Rexxfield's Michael Roberts

Monday, August 18, 2008

SPIN - How the sociopath can get away with ... well everything.

Your understanding of a sociopath’s expert employment of “SPIN” is singularly the best way to begin to understand the way I and many others have found ourselves so frequently gasping in the wake of carnage left by my antagonist. When executing her anti-social agendas, her modus operandi was to sprinkle enough truth in any given lie to add credence to her deceptions. Alternatively, sometimes she will “kitchen sink it”. That is where she will overdose the performance with too much information; the end result is very muddy waters in which no reasonable person can navigate.
The clinical definition of this tactic is “SPIN”:
  1. The most common referents for spin are:

    1. a way of giving a positive cast to a negative story or;
    2. a way of giving a negative cast to a positive story (whichever is most advantageous to the spinner) or;
    3. a form of deception which tries to redirect the way (or whether) one thinks about an issue.

  2. Spin at its best:

    1. looks like it is addressing an issue directly but is not.
    2. cannot be factually disproved.
    3. uses language that allows “interpretation” so that the spinner can deny lying. An example might be Bill Clinton’s definition of a sexual relationship: although it differed from that of most objective bystanders, it allowed him to redirect the way observers perceived the Lewinsky scandal, but in a way that he could not be directly accused of lying.


Michael Roberts Google+

Monday, August 11, 2008

Justifying IT Security Training & the ROI

This essay is based on observations over a 12-year period in which I have been involved in the IT Training industry, most recently with Mile2, which delivers what is arguably the best Penetration Testing Training globally.

Unlike “commodity” training such as commonly available Cisco and Microsoft certification courses, IT security training investments require a higher degree of due diligence on the part of the student and on the part of management personnel responsible for Information Assurance within their organization.

Unfortunately the managers of many organizations have yet to grasp the severity of risks posed by the vulnerabilities invariably present within their network because many are yet to be identified. As such, they are often reluctant to invest in the security training those on the frontline are desperately seeking. This is akin to a bank being slow in deciding if it should have an armed guard in the foyer just because it has not had a hold-up since it opened in 1919, even though the crime indicators for the area are escalating. If a decision was made to hire a guard and the bank enjoyed another 5-year period without a holdup, the “bean-counters” might argue that the guard is not needed. The question is how many holdups were thwarted by the guard? In the same manner, how many network breaches are thwarted by a network secured by personnel with relevant, efficient and up-to-date IT Security Training? It is not a measurable statistic, but the assumption that many breaches were probably thwarted does stand to reason.

Unlike almost any other IT problem an organization may face, a security breach is far more serious than a broken router or a crashed hard drive which can be routinely remedied. After all, information assets such as customer databases, trade secrets and intellectual property are probably the most valuable assets on a commercial organization’s balance sheet; or, in the case of government or military entities, their databases contain some of the world’s most sensitive secrets. Information assets are usually the worst things to lose because when they are stolen, they are probably not insured and invariably create irrecoverable or irreversible damage.

What I am attempting to articulate here is something fundamentally obvious, but which no one seems to have adequately addressed. What is the difference between a “specialty IT security trainer” and a “great general instructor with a mediocre to great book”? An executive director of a large Asian delivery partner asked this question recently and it is a great question. It occurred to us that the difference isn't in the quality of instruction, or in the curricula, or in the courseware, or in the frequency of updates. It is in the just-right combination of all these elements.

A premier IT security training vendor does not sell training programs, or instructor days, or courseware; he sells an organization's security. Program graduates secure their organizations because they know what to do, when to do it and how, and they understand why. Good IA training vendors deliver on this promise time and again because they don't train just anybody (they insist on prerequisites), they don't rely on books and their instruction is a mix of from-the-field experience and pedagogical excellence.

In an effort to provide the best possible protection for their clients’ information assets, Mile2 Security Training Partners have elected to bring in “hired guns” from Mile2 to make sure students have everything reasonably required to create and implement effective security policies.

Good Training Companies will continue to utilize their internal team of multifaceted instructors to provide great training value for “commodity” training courses such as Microsoft, Cisco and Citrix to name but a few. However, with respect to IT Security Training, they bring in the experts. This decision allows local students a quality alternative to the “class in a box” security options offered by other training vendors and delivered by all-purpose trainers. These courses are generally obsolete by the time the courseware or book is shipped, let alone presented in class. IT Security evolves constantly and in keeping, related curriculum should be printed only a week or two before each event to allow for crucial last minute updates; hence, covering the latest threats.

You may be the decision maker for training budgets or you may have to go “hat in hand” to management for funding; either way, before you make a decision on what training to pursue, do a quick mental check list of EVERYTHING your organization can least afford to lose. Once you have the list, estimate the losses if that information is lost or stolen. If it is a customer database, how much would you lose if your customers lost their trust in your organization and went elsewhere with their business? This “scenario planning” is a great way to justify the training budget you need.

When management compares the cost of potential losses against the relatively low training fees, they will find an excellent return on investment. Quality information security training programmes equate to a very low insurance premium for your priceless information assets.

Saturday, August 9, 2008

Define:Sociopath - What is a Psychopath?

THE SMEAR CAMPAIGN -- TRADEMARK OF A SOCIOPATH (A.K.A. Psychopath)

If you are under libelous attack by a person who has deceived and defrauded you, there is a possibility that the person is a sociopath. Sociopaths have no heart, no conscience and no remorse. They will lie, cheat and steal from you, and then tell everyone that it is all your fault.

Why is it so critical for you to know about sociopaths? Because millions of sociopaths, also called psychopaths, are living among us. Yes, many of them are criminals, locked up in jail. But far more are on the street, hurting people without breaking laws, operating in the gray areas between legal and illegal, or simply eluding the authorities. They can appear to be normal, but they pose a tremendous threat to us all.

So how many are there? Depending which expert estimates you use, psychopaths and sociopaths comprise 1 percent to 4 percent of the world's population. And many people think these estimates are low.

To learn more about sociopaths, Rexxfield recommends that you visit Lovefraud.com. This web site is dedicated to informing the public about sociopaths, particularly with respect to personal and romantic relationships, so you can protect yourself. You might also want to read this article in the Lovefraud Blog, Sociopaths and their smear campaigns.


Delete Internet Libel & Search Engine Reputation

Essay - Internet Libel & Search Engine Reputation.
The very low-tech end to business and career.
by Michael Roberts of Rexxfield

Reputation: is what others say about you.

Character: is what you really are as evidenced by your actions when no one is observing.

IMPORTANT DISCLAIMER: Do not proceed without reading the linked disclaimer.

IT security is a multibillion dollar industry which has necessitated new and constantly revised laws in almost every state on earth. These laws address the criminal aspects of aggressive and deliberate business or personal privacy invasion and information disruption or destruction via various technology mediums; commonly referred to as “hacking”, or more accurately “cracking”.

So what is the “low-tech” threat that goes largely unnoticed by the community, usually ignored by criminal prosecutors and yet the cause of billions of dollars in irreparable damage to business goodwill, personal reputation, and very significantly to the emotional well being of the human victims? The threat is called LIBEL; a form of the ancient legal theory of SLANDER with origins in Roman jurisprudence.

This issue is close to my heart because I have had a very frustrating and bitter experience therein. I have purposed to collaborate with Rexxfield experts from various fields including psychology, medicine, technology, legal and public relations to produce resources to assist victims in their efforts to remedy the wrongs and for potential victims to mitigate the risks.

Defamation is the term used internationally to generally describe an injury to reputation. Slander and Libel are false or malicious claims that may harm someone's reputation. Slander and libel both require publication, with the fundamental distinction between the two lying solely in the form in which the defamatory material is published. If published in some fleeting form, such as spoken words or sounds, sign language, gestures and the like, then this would be slander. If it is published in more durable form, such as in written words, film, data disc (CD or DVD), blogging, web sites and the like, then it is considered libel. The key to these definitions is that the statements must be false. If someone published the truth about a person, it is NOT slander or libel. Slander and libel are not protected forms of free speech under the US First Amendment. [Reference]

In law, defamation is the communication of a statement that makes a false or deceptive claim, expressly stated or implied to be factual, that may harm the reputation of an individual, business, product, group, government or nation. Most jurisdictions allow legal actions, civil and/or criminal, to deter various kinds of defamation and retaliate against groundless criticism. Related to defamation is public disclosure of private facts where one person reveals information which is not of public concern and the release of which would offend a reasonable person. Unlike libel or slander, truth is not a defense for invasion of privacy. [Reference]

The Security Enigma


The cost of acquiring and implementing IT security systems to protect the information assets of organizations is relatively large. Gone are the days when a VAR could hype a new appliance or software solution that promises the world but delivers only headaches. Instead common sense is applied with careful assessment of the return on investment ("ROI") for risk mitigation, disaster recovery and business continuity planning. After all, in most small businesses or enterprises the most valuable assets on the balance sheet are not insured against loss, damage or theft; those assets are the data, customer lists, secrets, plans and the organization’s or the individual’s reputation.

Despite the prudent and extensive developments to mitigate the risks associated with unauthorized breaches in network security and other business disasters, very little has been done to assess the cost or to stimulate moves toward equitable judicial reforms to combat low technology cyber stalkers, antagonists, liars, extortionists and emotional terrorists. One well placed blog entry or web site with a strategically placed keyword combination can destroy an individual’s career, or many years of reputation and goodwill building for a business. For this unethical and cowardly minority a blog can become the cyber equivalent of an IED (improvised explosive device) for his or her victim’s career in the case of an individual; or the livelihood of anywhere from a few people to thousands of families who depend on the continued good standing of their employer in the community. Unlike data, reputations cannot be backed up nor easily restored.

Although there is legislation for criminal prosecution of defamation offenders in some jurisdictions (17 US states), such prosecution is almost unheard of. This leaves only civil court action which is expensive, drawn out and emotionally draining. The remedies available through tort are hindered and largely neutered by the lie mongers’ ability to engage in guerrilla tactics and wield their poison keyboards with apparent impunity by hiding behind anonymous user names, guest passes and IP cloaking solutions. The explosive increase in public hot spots in restaurants, airports and other anonymous internet connections makes anonymity easier by the day.

Additionally, the third party dissemination and republication of libel can turn the reputation problems into a wildfire. This can be particularly damaging if the victim has a unique name or trademark and a low appearance density in search engines. We all have a naïve and gullible friend or family member who insists on forwarding silly email rumors without checking the authenticity at snopes.com or other urban legend sites. It takes only a few of these “It was on the internet; it must be true!” people who have been enabled by simple blogging technologies to result in search results monopolized by lies; the devastating effect of which does not require rocket science to assess.

I have had extensive personal experiences with an antagonist who has relentlessly attacked me physically, emotionally, financially and publicly. The internet has been the most damaging venue to me as an entrepreneur; in early 2008 I had an agreement in principle with a European angel investment team to fund a start-up venture that I could not grow organically. Within 24 hours of the agreement they found my antagonist’s $1 a month “GoDaddy” web site and withdrew their offer immediately. In early April 2008, a $70 million enterprise was enthusiastically engaged in dialogue with me for a partnering venture in the USA… until they found “that web site” and withdrew.

Naturally, the more absurd the libelous assertions in a web page the less likely an objective observer will be to believe it. However, once that bystander becomes a potential employer or strategic partner in business the scenario changes drastically. The decision they make about associating with the libel victim will be filtered by the question “what will my customers think?”. If they have customers who believe everything they read on the internet, or who forward chain emails without checking for authenticity, then I am afraid you will likely become the proverbial leper. If your antagonists are clever, they will cast flaming aspersions against you that are altogether deceptive, but sprinkled with enough truth that, although benign in its own right, makes the tale all the more believable. I have a very good friend and business associate who was recently married; I trust this gentleman implicitly and I believe he holds me in the same regard. He asked his bride, whom I have never met, to read the web site that libeled me when it was still online; when she had finished she stopped short of insisting that he have nothing to do with me. Thankfully my friend of over 10 years was a witness to many of the events on which the tales were spun and he was able to assuage her fears.

Take the High road, the Low road or the Futile road?

Litigation - The Often Futile Road (and expensive)

I have taken action in the civil courts and am still seeking relief; I am beginning to realize that the notion of “justice”, at least at the hands of man, is just a warm and fuzzy feeling of false security. I am not suggesting that victims should not seek justice through the relevant authorities placed over society, or embrace anarchy, but I do counsel libel victims to set their expectations lower rather than higher; in doing so disappointment will not be so bitter if it is indeed the end result. Notwithstanding, I can offer some hard-earned experience to those wishing to pursue legal remedies. (Remember the disclaimer)

I would also submit that the less sophisticated the venue (courts in rural areas) the more likely it is that the Judge will be so intimidated by his or her lack of knowledge that he/she will err on the side of caution for fear of stepping on the first amendment. In my case, the Judge had previously made an off-record statement that “this computer business is foreign to me, if it was corn farming I could deal with it” or words to that effect. I filed an Emergency Motion for an injunction and had no relief after more than eight months. There are, however, instances throughout the USA where emergency motions have been treated as such and sites have been shut down or censored due to false claims and assertions within hours.

Keep in mind that where anonymity or skilled liars are involved, it may be difficult to prove the identity of the offender easily; in turn this could lead to a tangled web of finger pointing and subpoenas leading to dead ends.

If the plaintiff is merely a private person, the plaintiff must usually only show that the defendant acted negligently. If the private person wants to recover punitive damages, he or she must show evidence of actual malice.

Basic Requirements of a Defamation Case:

A defamation plaintiff must usually establish the following elements to recover:


  • Identification: The plaintiff must show that the publication was "of and concerning" himself or herself.
  • Publication: The plaintiff must show that the defamatory statements were disseminated to a third party.
  • Defamatory meaning: The plaintiff must establish that the statements in question were defamatory. For example, the language must do more than simply annoy a person or hurt a person's feelings.
  • Falsity: The statements must be false; truth is a defense to a defamation claim. Generally, the plaintiff bears the burden of proof of establishing falsity.
  • Statements of fact: The statements in question must be objectively verifiable as false statements of fact. In other words, the statements must be provable as false. (Caveat: Expressions of opinion can imply an assertion of objective facts. See Milkovich v. Lorain Journal.)
  • Damages: The false and defamatory statements must cause actual injury or special damages.
“Libel suits for material placed upon the Internet promises to be an exciting and volatile area of law. The methods that different countries currently use to resolve libel issues will have varying rates of effectiveness, and should be viewed closely as new legislation is developed to more handle the growing number of Internet libel cases. At the same time, strong consideration should be made of having an international methodology of handling Internet libel cases. Forum shopping problems and the worldly nature of the Internet may make an international approach the most realistic solution.” [Reference]

The Low Road

The Low Road is to fight fire with fire. In doing so you are simply going to inspire your antagonist to double his or her efforts. This is even more likely if the offender has a narcissistic or anti-social personality disorder such as in my case. The best thing you can do with this type of person is humble your pride and opt for a strategic withdrawal; that’s right! DISENGAGE. However, this does not mean you should give up. See “The High Road” option below for an explanation.

My father is a simple but wise man; I remember him once saying of some bullies who taunted and lied about me in grade four “what they say let them say”, I responded, “but some kids believe them!” He replied “the truth will remain the truth no matter how it is believed”. As it turned out I settled the issue with one of the two fights I have had in my life (both under the age of 12); but the fact remains that truth does remain the truth despite what Mr. Plato may think.

The High Road

As mentioned, don’t waste time fighting back; you will only fuel the fire. Seek injunctive relief through the courts by all means if the case is watertight, obvious and potentially affordable.

1st step – Give Libel Notice to the Antagonist

Give formal notice to the libeler of his/her libel. This leaves them without excuse should you seek damages through court. You have an obligation to mitigate your damages as it is within your reasonable power to do so.

2nd step – Give Libel Notice to the 3rd Party Publisher

Blog and forum owners don’t want to get dragged into a street fight or a court battle. Although the law is somewhat unclear as to the extent of 3rd party providers and republishers of information, I found that in every case except one, the site owners quickly removed the anonymous postings made by my antagonist when I provided them with very basic proof that they were perpetuating the distribution of libelous claims. Once they have been formally provided with proof of libel they become without a moral excuse. Notwithstanding, the United States Congress has given these republishers a legal excuse through Section 230(c) of the Communications Decency Act. This law allows them to turn a blind eye to innocent victims without fear of being sued. This is a whole 'nuther issue that gets me pretty wound up... them's fighting words to me; you can read my essay on this farce here: United States federal law opens the door to abuse of Free Speech abuse

3rd step – Dilution is the Key

The best strategy is to push the offensive and libelous material off the first page of Google and as far from the top of the list as practicable.

Chances are most people or organizations will not consider an online libel campaign as a serious risk to their future until an enemy has laid siege to their Google ramparts. As such, the appearance of remedial contingencies if any will be a simple coincidence, and probably only there if they have implemented a search engine optimization (SEO) strategy. Notwithstanding, there will probably be significant gaps and exposure to damaging defamation unless online libel threats were specifically anticipated.

Many organizations today are investing heavily in SEO campaigns using internal efforts as well as massive outsourcing contracts with SEO specialists. I strongly suggest that if you are implementing an SEO campaign, do it properly and incorporate an effective OLIMIRE strategy. Chances are you can piggyback OLIMIRE with your SEO for no or little extra cost; it will prove to be a prudent and economical insurance policy. In addition, an SEO vendor who understands the need for OLIMIRE is likely to be a more capable SEO practitioner.

SEO vs. OLIMIRE™


For Organizations

Search engine optimization (SEO) is the process of improving the volume and quality of traffic to a web site from search engines via "natural" ("organic" or "algorithmic") search results for targeted keywords. Usually, the earlier a site is presented in the search results or the higher it "ranks", the more searchers will visit that site.

The OLIMIRE approach often involves using keyword combinations which are not presently important but may be in the future as a result of bad press, smear campaigns, critiques, email chain letters and so forth. The most obvious contingency being the names of key individuals in an organization who may not necessarily have a high public profile now, but may be thrust into the limelight if named (rightly or wrongly) in a scandal, accident or other unfortunate event.

For Individuals

My personal testimony with regard to online libel is mortifying. The allegations that were leveled against me by my antagonist were heinous to say the least, and were unfortunately taken seriously by many due to the smoke/fire assumption. I was accused of child abuse, fraud, theft and many other crimes including veiled language suggesting a murder conspiracy. My accuser’s anti-social personality is a matter of record with a trail of chaos and many serious criminal and civil offenses, and yet the allegations were taken seriously by many who were not privy to this history.

It had taken me 20+ years to build my resume and reputation. Naturally anyone considering employing, partnering or contracting with an individual in any substantial way is going to “Google him” (or her). The first search conducted will probably be the person’s name and the name of his or her most recent business or employer. The efficiency, availability and reach of Google and other search engines have in a few short years permitted a person’s enemy to turn the victim’s greatest vocational asset into a liability; that asset being their resume or CV. In the case of an innocent victim this is a bad thing but where the allegations have basis in fact, it is in fact a good thing. I am sure many crimes have been averted due to the dissemination of information about a convicted child molester who has moved into a new community, for example. It appears at this time that the adage “you can’t make an omelet without breaking some eggs” applies.

Invitation

At this time I would like to invite submissions from anyone who has struggled with these issues. I am seeking case studies for a definitive book on internet libel.

Closing Thought


“A good name is a better choice than great riches”
Proverbs 22:1


How to Avoid The 7 Deadly Sins of Online Defamation Exposure and Online Reputation Management

DISCLAIMER:
This essay should not be construed as legal, medical or mental health advice. This essay was not authored by or sponsored by an attorney, physician or therapist and is provided for informational purposes only and is not intended to express or constitute legal, medical or counseling advice to any reader. No attorney-client relationship between the reader and any attorney is created by the essay, and no reader should act or refrain from acting on the basis of any content in the essay except in reliance upon the advice of a qualified attorney licensed to practice in the reader’s or other applicable jurisdiction. The author is not an attorney or a firm of attorneys and is not licensed to practice law in any jurisdiction.


Michael Roberts of Mile2 Discusses Computer Forensics

Digital Forensics Training - Not Just for Cops

Having been involved in the IT Security Education space for some time, I have found that it is a common misconception that Computer Forensics training is only for Law Enforcement. On the contrary, the FBI is currently so backlogged with computer-related criminal cases related to terrorism and big crime that they will often pursue only serious felony cases. Even if the FBI decides to take on a felony case, it can be subsequently shut down by their local US Attorney, whose case load is so heavy that they cannot handle additional cases despite the FBI's willingness to pursue.

Our team experienced this exact scenario two months ago despite unimpeachable evidence of unauthorized access by an individual to a bank account which resulted in a wire fraud of more than $100,000 as well as illegal interceptions from an "efax.com" fax service and unauthorized access to Yahoo Briefcase accounts. This only leaves local or county law enforcement authorities who, despite best intentions, often do not have the sophistication or skills required to prosecute a computer crime case; and if they do, lack of quality training can result in the evidence being corrupted due to improper chain of evidence procedures.

These problems leave the frontline network administrators in a frustrating situation with obvious crimes often going unpunished. If organizations invested modestly in basic "first response" training for their network staff, however, evidence could be preserved and documented in such a way that it would be admissible in criminal or civil actions. Successful actions serve further as a deterrent to would-be hackers, who will often choose "soft targets."

Legal actions are the most obvious benefits of effective Computer Forensics training, and effective forensics capability can be built in-house for a very reasonable investment. These skills can contribute significantly to effective security policies and implementation for a given enterprise because the knowledge gained can better identify "what went wrong" in any IT problem, whether it is caused as a result of malicious actions from within or without, or from an innocent glitch or rash action.

Original post: http://www.mile2.com/Michael_Roberts_Mile2_Digital_Forensics.html

Feb '06