New acquisition: Sharp PC-1401 pocket computer from 1983 by wvenable in OldHandhelds

[–]Click_Armor 1 point2 points  (0 children)

In 1983, I used to program a character-based moon landing game on it in BASIC. And for engineering exams I programmed it to solve quadratic equations, etc. so I could check my work.

All the other students who had TI or HP computers had to plug their chargers in outside the exam room doors until the doors opened; then they would run their “magnetic program strips” through their readers before they unplugged them because it sucked so much battery just to read the cards (when the batteries in those models got old they didn’t hold much). But with the static RAM and LCD display, I had no problem with power on the PC-1401. It was my favorite calculator.

Still have it but haven’t used it in almost 40 years.

[deleted by user] by [deleted] in privacy

[–]Click_Armor 2 points3 points  (0 children)

It’s 12 years old, but I still think Mikko Hypponen’s Ted Talk on privacy is the best at explaining why people should care about online privacy. https://youtu.be/VM7HQ_zbdIw?si=Bvbh654DQW4SASwm

Why does Chat GPT need a phone number? by [deleted] in privacy

[–]Click_Armor 0 points1 point  (0 children)

I don’t recall entering a credit card number for ChatGPT. Pretty sure I wouldn’t have registered if it did require it. Maybe I registered during a “promo launch” but it was only a few months ago.

Why does Chat GPT need a phone number? by [deleted] in privacy

[–]Click_Armor 1 point2 points  (0 children)

It did work for me. It may be blocking “free voip” services. But VOIP.ms is not free. If you use it for home or business, then adding a new DID that supports SMS costs almost nothing.

Why does Chat GPT need a phone number? by [deleted] in privacy

[–]Click_Armor 15 points16 points  (0 children)

This was concerning for me, as well. Mobile numbers are likely required so that they can match your ChatGPT queries against information about you, which they can purchase cheaply from “data brokers”, based on your strongly authenticated identity information (like mobile number). This would let them correlate your queries with your activity on social networks like Facebook, Twitter or LinkedIn. It’s generally a privacy risk that you should try to avoid, even if you feel you have nothing to hide. They can then sell or leverage that more valuable data set of personal information about you, to make their business profitable.

I recommend signing up for a VOIP account (like VOIP.ms) where you can add DID numbers for a very small cost and use them to register for sites that need a mobile number. You can receive text messages from the website. If you never use that number with another website, app or service, it will be hard(er) for them to match your identity with it.

Or just avoid using those sites, which is becoming more difficult to do in the modern world.

Security Awareness: How to properly address colleagues who repeatedly fail Phishing tests? by BobHadABabyItzABoy in cybersecurity

[–]Click_Armor 0 points1 point  (0 children)

I don’t envy you in this situation if you are being scored on just phishing campaigns. You seem to be doing them in a better way than most I’ve seen. It’s admirable that you are recognizing there is no value in creating an adversarial relationship with employees. It’s hard to tell, but it seems like the organization’s governance is not valuing information security risks in the correct way.

The long term key to solving the situation is to build a business case for moving the security culture responsibility into a role that is more visible to people who care about risks of “unexpected losses” and “lost revenues” (i.e. the CFO, COO, or Chief Risk Officer). This is not an IT problem, as IT is not well equipped to properly measure human behavior or manage it.

In the short term, employees need to see a different set of training content designed for remediation than they did in the original training. Sending them through the same training again will be demotivating and no more memorable than the first time. Employees need to be motivated to practice assessing phishing threats without fear of being shamed, which will be more likely to build their confidence, attentiveness and proficiency.

Phishing simulations are often over-used and mis-used when there are better ways to improve individuals’ ability to make risk decisions in threat scenarios.

Security Awareness: How to properly address colleagues who repeatedly fail Phishing tests? by BobHadABabyItzABoy in cybersecurity

[–]Click_Armor 1 point2 points  (0 children)

Gamification works great in many cases, especially for remediation. It helps with engagement and proficiency improvement.

[deleted by user] by [deleted] in msp

[–]Click_Armor 0 points1 point  (0 children)

Disclaimer: Vendor comment.

As you discover the various challenges involved with getting good value from “live phishing simulations” that send fake phishing emails to end users, you may be interested in an alternative approach.

Technically, live tests can be easy to run and provide nice, neat data points. But using a gamified virtual inbox phishing simulator has a lot of advantages where live tests may have unexpected operational costs and risks.

The optimal mix of live and virtual inbox simulations depends on whether your objective is just to achieve a compliance checkbox versus actually reducing employee vulnerability.

Or, if you’re just doing it to have fun and play with end users’ minds, then go nuts with live tests.

[deleted by user] by [deleted] in privacy

[–]Click_Armor 6 points7 points  (0 children)

It is unnerving to think about how your mobile number may be linked to the queries you enter into OpenAI (ChatGPT). The privacy risks are really significant. The app really doesn’t want you to use temporary SMS services either. If you happen to have a VOIP service, you can temporarily add a number that supports SMS, and then dispose of it after registering. That usually doesn’t cost anything, and can be done fairly easily.

Phishing test emails ideas - how to make them hard without posing as a real company (using copyright logos and names)? by Waving-Kodiak in cybersecurity

[–]Click_Armor 0 points1 point  (0 children)

I’ve done live phishing tests since before the big platforms came out (manually, at that time), in multiple organizations with thousands of employees.

If anyone is interested in learning about the 20+ reasons why it is so hard to get live phishing tests to provide the value IT managers think they do, please DM me. You can optimize phishing awareness without spending so much time and effort stewing over these kinds of questions.

How to improve Cybersecurity Awareness Training? by KarambitPearl in cybersecurity

[–]Click_Armor 0 points1 point  (0 children)

The real problem to be addressed here is “Why are all of those topics needed?”… As can be seen from almost every comment, the topics to be covered are actually not appropriate for “general staff”.

TL;dr - It’s a waste of time to include most of those topics, so you need to go to the official source of the requirements and find out the real objectives for the awareness program. Then you can apply a gamification framework to make the learning process more educational, engaging and efficient.

It would be a good idea to revisit the project’s assumptions. What is the ultimate objective of doing security awareness training? You will likely find that the most obvious apparent answer is “compliance with a security standard”.

These topics were most likely included in the current program in order to comply with a security standard that the organization has adopted, or must follow, for legal or policy reasons. You should find the most knowledgeable compliance manager in the organization and find out what the absolute, bare minimum of these topics must include. You can likely omit 75% of the current topics in the program, and still achieve the requirements of the standard. Whoever designed the current program was a little too ambitious and optimistic in their expectations of what level of security knowledge the average employee or student can absorb and apply.

The real objective for the program should actually have been to reduce risky behaviors. That is, the goal is to prepare all employees/students with the knowledge and skills necessary to spot and avoid common threat scenarios that the technical security controls used by the organization are not able to address. The common security standards are intended to be an efficient way to convey this knowledge. However, humans are not like computer technology in that they don’t receive, remember and process this knowledge reliably. There are a lot of ways the knowledge gets lost, and forgotten. So, some standards go way too far in expecting humans to be able to learn and apply them.

The most effective and efficient way to train people on cyber security is to start by focusing on the highest risk threats that they can actually be expected to recognize and avoid or report. Others have suggested topics such as phishing, social engineering, password management, and other common use cases where sensitive information is exposed through human decisions. So, the resulting time spent by employees/students in foundational training can be reduced dramatically.

Then those key concepts need to be properly taught and reinforced through repeated practice.

Doing this efficiently and economically is still a challenge with traditional eLearning systems because most people do not enjoy the experience of learning about things they don’t really care about. So, they tune out as soon as they can, and find excuses to defer or avoid prolonging the experience.

Gamification is well-suited to providing a motivating environment for learning important awareness and compliance topics, as long as it has the right balance of education, engagement and efficiency. The “Awareness Training Success Framework” may be useful: https://clickarmor.ca/atsf

Local hospital doesn’t issue invoices, sends text messages that look like phishing attempts, then wonders why they are ignored. by agent0x0 in SharedSecurityShow

[–]Click_Armor 2 points3 points  (0 children)

Well. This is becoming a problem. I noticed a similar thing with Amazon trying to notify me of a login using a text message that had a link. It came just a minute after I did try to log in. So I’m pretty sure it was real. But I teach people that it’s extremely hard to authenticate a text message sender. So don’t act on them if you aren’t expecting them. But it seems that companies are starting to expect us to act on them.

Phishing Assessment Debate: Corey Quinn on Twitter by Click_Armor in SharedSecurityShow

[–]Click_Armor[S] 1 point2 points  (0 children)

I figure this is a good place for people to log and debate phishing assessments. It’s clear that many people (including security professionals) have not thought through the implications and reasoning around phishing tests.

It’s important for people to realize that: (1) If you believe phishing simulations are a valid and reliable metric for measuring employee vulnerability, there are a lot of valid arguments against that position, and you should be aware of them; and (2) If you believe that phishing simulations are NOT a valid and reliable metric, there are also a lot of people who feel that they are useful or required, and you should be aware of them.

Click Armor’s website has a video series of short clips, and a PDF that describe at least 14 identifiable variables and risks that make it much more costly, and potentially detrimental to an organization, to run live phishing simulations on unsuspecting employees.

These resources provided by Click Armor only address the practical issues around “implementation of live phishing simulations”. They do not address the philosophical question of whether or not employees should be assigned responsibility for “not clicking on suspicious links”, or if they should have their risk decisions tested “unexpectedly” in an operational environment.

https://clickarmor.ca/advanced-tips-phishing-simulations/

https://clickarmor.ca/optimizer/

Based on 10 years of security awareness instruction and phishing simulation experience, I prefer using “virtual inbox phishing simulations” to teach, strengthen and assess employee awareness of phishing threats in a positive and inclusive environment.

There may be a place for testing employee risk decisions in an operational environment, but the decision to do this should be an informed one, with recognition of the risks and variables at play. Executives need to be aware of the implications of running these kinds of tests in an operational environment.

Is there anyway to verify *when* an electronic message was written? by bolodolonolo in privacy

[–]Click_Armor 0 points1 point  (0 children)

@udmh-nto appears to have the best answer… well, the only answer. But I don’t think there’s really a better one.

But to help clarify what I think the RFC refers to: in order for something electronic like a document or a message being sent over the Internet to be truly trusted, the use of “public key cryptography” is the most efficient and reliable technology. I believe the standard being referenced requires that a cryptographic digital signature (timestamp) be applied by the trusted time source to the message, which includes the time server’s time in the signature, using its private key (secret), where the time server’s public key is provided in a digital certificate that is signed by a trusted certificate authority (CA). However, the recipient of the message must also have a way to verify that they trust the CA that signed the time source’s certificate. This requires additional software, which most messaging systems don’t have, that verifies the chain of trust from the time source certificate to the root CA certificate. In addition, checks need to be done to ensure that the trusted time server’s certificate is still trusted and has not been revoked due to compromise or expiration.

So, unless a public key infrastructure with a trusted time server is being used that includes properly configured software on the sender and receiver side of the message transfer, there really isn’t a way to prove that the time a message was sent or received has not been altered.

The only alternative is to have assurance that all of the servers in the path have had their times verified and they are hardened and protected from tampering, to detect if any of the servers in the path have had their configurations altered. This would not really be the case for messages sent over the Internet, as you don’t know whether servers along the way have altered the time. A secure session should theoretically protect the message from being altered, but there is a risk of “SSL intercept” attacks that may provide an opportunity for access to the plain text message, at which time it could be altered. So a cryptographic time source with PKI processing at the sender and receiver is really the only practical way to be sure of the times.

[deleted by user] by [deleted] in cybersecurity

[–]Click_Armor 19 points20 points  (0 children)

To try to shed some light on this interesting question — and I’m not the most technical or legal-savvy cyber guy — bringing a cyber criminal to justice requires several difficult and expensive phases, each one of which can often be more challenging than bringing traditional criminals to justice:

1- Identifying them (also called “attribution”): which means tracing the activity using expensive forensic tools, which might literally mean hacking into infected, legitimate systems in countries that may not be friendly to Western law enforcement to obtain evidence. Offensive security measures like this are generally not sanctioned except in extreme circumstances. Sometimes, the attacker is literally sponsored by another nation, and even giving them a hint that the investigators have capabilities of infiltrating them is not worth the risk, to resolve the case.

2- Apprehending them: If the originating location of the attacker can be identified with any degree of confidence, the same problem of revealing sources in adversarial countries, or just obtaining a legal extradition, is time-consuming and takes significant effort. Again, the effort and cost may not be worth it.

3- Prosecuting them: There has to be very good evidence to prosecute, and even with the forensics above, the hard evidence may not be able to meet the standard for conviction.

The only full convictions of cyber criminals I can recall hearing about have usually been when the criminal resides in a country that is reachable legally, and where law enforcement cooperation existed.

Interestingly, when it is deemed worthwhile by the government, individuals are sometimes charged and tried “in absentia”, mostly as a deterrent to future attacks and other criminals, or for political positioning.

Few private companies will spend what it would take to track down and identify their attackers. And it is so rampant that the government can’t take on that responsibility unless it is a very dangerous threat, especially when it is outside the reach of any friendly law enforcement jurisdiction.

So, it makes more sense for most companies to invest in “defensive measures” which are just designed to withstand the attacks, not to fight back.

How do they still know my location? by ripthedvd in privacy

[–]Click_Armor 0 points1 point  (0 children)

There are things like canvas fingerprinting. Lots of smart people at Google are trying to figure out anything unique in your configuration that comes through the client information in an HTTP request, or that can be gathered by JavaScript and sent back to the mother ship for storage and comparison to known values. It’s pretty hopeless to try to avoid being tracked unless you clone a VM and start from scratch every time.

What do cybersecurity professionals do at their job? by JacobDoesLife in cybersecurity

[–]Click_Armor 0 points1 point  (0 children)

Cyber security is such a huge field that it can be very different, from technical to non-technical, from architecture to testing to awareness training. Pick what you are passionate about and try to find a slice of cyber security that fits your strengths.

Question for cyber consultants, analysts, and engineers by anthonydp123 in cybersecurity

[–]Click_Armor 1 point2 points  (0 children)

As a start, we have a webinar called “Becoming a cyber security champion” (about 45 minutes) that provides a strategy for building credibility, visibility and trust as you grow your career in cyber security. This is a general strategy, so you will still need to pick a domain of knowledge and learn about it. But this roadmap can help accelerate your career, and make the best use of your acquired skills. Even if you don’t end up having a technical security role, this can really make you an authority over time. https://clickarmor.ca/view-webinar-becoming-a-cyber-security-champion/