Author Topic: UK crisis analogue prepping?  (Read 8229 times)

Re: UK crisis analogue prepping?
« Reply #75 on: 18 December, 2023, 07:30:53 pm »


Primary purpose of this, when I find time to put it together, is radio operating out in the field (camping trips) but it is nice that it potentially does double duty during zombocalypse.

The thing that will knacker us though, is that if societal breakdown does occur, someone will just bludgeon us both to death with a blunt instrument in order to take our provisions.
But with the radio comms who are you going to call, and what do you want of them?
If you can't get a local contact on 2m or 70cm, do you then hope that your NVIS antenna for 60m brings some joy? Then what? Do you just narrate the zombie attack while listening to the same story from the rest of the net?
Without a trusted network of self-supporting people that you are in regular contact - I really don't know what use any radio will be when things go wrong.

If society breaks down, sadly it'll be survival of the fittest, and that ain't me.
Once we start considering protecting ourselves from the zombies then we're heading into the mad bad world of the USAnian preppers and their stockpiled weapons hidden in caches underneath a dead cat in a car park in Wigan.
Too many angry people - breathe & relax.

quixoticgeek

  • Mostly Harmless
Re: UK crisis analogue prepping?
« Reply #76 on: 18 December, 2023, 07:40:01 pm »


So this is the classic known unknown.

What will happen when society collapses? Will it descend into individualism and everyone for themselves? Or will groups self organise to make things better for everyone?

I'd really like to hope more for the latter than the former.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

cygnet

  • I'm part of the association
Re: UK crisis analogue prepping?
« Reply #77 on: 18 December, 2023, 09:35:40 pm »


Primary purpose of this, when I find time to put it together, is radio operating out in the field (camping trips) but it is nice that it potentially does double duty during zombocalypse.

The thing that will knacker us though, is that if societal breakdown does occur, someone will just bludgeon us both to death with a blunt instrument in order to take our provisions.
But with the radio comms who are you going to call..?
Ghostbusters.  :D
But if they can't help, and if you can find them, maybe... The A-Team ;D
I Said, I've Got A Big Stick

Afasoas

Re: UK crisis analogue prepping?
« Reply #78 on: 18 December, 2023, 09:40:04 pm »


Primary purpose of this, when I find time to put it together, is radio operating out in the field (camping trips) but it is nice that it potentially does double duty during zombocalypse.

The thing that will knacker us though, is that if societal breakdown does occur, someone will just bludgeon us both to death with a blunt instrument in order to take our provisions.
But with the radio comms who are you going to call, and what do you want of them?

There's still some semblance of local RAYNET left. Optimistically I think in the event that all other comms are out then it may be a way of coordinating local disaster mitigation efforts. Pessimistically, it will be a way of finding out whom among the regulars I speak to still have comms and waiting around to see whom amongst them is the last to go off air.

That said, I've not been on air much at all for months outside of a couple of regular weekly nets but by all accounts U/VHF locally are all but dead. (Too busy with work and outside of that trying to get myself ready for the full license exam).



So this is the classic known unknown.

What will happen when society collapses? Will it descend into individualism and everyone for themselves? Or will groups self organise to make things better for everyone?

I'd really like to hope more for the latter than the former.

J

In most areas of the UK, the former is most likely given the panic buying that ensues with fuel protests and pandemia  :'(

Re: UK crisis analogue prepping?
« Reply #79 on: 19 December, 2023, 03:27:24 pm »
I remember watching a French mini-series called "the collapse" it aired on Dutch TV about 2 years ago.
 L' Effondrement for the Francophiles. I think it was 5 or 6 short 20min stories.

 https://www.imdb.com/title/tt11248266/

None of the dramatic Hollywood happy-ending garbage, real people in realistic situations.
It zooms in on what would happen to various small communities, it was very good.
Regards,

Alan

Re: UK crisis analogue prepping?
« Reply #80 on: 19 December, 2023, 03:35:23 pm »
I'm in the local County Raynet group and we've just been handed a sack of cash to build a resilient communications and data network for emergencies.

We have pretty good coverage of all the district council offices, and rest centres, especially now we've moved out of the old bunkers and into the new planning rooms they've set up with generator power and nice lighting and such.  It takes a lot of effort though to maintain the relationships with the civil protection officers, fire service and all the other bodies.

D.



Primary purpose of this, when I find time to put it together, is radio operating out in the field (camping trips) but it is nice that it potentially does double duty during zombocalypse.

The thing that will knacker us though, is that if societal breakdown does occur, someone will just bludgeon us both to death with a blunt instrument in order to take our provisions.
But with the radio comms who are you going to call, and what do you want of them?

There's still some semblance of local RAYNET left. Optimistically I think in the event that all other comms are out then it may be a way of coordinating local disaster mitigation efforts. Pessimistically, it will be a way of finding out whom among the regulars I speak to still have comms and waiting around to see whom amongst them is the last to go off air.

That said, I've not been on air much at all for months outside of a couple of regular weekly nets but by all accounts U/VHF locally are all but dead. (Too busy with work and outside of that trying to get myself ready for the full license exam).



So this is the classic known unknown.

What will happen when society collapses? Will it descend into individualism and everyone for themselves? Or will groups self organise to make things better for everyone?

I'd really like to hope more for the latter than the former.

J

In most areas of the UK, the former is most likely given the panic buying that ensues with fuel protests and pandemia  :'(
Somewhat of a professional tea drinker.


fruitcake

  • some kind of fruitcake
Re: UK crisis analogue prepping?
« Reply #81 on: 30 December, 2023, 11:41:52 am »
A current risk is of institutions' and government IT systems being hacked, perhaps with user data being held to ransom, or perhaps with Bad Actors taking control of internet-connected physical systems, (such as water treatment plant, or electricity grid - hence a risk of blackout.)

The report in the original post references the annual risk and resilience statement, which lists cyber incidents and the misuse of AI. It mentions state supported hacking groups.
https://www.theguardian.com/technology/2023/dec/13/uk-at-high-risk-of-catastrophic-ransomware-attack-report-says

Reducing vulnerability to that would involve what you might call 'good data hygiene' in organisations, which in turn requires workplaces to keep their computer networks secure, not using end of life unsupported systems, good password policies, not using email for sending/storing restricted info, using 2FA, and their staff not falling for phishing attacks and similar (and having been trained to recognise such things). In short, this is mostly about boring old information security practice - the stuff that organisations (and their staff) kinda know they should be doing anyway, but they're not very good at, because they haven't really thought about it; it is not sexy.

Yet I expect every employee, even those of us who are aware of this stuff, could raise their game. So the project facing gov.uk and our institutions is a communication challenge, or rather an education challenge: workplaces are going to need to teach their staff the right way to handle restricted information, etc.

quixoticgeek

  • Mostly Harmless
Re: UK crisis analogue prepping?
« Reply #82 on: 30 December, 2023, 12:37:19 pm »

An interesting side effect of the move towards renewables is that the idea of a power station now covers everything from a grid connected 1 kW solar panel on someone's roof, up to a multi gigawatt nuke plant.

I saw a talk two days ago at CCC in Germany by someone who had done a security assessment on a popular inverter used with small scale solar systems. The security on it was laughable (remember kids, the S in IoT stands for security).

So what? Who cares if you can hack into someone's roof solar... Well there are 2.6 million properties with small scale solar in Germany alone. If you can hack into a few thousand of them, have them turn off, and off again synchronised, the grid will shut down in self defence. We're familiar with the movie plot of hackers hacking into nuclear power plants and the like. They generally have great security, they are a really hard target. But that IoT internet connected inverter in the cupboard connected to the solar on your roof? That's candy from a baby in comparison.

In many ways renewables being a distributed architecture is a more resilient one. Driving a truck bomb through the gate at a nuke or gas plant takes a lot more power off line than setting fire to a wind turbine does. But that distributed nature also works the other way in providing a larger number of attack surfaces for other types of attack.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Afasoas

Re: UK crisis analogue prepping?
« Reply #83 on: 30 December, 2023, 12:48:04 pm »
A current risk is of institutions' and government IT systems being hacked, perhaps with user data being held to ransom, or perhaps with Bad Actors taking control of internet-connected physical systems, (such as water treatment plant, or electricity grid - hence a risk of blackout.)

The report in the original post references the annual risk and resilience statement, which lists cyber incidents and the misuse of AI. It mentions state supported hacking groups.
https://www.theguardian.com/technology/2023/dec/13/uk-at-high-risk-of-catastrophic-ransomware-attack-report-says

Reducing vulnerability to that would involve what you might call 'good data hygiene' in organisations, which in turn requires workplaces to keep their computer networks secure, not using end of life unsupported systems, good password policies, not using email for sending/storing restricted info, using 2FA, and their staff not falling for phishing attacks and similar (and having been trained to recognise such things). In short, this is mostly about boring old information security practice - the stuff that organisations (and their staff) kinda know they should be doing anyway, but they're not very good at, because they don't think about it very much; it is not sexy.

Yet I expect every employee, even those of us who are aware of this stuff, could raise their game. So the project facing gov.uk and our institutions is a communication challenge, or rather an education challenge: workplaces are going to need to teach their staff the right way to handle restricted information, etc.

It's the same old story, with the huge technical debt companies tend to carry around. They won't make the investment to address it. Many systems still in use today pre-date the Internet and have security models ranging from non-existent to easily defeatable.

All the training in the world is not going to help unless board members take the security threat seriously and front the capital to actually re-implement these systems using secure-by-design principles.

I saw a talk two days ago at CCC in Germany by someone who had done a security assessment on a popular inverter used with small scale solar systems. The security on it was laughable (remember kids, the S in IoT stands for security).

I like the phrase Immensely Obvious Threat, coined by one of the famous (in technology circles) security bloggers, whose name escapes me at the minute.

barakta

  • Bastard lovechild of Yomiko Readman and Johnny 5
Re: UK crisis analogue prepping?
« Reply #84 on: 30 December, 2023, 12:56:00 pm »
Employers could do well to stop behaving like scammers themselves, especially HR departments. We got a random email from RandomCompany telling us our employer (not named) wanted us to register with them. I sent it straight to IT as 'scam' and deleted it.

Turns out it was legit. HR had been using a third party to check DBSes or something, which unsurprisingly most of us ignored, so HR-junior had to email everyone instead. But being a poorly trained numpty, HR-Junior BCCed everyone using her boss's name - a boss we'd never heard of, so most of us refused to follow instructions in that too. HR numpty didn't know how to use Mail Merge or that her "you rush rush do thing" tone was also very scammy looking.

I didn't get a bollocking from my boss cos I explained these are all scammy behaviours and they cannot have it both ways. I'd rather get a personalised bollocking for refusing to comply with crappy HR crap than fall for a phish and be shamed by the employer for it. I give no fucks about HR and their lack of staffing or planning is an employer problem not a me problem.

I can imagine a lot of organisations with sensitive data also don't staff their IT/HR properly so they do dodgy shit like this.

Our IT is taking cybersecurity really seriously, to the point where they just locked loads of people out of their long-term systems including building-management with no warning to "meet their certification", so IT are understandably unpopular as they didn't give anyone time to rejig systems appropriately, or create siloed systems to enable building management to keep managing their buildings. Apparently it's cost the employer over a million more in wasted energy cos they can't turn stuff on/off properly months down the line.

It all ends up turning into top trumps, cybersecurity, eco-management, disability-accessibility, wanky-manager's-flagshit-project...

fruitcake

  • some kind of fruitcake
Re: UK crisis analogue prepping?
« Reply #85 on: 30 December, 2023, 04:59:25 pm »
HR probably knows they should not be asking your managers to request email photos of your passport. But do they know what transmission method should be used? And when will they start asking for that?...

That middle manager probably knows he shouldn't be emailing himself with his password and username for any given system. But does he know what password storage method he should be using: has anyone sat down with him and explained that, and then watched him do it?

That junior administrator knows she just entered her credentials into a phishing site... but it didn't occur to her before she followed the link in the email. That email seemed official, and urgent; it's been a busy week. And yet it's obviously from a dodgy domain.

A little bit of education would go a long way.

Re: UK crisis analogue prepping?
« Reply #86 on: 30 December, 2023, 05:34:39 pm »
Many systems still in use today pre-date the Internet

Amazing the systems still around from the 1960s eh?

quixoticgeek

  • Mostly Harmless
Re: UK crisis analogue prepping?
« Reply #87 on: 30 December, 2023, 05:37:13 pm »
Many systems still in use today pre-date the Internet

Amazing the systems still around from the 1960s eh?

Predate the internet being more than just a military and academic curiosity at least...

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Afasoas

Re: UK crisis analogue prepping?
« Reply #88 on: 30 December, 2023, 07:23:26 pm »
Many systems still in use today pre-date the Internet

Amazing the systems still around from the 1960s eh?

I thought, as I wrote that, I should qualify it because someone might make a pedantic remark.
Note, I said "Internet" rather than "internet". The Internet Protocol Suite was standardised in 1982 and it was a few years after that the various military and academic 'internets' really started coming together trans-continentally.
Private/Commercial access to the Internet didn't really take off until the very late 1980s.

HR probably knows they should not be asking your managers to request email photos of your passport. But do they know what transmission method should be used? And when will they start asking for that?...

That middle manager probably knows he shouldn't be emailing himself with his password and username for any given system. But does he know what password storage method he should be using: has anyone sat down with him and explained that, and then watched him do it?

That junior administrator knows she just entered her credentials into a phishing site... but it didn't occur to her before she followed the link in the email. That email seemed official, and urgent; it's been a busy week. And yet it's obviously from a dodgy domain.

A little bit of education would go a long way.

It is often the case that people do know what they are doing is bad. Some describe that as the difference between a technology-led business and a business that uses technology. Again, the time/money/capital needs to be expanded so that there are secure ways for staff to collect, process and share data. The training side is well catered to, at least in terms of information security and data protection. It's the tooling that is often lacking. That often leaves staff with a choice of doing the job and keeping their immediate managers happy, or adhering to their training and making their managers unhappy.

Re: UK crisis analogue prepping?
« Reply #89 on: 31 December, 2023, 09:30:21 am »
I had this in my last job (I retired about 15 years ago) in The Great Fax Wars.

Everyone seemed to accept that using fax in healthcare was a Bad Thing, and everyone seemed to have a jolly anecdote of Mrs Gubbins test results being sent to a garage, but no one would do anything about it.

Why? Because every other bloody department was using Fax and why should they be first, and anyway it's only every couple of months that a fax ends up where it shouldn't.

The technology to use (relatively) secure email was there at the time. The training telling staff and managers about data security was certainly in place. But no one would do anything about the use of insecure fax.

It was largely about the comfort blanket of an existing system, the lack of trust in the alternative, and management inertia to force change.

I think it took government edict to force the issue, but I lost the plot long before then.

I'm not sure how this scales to current data security issues, but it is a worthwhile study - for someone - in how embedded methods are hard to change
Too many angry people - breathe & relax.

ian

Re: UK crisis analogue prepping?
« Reply #90 on: 31 December, 2023, 10:48:03 am »
Use our new password manager. It'll make secure password management simple! Learn how to use it in this 20-minute video...

Pingu

  • Put away those fiery biscuits!
  • Mrs Pingu's domestique
    • the Igloo
Re: UK crisis analogue prepping?
« Reply #91 on: 31 December, 2023, 11:03:23 am »
Our IT dept sent out a couple of test phishing emails. Apparently ~5% of staff clicked on the embedded links and gave away personal details. We have regular warnings, annual mandatory training and we're still recovering from the cyber attack a couple of years ago...  ::-)

fruitcake

  • some kind of fruitcake
Re: UK crisis analogue prepping?
« Reply #92 on: 31 December, 2023, 11:04:54 am »
Use our new password manager. It'll make secure password management simple! Learn how to use it in this 20-minute video...

This is the challenge though: find better software; invest time learning to use it. Stop using email for absolutely bloody everything. (And think before you click links.)

For large organisations, for government departments, it's learn more secure methods or risk being hacked. And, honestly, recovering from a cyber incident takes months. Months of publishing updates to your customers and your staff about the data that's been stolen and which of your systems are still down; months of being unable to provide your services in the normal way; hundreds of thousands of pounds spent on IT support, data governance reviews, legal advice, and credit checks for the staff and customers your organisation's negligence has put at risk. And the reputation of the organisation, in the eyes of your staff and customers, goes down the toilet. All because some staff were storing passwords unencrypted (and were probably adding customer data to random spreadsheets in unsecured buckets, and were replying to emails with login credentials).

A little training...

quixoticgeek

  • Mostly Harmless
Re: UK crisis analogue prepping?
« Reply #93 on: 31 December, 2023, 12:17:44 pm »

I got an email from an outside organisation I wasn't expecting. It just had a short one sentence, and a link. I reported it as phishing and ignored it.

It was a real email, from an org we deal with, it was not actually phishing. My not clicking the link cost the company a few hundred euros.

When I told my boss what happened, I got congratulated for doing the right thing. Even tho it cost the company money.

This is the correct attitude to have. In the line of work we are in, we also get targeted a lot with spear phishing. New person starts, within a few hours of updating linked in, they will get a spear phishing email. We now brief staff on this.

I'm of the view that phishing awareness email campaigns don't work, they just make staff feel shit. I'm just not 100% sure what does work...

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Afasoas

Re: UK crisis analogue prepping?
« Reply #94 on: 31 December, 2023, 12:21:55 pm »
What does work, is finding and sharing examples of successful phishing attacks and their consequences. Especially when they affect similar organisations.
Also why I think it's important organisations do share post-mortems when they fall victim to a phishing/ransomware campaign.

quixoticgeek

  • Mostly Harmless
Re: UK crisis analogue prepping?
« Reply #95 on: 31 December, 2023, 12:29:28 pm »
What does work, is finding and sharing examples of successful phishing attacks and their consequences. Especially when they affect similar organisations.
Also why I think it's important organisations do share post-mortems when they fall victim to a phishing/ransomware campaign.

Agreed. The boss got caught with that booking.com scam. He was very very open about it and explained how it had worked. We all learned a lot about it.

A few weeks later I get an email from booking.com; my first thought is it's phishing. Nope, turns out my credit card had expired and I had to put a new one in. All done within the app, no links clicked.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

fruitcake

  • some kind of fruitcake
Re: UK crisis analogue prepping?
« Reply #96 on: 31 December, 2023, 12:37:37 pm »
In the line of work we are in, we also get targeted a lot with spear phishing. New person starts, within a few hours of updating linked in, they will get a spear phishing email. We now brief staff on this...

That briefing of staff is effective training, because it's relevant and memorable - clearly!

What does work, is finding and sharing examples of successful phishing attacks and their consequences. Especially when they affect similar organisations.

That's effective training because it's interesting, and relevant, and real. We're all interested in hearing about other people's mistakes.

The ten-minute animated video on GDPR you watched on your first day - when you'd just been made to watch the fire safety video, and the export controls video, and the DSE ergonomics video - not so much.

Cudzoziemiec

  • Ride adventurously and stop for a brew.
Re: UK crisis analogue prepping?
« Reply #97 on: 31 December, 2023, 03:48:21 pm »
I had this in my last job (I retired about 15 years ago) in The Great Fax Wars.

Everyone seemed to accept that using fax in healthcare was a Bad Thing, and everyone seemed to have a jolly anecdote of Mrs Gubbins test results being sent to a garage, but no one would do anything about it.

Why? Because every other bloody department was using Fax and why should they be first, and anyway it's only every couple of months that a fax ends up where it shouldn't.

The technology to use (relatively) secure email was there at the time. The training telling staff and managers about data security was certainly in place. But no one would do anything about the use of insecure fax.

It was largely about the comfort blanket of an existing system, the lack of trust in the alternative, and management inertia to force change.

I think it took government edict to force the issue, but I lost the plot long before then.

I'm not sure how this scales to current data security issues, but it is a worthwhile study - for someone - in how embedded methods are hard to change
What makes fax less secure than email?

All I can think of is that you get a physical print out, which might then be seen by the wrong person. But then if you send an email to the wrong address, it's likely to be read by the wrong person, whereas if you send a fax to the wrong address it's likely to get connected to not a fax machine and not be read by anyone.
Riding a concrete path through the nebulous and chaotic future.

Afasoas

Re: UK crisis analogue prepping?
« Reply #98 on: 31 December, 2023, 04:41:45 pm »
I had this in my last job (I retired about 15 years ago) in The Great Fax Wars.

Everyone seemed to accept that using fax in healthcare was a Bad Thing, and everyone seemed to have a jolly anecdote of Mrs Gubbins test results being sent to a garage, but no one would do anything about it.

Why? Because every other bloody department was using Fax and why should they be first, and anyway it's only every couple of months that a fax ends up where it shouldn't.

The technology to use (relatively) secure email was there at the time. The training telling staff and managers about data security was certainly in place. But no one would do anything about the use of insecure fax.

It was largely about the comfort blanket of an existing system, the lack of trust in the alternative, and management inertia to force change.

I think it took government edict to force the issue, but I lost the plot long before then.

I'm not sure how this scales to current data security issues, but it is a worthwhile study - for someone - in how embedded methods are hard to change
What makes fax less secure than email?

All I can think of is that you get a physical print out, which might then be seen by the wrong person. But then if you send an email to the wrong address, it's likely to be read by the wrong person, whereas if you send a fax to the wrong address it's likely to get connected to not a fax machine and not be read by anyone.

Email isn't necessarily any more secure than using a fax machine... but it can be. Email should at least use opportunistic encryption on transmission. And security-conscious organisations can configure their email servers (or email services) to force encryption. The only problem with that is that some third party email will not be delivered.

Fax machines, AFAIK, transmit information without any type of encryption so a tap anywhere along the line could be used by a third party to obtain a copy of a fax.
Additionally, fax machines tend to be shared amongst teams/offices.

Kim

  • Timelord
    • Fediverse
Re: UK crisis analogue prepping?
« Reply #99 on: 31 December, 2023, 05:08:23 pm »
if you send a fax to the wrong address it's likely to get connected to not a fax machine and not be read by anyone.

I can't be the only one to have suffered from my phone number ending up in someone's outgoing fax queue, and have their fax server retry repeatedly at random hours.  Last time it happened the only way I could get it to stop was to dust off a POTS modem and receive the fax.  Which, unsurprisingly, came from a mistake agent.

Makes xkcd://1279 emails seem positively un-annoying.