The Strange Case of the Covid-19 Tracing Tool…

There are currently lots of people posting garbage, etc. about the Covid-19 Tracing Tool that they have only just become aware of on their iPhone or Android smartphone, and there are also lots of conspiracy theories, misinformation and fake news about this so-called COVID-19 Tracing tool added to most Android and iPhones in the last month, or so. Let’s get a few thing straight:
1. It isn’t an app, it is a framework and doesn’t do anything on its own.
2. It isn’t switched on by default, and won’t be unless you enable it or a COVID-19 tracking app that does.
3. If you don’t want it to work, just turn off Bluetooth.
4. If you are using a smartphone and use most apps (Facebook, WhatsApp, Google apps, etc.) you are already being tracked and many of your rights to privacy have already been given away (by you when installing most apps or just having a smartphone, you have read the EULAs and Terms and Conditions, right?). So it is a bit late to get upset now (the horse has not just bolted, it has already been around the globe several times, and had great adventures along the way, and you hadn’t even realised that it had got out).
If you don’t want to be tracked or have you privacy eroded:
  • Don’t have a mobile phone (or any smart technology),
  • Don’t use the internet, don’t use credit or debit cards,
  • Don’t have a vehicle and don’t drive,
  • Live in the middle of nowhere and live below ground, and in a Faraday cage…never go out (if you do don’t forget your tin-foil hat ;-))!
In other words in this modern world it is almost impossible to not be tracked or not have our privacy eroded; we have all agreed to defer our rights to privacy by wanting ‘cool technology and apps, etc. and for our safety and security’.
No, I haven’t gone gaga, I am not a Luddite or technophobe (as anyone that knows me will confirm, quite the opposite). I’m just telling you all what most of us in technology and security have known for over two decades (actually longer, but who’s counting?)…
Links to more details:
USA Today:

What Does Climbing Mountains Have in Common with Cyber Security?

Carrauntoohil and the Hag's Tooth

Picture of Carrauntoohil and the Hag’s Tooth (the Reeks mountain range in County Kerry, Ireland)

Why am I writing about mountains? Well I have just come back from Ireland after climbing the highest peaks in both Northern Ireland (Slieve Donard) and the Republic of Ireland (Carrauntoohil) with my son.

Yes we climbed the infamous Devil’s Ladder on Carrauntoohil on Saturday the 31st of August, 2019 (it was more like the Devil’s Waterfall or Stream that day, as it had rained extensively for the last week).

The path to the base of the Devil’s Ladder – The bottom of the Devil’s Ladder – My Son about a quarter way up the Devil’s Ladder

So, this meant that we had to adapt our risk models, our strategy, our plans to conquer it and to get back down safely after summiting the mountain…

This may seem to be a silly analogy, but you’d be surprised how much they have in common:

In fact, they both require:

  • Extensive preparation, including testing that your plans/equipment/tools and your skills are relevant and fit for purpose, and that they work (as expected) before you need them for real.
  • The ability to be adaptable to changing conditions/threats/risks, etc.
  • Risk analysis/rating and to be able to classify risks as low (acceptable), neutral or high (unacceptable, or unwise).
  • Stamina (staying power), perseverance and digging deep (at times) to ensure success or when dealing with an incident (or potential incident) or the immediate workload.
  • Teamwork (in an ideal world) to be really successful; both mentally and physically. Also understand that you may need different perspectives (both in knowledge and risk) and skill sets.
  • That you need to have experts (or at least people with more knowledge than you) available if things go wrong; for small incidents you may be able to deal with it yourself, or with limited assistance, but when things go badly wrong you need ‘real expertise’ on call.
  • Suitable insurance; so that you have a way to offset risk and associated costs with an incident (just in case; worst case scenario).
  • That you understand you haven’t succeeded when you’re at the peak, but when you have returned to BaseCamp (normal business operations aka steady state).

Yes, we successfully summited the mountain which we did with nothing more than getting wet (several downpours, and even hail on the last push to the summit) and cold; it was about 20c at the bottom, but close to 0c at the top, when we were over 1,039m (3,409 feet) up, and a complete white-out, and my son slipped and twisted his ankle (slightly) when climbing up the Devil’s Ladder.

As it was a complete white-out  at the summit (well actually the top third of the mountain for most of the day), it can be easy to lose your way as visibility is very limited (a matter of a few meters at best), so veering off the path is easy and can be lethal, as there are cliffs around the summit on most sides of the mountain. I however had two GPS devices (with maps on and the route pre-planned) so that this was not an issue for us. I also had a compass and a paper map (as well as two smartphones with the 1:30,000 Harvey’s map on); so I had multiple backups in case one or more of the technical solutions failed!

Does this sound familiar to cyber security best practice?

Start of the Devil's LadderTop of the Devil's LadderAt the top (honest!)
Left to Right: Bottom of Devil’s Ladder – Top of Devil’s Ladder (looking down) – At the summit of Carrauntoohil
Please Note: The photos of the Devil’s Ladder do not show just how steep and technical it is in reality!
We also summited a second mountain in the Reeks range that day (Cnoc na Toinne), as we decided not to risk coming back down the Devil’s Ladder (the risk was high/unacceptable that day, going up was an acceptable risk), we decided to take the lower risk (but not risk free) route down via the second peak via the Zig-Zags*.

Most of the experienced hikers/climbers that day also decided against going down the Devil’s Ladder; like us deciding on a safer way down, either using the Zig Zags or the Heavenly Gates and/or Brother O’Shea’s Gully route instead!

As we were descending via this route, ironically a very experienced hill/fell/mountain walker just ahead of me tripped and almost fell over the edge, so this shows that things can still go wrong, even to the most experienced. Luckily that day, if he had fallen over the edge there were members of the Irish Mountain Rescue on the mountain (just below him, in fact), so help was at hand, had it been required, luckily he was fine, with just a few bruises to his body and his pride!

Why not broaden your risk appetite and knowledge, go on I know you want to, it will expand your knowledge and maybe get you out of your chair 😉

If you want to read more about our mountain climbing adventures (we have done all of the 5 highest peaks in the British Isles), you can find far more details on my other site, here:

*The Zig-Zags is often described as the ‘easy route’ up and down the mountain, however that same week there had been two accidents where the victim underestimated or didn’t respect the path (which although easier is not without challenge and risk). One wrong or missed step can see you falling down the side of the mountain (with nothing to stop you) until you get near to the bottom. This is a potential fall of over 800m (or over 2,500 feet)! To put this in perspective, the Shard in London is 310m (just over 1,000 feet) tall, so it would be the equivalent of falling over 2.5 times the height of the Shard (ouch)!

All photographs used in this article are Copyright, 2019 by Martin Overton, All Rights Reserved.