roles move to remote, non-technical remote workers may face challenges accessing IT support. If a remote worker halfway across the world experiences technical problems, they may turn to non-secure, outside IT support, exposing your company’s confidential resources. Using cloud tools to deliver IT support can help maintain seamless security across your technical and non-technical remote workforce. 

On-prem security tools vs. cloud-based RemoteSec 

Most companies extol the virtues of on-prem security and rightly so. On-prem security is the gold standard of information security. However, that standard falls apart when stood up against today’s hybrid workforce of remote teams and in-house professionals using a diverse range of endpoints—especially when that workforce is quickly ushered back into their homes for safety purposes. Why? Because on-prem security protocols are designed to contain information in an airtight box. 

Cloud and remote teams not only open that box, but they also turn the organization into an open platform with multiple access points and endpoints. So, how can an organization achieve on-prem security levels with remote teams in the cloud? The answer lies in using the right security tools to migrate your organization from an on-prem mindset to one that considers remote security equally. 

Cloud security tools include desktop infrastructure, file system snapshots, remote data and activity monitoring, and remote device encryption and data wipes. Such mechanisms not only safeguard company data, but give more control over IT resources used by remote workers.

In addition, deploying a single-sign on service with multi-factor authentication can better protect company data stored in the cloud, as well as assist in access management. VPNs, both desktop and mobile, can further provide authentication while also encrypting network traffic and obscuring private details, which may be necessary while connecting in public places.

A massive shift

Cloud services, at once the hero and villain of information security, will prove to be an ace up the sleeve for companies transitioning away from underperforming on-prem security standards. While remote work seems to have caught on—and is sometimes necessary—we are only at the beginning of a massive tectonic shift in how work is done. 

RemoteSec, therefore, is an emerging security field in security, one that’s been discussed for years but never quite tested to this degree. As organizations gain more remote workers, the need to embrace RemoteSec at the forefront of cybersecurity policy will only escalate. Addressing the crucial areas outlined above can help organizations mitigate the emerging risks while embracing a remote workforce. 

The post RemoteSec: achieving on-prem security levels with cloud-based remote teams appeared first on Malwarebytes Labs.

Get your sweatbands and glow gear on for Activate on Saturday, March 21st! Activate is like a video game, except YOU are the player! Games will require you to jump, crawl, run, and hide or risk losing a life. Bring runners and workout gear as you WILL get your sweat on! Check out www.activate.ca for more details of our venue.

Meet at Activate Games (3338 Portage Ave) at 7:15pm to sign waivers and store your stuff in provided lockers, start time is 7:30pm. Cost: $25 for 90 minutes required at sign-up.

You’re also invited to The Daily Grind for beverages after the event at approximately 9:10 PM.

RSVP by Wednesday, March 18th at churchoftherock.ca/sign-up (spots limited. Payment required at RSVP).

The post Activate Games appeared first on Church of The Rock.

The Octopus Squish Tutorial takes you through the basics of this adorable and huggable free crochet softie pattern – in both right and left-handed videos! Disclaimer: This post includes affiliate links; materials provided by Yarnspirations and Furls USA. Octopus Squish Tutorial: How to Crochet the Octopus Squish – Right Handed How to Crochet the Octopus...

Read More

The post Octopus Squish Tutorial appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

2

Today’s planet is experiencing many tragedies and global disasters. In response a collection of Doctor Who fans are working to help out some of the victims of the Australian wildfires by holding a Doctor Who fundraiser.  G’Day of the Doctor is a one-day event held at the The Royal Vauxhall Tavern from 1pm – 6pm […]

The post G’Day of The Doctor – Charity Event featuring Katy Manning, Nicola Bryant, Mark Gatiss and more appeared first on Blogtor Who.

Art by quiteproustianThe promiscuousness of infernal beings is well-known, so it isn't surprising that by-blows of their trysts are found among mortals. While rare in most of the world, those with infernal blood are the majority of the populous in Demonland1, a city-state across the mephitic Wastes from the Country of Sang. Why so many descendants of infernal bloodlines should be found in one place is a mystery, but perhaps the area had a sulfurous air of hominess for their grandsires and granddams.

Demonland proper is built upon a cluster of small islands in a lake formed by hot springs. The boiling, caustic, malodorous waters are a perfect defense --though they also make life less pleasant for the inhabitants. Demonland’s potable water comes from filtered rainwater collect in cisterns and also by magical purification of the water of the lake itself. The city is only accessible by boat and all goods and visitors make the trip over by ferry.


Demonland is nominally ruled by a Duke (or Duchess), and though this ruler’s power is theoretically absolute, it is most commonly exercised in throwing lavish revelries at which the true rulers of the city go masked. These princes (and their masks) represent the seven capital vices exalted in Demonlander religion and culture. The prince of each vice is officially appointed by the Duke but in practice is more or less elected by general consensus, as the Duke shrewdly defers to the inclinations of the mob. They serve for an indefinite tenure, usually a year and a day. The princes are meant to most perfectly embody their vice, and would-be candidates campaign vigorously (all except the candidates for Prince of Sloth, of course) for the title by engaging in the most audacious (and public) displays of sinfulness to capture the jaded hearts of the populous. The princes hold absolute authority with regard to the practice of the vice they personify and make legal proclamations and levy taxes or duties that might be pertinent as they see fit. They are allowed to keep a percentage of any monies collected for themselves.

Diabolism is the state religion of Demonland. It inverts the morality of most human faiths, promoting vice and condemning virtue. Self-interest and the pursuit of pleasure are valued over altruism and self-denial; Greed and vanity are extolled, and charity and modesty condemned. Demonlanders, however, are only a trifle less likely to fall short of the ideals of their faith than folk elsewhere, so their practice of immorality is as prone to lapses as the practice of morality in other lands.

Art by Arthur Asa1. The correct demonym is "Demonlander." Never call a Demonlander a "demon" as this is both inaccurate and rude. "Tiefling" is just as bad.

"Even in the far gulfs of space, the struggle of Law against Chaos, Good versus Evil is eternal. But wherever evil is not extinguished, it will revive to exact vengeance on those who would keep it at bay... ...On the fringes of the realm, where civilization wanes and adventures begin, rumors are whispered of a castle that fell from the sky. Some say it has poisoned the land where it fell Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0

The post Video of the Day – Florida Supercon, 2016 appeared first on Blogtor Who.

The post 1382 appeared first on Looking For Group.

Downtime and Demesnes
On Downtime and Demesnes (2019)by Courtney C. CampbellPublished by Hack & Slash Publishing
Old-school D&D has been fairly well supported by adventures over the last decade. Rules and character options, we have had more than we needed (we honestly didn’t need that many). This book targets a fairly neglected niche: campaign-level play. This is the stuff that happens between the characters go on adventures – when they spend their well-earned money, advance character and party goals, and gear up for the next expedition. In modern models of play, a lot of this has fallen by the wayside; the role-assumption-vs-adventuring dichotomy has taken hold too firmly in peoples’ minds. You are either supposed to be doing silly voices, or you are supposed to be heaving skulls (silly accents optional).
I suspect many old-school games also forgo this element, or simplify it to “okay you buy equipment, you go to the cleric, you ask the sage, what about you?” This is all right. However, OD&D, Ready Ref Sheets, and the Dungeon Masters Guide hint at a game that expands the scope of D&D into domain management, trade, diplomacy, hireling management, and similar activities… something D&D’s “complex wargaming” precursors like Blackmoor and Tony Bath’s Hyboria were already doing. It is a loss that most “OSR” rulesets – even the better ones – have largely stuck to copying the rules or inventing their own, while failing to cover the true scope of expanded play you can find in the AD&D rulebooks.
On Downtime and Demesnes is a supplement meant to introduce these elements to your game. (The default system is B/X, but the lessons apply just as well to all the other D&D variants out there.) Its approach is to create easy, straightforward procedures to turn downtime activities and strategic-level play into gameable content. This is undoubtedly the right way to do it. The guidelines the book offers are not as hard as ironclad rules (game mechanics), but they are also not vague like general guidance – they are somewhere in-between, a tool to navigate game situations in a fair and interesting way, a bit like dungeon crawls have procedures for random encounters, treasure allocation, or light sources. The end result should provide a challenge, have a meaningful stake, and produce a better game experience. As the book suggests, only significant or interesting forms of interaction are worth the attention (a wise principle regarding spending game time), and the subsequent guidelines tend to stick to this maxim.Laying the GroundworkAccordingly, the book covers all the varied situations that may come up during downtime. This is a comprehensive work, in that it offers either a procedure, a random idea generator, or at least basic advice for most things that could reasonably come up in a realistic game situation. Healing from sustained injuries – there are guidelines for that. Earning an income – here is a way to handle it. Amassing a library of exotic books for future benefit – yes. Hiring specialists or launching the career of a secondary character to step in the main PC’s footsteps – it is there. Investment in mercantile ventures? Mining? Clearing terrain? Building stuff? Breeding bizarre monstrosities to terrorise the land? Yes, yes, yes, yes and yes.
These guidelines are of varied complexity. None of them would make play burdensome, and most tend to be something you can resolve with a few player decisions and random rolls. Earning extra XP by carousing is a 1d8*100 roll, deducted from gp and added to XP, followed by a saving throw to see if there have been complications. Sacrifices to dark gods can net you gold, XP, a magic item or the services of an evil creature, depending on the implied value of the sacrificed person/animal. Spending a week bragging about the party’s adventures nets 5% more experience (but you have to roll maintenance). Racketeering gains 100 gp per level per month on a successful Move Silently roll (but has a small, unspecified odd of attracting unwanted attention). A few guidelines are on the level of mini-games – designing your own fortress and clearing/developing the land around it is more involved, as it should be.
Making it Come TogetherI believe some areas are underserved by this otherwise useful book. I was excited to read the guidelines on political influence, but it only outlines what influence entails, and how you can gain it – not how you might use it in concrete terms, what you may gain through influence (and how much), or what happens when two influence conflict or simply overlap. It seems to be the beginning of something, a thought experiment that was never properly finished. This is the case with a few more interesting guidelines – the author pitches an intriguing what-if, but doesn’t give a satisfying answer. There is an extensive set of tables to ideas and guidelines to build ships with various capabilities and unstandard quirks, but no system for sea battles or just sailing adventures to put these capabilities to the test. The end results are a bit fragmentary and scattershot, even if it is very strong on the idea level.
Where the general procedures are fairly universal, the “random ideas” are oddly specific. A list of 10 bizarre pet stores includes a shop selling attack chickens, an ant farm, and a balloon animal store. Do you really need one of those? If yes, how many times?
Then we come to a curious flaw that seems to permeate the whole work. All of this seems to take place on Horror World. I can’t put it otherwise: there is such a strain of pessimism and negativity about mankind running through the book that it seems deeply misanthropic. The philosophy, in turn, messes with the systematic outcomes. This is an implied setting where bad things happen, people are rapacious and evil, and you are screwed from day one. It first becomes visible in the random tables. An early one, “100 Obnoxious Peasants”, should have been rightfully amended “…who Will Ruin Your Life”. These village bumpkins are not annoying but funny louts – these are peasants who will flirt with your characters only to rile up their whole clan against them (94), offer them friendly handshakes while unwittingly infecting them with the plague (86), or buy them a beer while trying to provoke them to say something treasonous (99). Then there are “100 Noble Patrons”, more appropriately “100 Noble Patrons From HELL”. Here, we have a lady who invites the party for dinner to pick their mind, only to beat them to the score with a self-sponsored party (03), another lady who hires adventurers to awaken her evil god under the guise of making trade deals (96), a baron who invites adventurers to his castle to use them for flesh golem parts (35), another lady pursued by killers who will try to befriend you (27), and a baroness who runs a charity for orphans, sacrifices 10% of them to devils, and “If killed she arises as a vampire due to a wish she got from hell.” (09) You would think I am cherry-picking, but these are just two sequences of random rolls – most (almost all) of these peasants and patrons are literal or social deathtraps if you interact with them. Or not interact with them, because many will become extremely vengeful and dangerous anyway if spurned, and will come after you if you give them a wide berth.
Random Goblins Destroy Your Life's WorkCertainly, nothing like a corrupt, dangerous fantasy world to generate adventure opportunities. Sometimes it is appropriate – sure, goblins are nasty little evildoers, so 12 horrid goblin pranks are sort of useful (although, being so specific, they have much less use than the procedural elements). But in a bunch of these mini-games, the only winning move is not to play, and that pushes the players towards disengagement, non-interaction, and a foul kind of cynicism. Would you play Russian roulette with one chamber? Yeah? How about five chambers? This is like the social equivalent of a “negadungeon”, those stupid things promising to wreck your campaigns and the player campaigns therein if you play them. Fortunately, this particular mean streak does not invalidate the book, and is much less present on the procedural level than the “idea generator” level. But there, you can run into nasty stuff in seemingly inconsequential situations. Perhaps you were happy to inherit something – but you are fucked, because it is a necklace of decapitation, or a peculiar curse. The odds are really bad, and that makes for dull gaming.
So here is an enjoyable book (handsomely illustrated by the multi-talented author) filled with a whole lot of highly useful guidance for running campaign-level sessions, either to expand on the existing action, or to enter new domains of play. The procedures it introduces are clear, elegant, low-maintenance, and appropriate. In this respect, Downtime and Demesnes is an excellent resource and a great idea mine. It also has aspects which are half-baked, or damaged by a very peculiar view of how your average D&D world was supposed to function. These elements, good and bad, are mixed together in a single volume. You will need to exercise judgement to decide what to use from it (or how to use the flawed content in a fruitful way – this is a distinct possibility). It should be fairly easy. But it should have happened in the writing phase.
No playtesters are credited in this publication.
Rating: *** / *****

“A wizard of the Elder Race. He lives here in Valusia, by the Lake of Visions in the House of a Thousand Mirrors. All things are known to him, lord king; he speaks with the dead and holds converse with the demons of the Lost Lands.”The Mirrors of Tuzun Thune  (1929) by Robert Ervin HowardA Kull short story. First published in Weird Tales (vol. 14, no. 3, September 1929).Robert E.Howard's Kull Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0

Ironically, to keep costs low for their enterprise and mid-market clients, managed service providers (MSPs) are some of the most reliant on third-party vendors—including those providing security. While this is generally not an indication of dysfunction or vulnerability, the responsible MSP will be looking with a critical eye while vetting cybersecurity vendors to evaluate how they might increase the organization’s attack surface—especially with the uptick in targeted attacks over the last few months.

So how should an MSP—or any organization, for that matter—evaluate cybersecurity vendors not just for budget and effectiveness, but also security posture? And how can MSPs continue to monitor their security partners as product features and organizational needs change over time?

What’s concerning from a Chief Security Officer’s (CSO’s) perspective is the veneer of legitimacy many cybersecurity vendors are capable of producing: Scammy security companies generally have slick, professional websites, convincing sales engineers, legions of onshore support administrators, and almost invariably, one or more executives with ties to a government intelligence agency, whether in the US or abroad.

Given that almost all cybersecurity companies on the market strive to project an image of professionalism, how can a CSO sort out companies that are a value add from those with a less than legitimate business model? And what about the companies that are above board, but just not very good? Let’s take a look.

The ugly cybersecurity vendors

Most harmful to a business in the long run are the cybersecurity vendors who either don’t do much, or have a business model that skirts the edge of the law. The simplest and most cost effective way of avoiding these companies is conducting a community temperature check.

Bad vendors tend to acquire a collective disapproval in the infosec community long before their business model fails. A quick Twitter or Google search of the vendor name can often reveal detailed accounts by analysts who have used them and can provide candid assessments.

But the gold standard for a temperature check is to ask your own team. Cross-pollination of infosec personnel is at an all time high. As such, your team most likely has a broad range of experience with multiple vendors on a host of platforms.

Your team can provide invaluable data, like added operations costs over the long term, company billing practices, and interoperability with existing systems. They can also tip you off on issues with vaporware; generally defined as giving the appearance of having a product/feature, which is in reality much more limited or even non-existent.

Like most vendors of higher quality, the ugly will also have former intelligence agency personnel to give themselves a veneer of authority and competence. A question that rarely gets asked, though, is “Which agency?” Is it an agency with a formal mandate for addressing cyberthreats, with an established university pipeline and well-regarded reputation? Is it an agency whose cyber division was stood up relatively recently, with repurposed employees from other departments?

Further, how relevant is that experience to your business needs? If the majority of your security losses are coming from phishing and malvertising, is having access to analysts experienced in state-sponsored intrusions really relevant?

The bad cybersecurity vendors

Some infosec vendors really do try their best to provide a valuable product to the end user, but still fall awfully short of the mark. The problem here isn’t that they’re not trying to deliver a good product—it’s that they don’t necessarily understand what “good” is to you.

In the public sector, intelligence is often defined as information that is timely, accurate, and relevant. This applies to cyberthreat intelligence derived from security products as well. If you kick out any one of the legs on the threat intelligence tripod, you’re left with a platform too unstable to make any reliable judgement on cyber risk.

An organizational threat delivered to SOC personnel in a timely manner that hasn’t been vetted (i.e. is inaccurate) is not intelligence. Threat data that is timely and accurate, but not adapted to your business vertical (i.e is irrelevant) is also not intelligence.

What these threat alerts amount to tends to be a drag on organizational resources, as in-house security personnel are tasked with vetting ever-increasing quantities of data that don’t address business needs. Don’t those tier-two SOC techs have better things to do than retrace vague, un-targeted analysis?

Bad cyberthreat intel vendors often correctly identify the desired end goal of intelligence, but lack an understanding of appropriate methodology. Again, these companies often out themselves as undesirable with a quick community check.

A poorly-sourced, unreviewed report using inflated claims will quickly reveal itself as such when the infosec community reviews the content. Timely, accurate, and relevant threat data will be shared, retweeted, and commented upon much more frequently then less useful sources. Pausing for a moment to see how other organizations have integrated threat data being offered to you can provide a valuable check against letting a bad vendor slip through the cracks.

Some questions to ask the sales engineer:

• How will this data be tailored to my organization?
• How is the data delivered to us, and if it’s a portal, what is your upgrade release schedule?
•  And most importantly: How do you vet your sources?

Note: do not accept “We have to protect our sources and methods.” This is a phrase borrowed from government intelligence, who generally uses it in situations involving threats to human lives. More commonly, it’s used to express sentiments akin to “I’m not going to tell you because I don’t want to, don’t know, or it would embarrass me.”

The good cybersecurity vendors

Here’s the most difficult category and the holy grail for augmenting your security team: a company that delivers well-targeted services to your organization in a manner that is timely, accurate, and relevant. The catch here is that to properly spot the good company, your own organization has to have timely, accurate, and relevant defined down to a T. This brings us to the last and most important aspect of vetting: metrics.

Certain companies can provide an awfully impressive “real-time demonstration” of the product, sometimes offering you a head-to-head with competing products. They might reference the number of threats detected, speed of detections, analysis, or number of endpoints providing data.

There is a barrage of cybersecurity metrics available to benchmark performance, so how do you know which are valuable? The answer is: none of them. The only metric relevant to evaluate security performance is that which has been generated by your own team against a mature risk tolerance posture. Vendor metrics can’t possibly address the various risk tolerances of all their customers and therefore can’t be relevant to how they would perform for you. Once you know your own metrics, evaluating vendors can be a piece of cake. (And requires much fewer meetings.)

Some questions to ask the relationship manager for a great vendor:

• How can I share feedback from my security team?
• When can we revisit my business needs?
• What improvements do you have planned for next quarter?

To sum up, vetting vendors doesn’t have to be painful—as long as you know your own risk tolerance posture, and have a mature communication channel with your own security team.

The post Securing the MSP: best practices for vetting cybersecurity vendors appeared first on Malwarebytes Labs.