The Hacking Problem

Infrastructure resiliency is an important area of my research, and disruptions to infrastructure come from both natural and human actions. There is no need to mention the critical role computers and networks play in modern society. The disruption to the essential Colonial Pipeline oil and gas distribution system got a lot of news a few weeks ago, and now the attack on the JBS food distribution company is causing disruptions and a lot of angst. Let’s look at three aspects of this: the impact of the disruptions themselves, the infrastructure security implications, and the role of both state-sponsored and freelance cybercriminals.

First, the impact of the disruptions. Like with the Colonial Pipeline attacks, the JBS impacts should be transitory – but will probably end up being worse than they should be due to human behavior. Like the irrational pandemic-inspired toilet paper runs last year, there will likely be a lot of spot shortages as people change their normal buying habits, creating a temporary supply shortage. Although modern logistics methods like warehousing-in-transit have reduced the safety margin, what people don’t think about is that supplies and distribution systems have slack built in to account for disruptions – and disruptions happen all the time due to maintenance, weather, and so forth. But that is all based on normal buying habits. When you hoard or stockpile, you break that assumption, creating artificial shortages. Assuming the system is back online in the next day or so, price spikes and outages should be transient, but like disruptions from storms, may take a week or two to settle down. My guess is that if nothing breaks that shouldn’t, this will again have been a brief disruption.

As for the infrastructure implications, it’s an almost intractable problem. It takes time to develop and deploy infrastructure. Even with fixed hardware, the firmware and software that runs on it takes time to develop, test, and deploy – and of course it is the ability to do remote upgrades and software changes that is the underlying cause of the problem in the first place. If you can access it to use it, much less upgrade it, you can probably hack it. The old DoD “Orange book” on computer security said the only secure computer was one that was unplugged with the hard drive removed. So while a lot can be done to improve security, ultimately there is no way to create a system that is both usable and completely secure against a determined, intelligent attacker. So like most things, the trick is to balance the two – maintain usability, but make it hard enough to keep out the amateurs, and have international standards, laws, and policies in place to deter and punish those who exploit system vulnerabilities.

And therein lies a key problem: governments use cybercriminals.

There is a love/hate, sometimes incestuous relationship between intelligence agencies, IT security companies, and cybercriminals. A not insignificant amount of the malware floating around was either developed, enhanced, or allowed to continue in play due to the action (or inaction) of intelligence agencies – including some well-known episodes involving US intelligence agencies. Ironically, some of the most effective malware currently in circulation goes back to a hack of NSA and the release of their toolkit (Ars Technica link). In addition, agencies have been known to discover exploits, but because they are using them, don’t report them to operating system and software developers. IT and cyber security firms have been known to be complicit, in at least one known case not fixing a hole until after No Such Agency had finished an operation requiring the exploit. And of course the need for computer virus protection, OS upgrades, cybersecurity consulting, etc. is a profitable business.

So it was remarkably hypocritical for President Biden to say that Russia bears responsibility for the hacks because the hackers (who in both cases seem to have only been after money) happened to be based there. Of course, President Putin didn’t really help matters when he “joked” …

Putin’s comments about hacking. Enki Research Photo, Moscow Kremlin.

“Hackers are free people, like artists: (if) they are in a good mood, they (get) up in the morning and draw. So hackers, if they wake up and read that something is happening in interstate relations and if they are patriotic, then they begin to make their contribution,” Vladimir Putin said.

Of course he went on to deny that Russia was sponsoring or exploiting hacking. While there have been cyberattacks in Russia, the security services pretty much hunt the criminals down and kill them. It is clear to these guys that if you’re going to do this, do it elsewhere. I’m not advocating that kind of quick “justice”, and the tolerance of domestic criminals who keep their crime offshore is something nation-states shouldn’t do, but in fairness it is absolutely not limited to Russia; the US is infamous for it with respect to other kinds of crimes, particularly essential and profitable but environmentally damaging enterprises.

In summary, treating cyber criminals as serious, dangerous criminals no matter where they are based or where their crimes are committed, is essential. Today one can kill with a computer by harming cyber infrastructure almost as easily as one can kill with a bomb. Therefore, as has been attempted with mixed success with nuclear weapons and biological warfare, nation-states need to put together frameworks to limit and prosecute the use of computer viruses and cyber attacks. That will be difficult – the system of international law and norms of behavior is in shambles (in no small part due to US actions over the last two decades, but that’s another story). The US, which pioneered these techniques, should take the lead in renouncing them and working with the international community to address the problem rather than hypocritically screaming about it in public all the while creating and using them in private (the US approach), or joking about it in public, making sure it doesn’t happen at home, but allowing it to occur elsewhere (the Russian approach).

#Atlantic #Hurricane Season Begins

Although there has already been activity in the form of “Subtropical Storm Ana,” the Atlantic hurricane season officially begins today. There is presently no activity in the Atlantic, and none forecast for the foreseeable future (which is only a few days). There are some weak systems in other parts of the world including Choi-Wan, a tropical storm decaying to a depression as it brushes the northern Philippines. So how does the year look? We’ll know in December 😛 but for what it’s worth here’s the forecast ...

So the question most people have at this point is what kind of season is coming, and that usually devolves to the number guessing game. It’s likely to be a “normal to above normal” season in terms of overall activity. Here is a link to the official NOAA forecast. In short, hurricane activity in the Atlantic is largely driven by two factors. The first big driver is the state of the El Nino/Southern Oscillation (ENSO) cycle, which drives the big currents in the atmosphere that control both the formation and intensity of storms (through wind shear) and their direction of movement. The ENSO state transitioned from La Nina to “Neutral” this spring, and is forecast to stay neutral through the end of the hurricane season, with the possibility of returning to La Nina conditions late in the year. Here is the forecast from the main NOAA model, the Climate Forecast System (CFS):

The second big driver is the heat content in the ocean, which provides the energy for storms. The Atlantic remains above normal – here is the latest anomaly map (the deviation from long term averages).

You can see that while there are a few cool spots, much of the Atlantic, Caribbean, and Gulf of Mexico remains above normal, so there will likely be plenty of energy for storms to draw from (don’t worry too much about the complex swirls off the US Northeast; that’s just the Gulf Stream, and it meanders so some areas will be hotter or cooler on any given day).

So, what does that all mean? As it turns out, the post I did back in March is still mostly on track (click to read). For the Georgia and SC Low Country coast, the probability of a severe landfall is below normal in the early and middle parts of the season (back door storms and annoying, evacuation-inducing bypassers are always possible) due to the ENSO Neutral conditions. Later in the year the risk is higher – if La Nina returns, risks are above normal for October/November (about a 50/50 chance of that). The Caribbean may be busy early – we’ll have to watch.

But for now things are quiet, so enjoy the late spring and start of summer. Once again as a reminder, this is the time of year to revisit your hurricane plans, especially insurance. There is a “lock out” period for changes prior to a storm and if you wait until one is headed your way, it’s too late. Check out for checklists and advice.

#Invest Areas in the #Atlantic: not major threats (and some words on names and numbers)

There are two areas the US National Hurricane Center is watching: one has tropical storm force winds but isn’t really very tropical, the other is tropical but doesn’t have tropical storm force winds …


AL90 is already above tropical storm winds, but isn’t tropical in structure. It will be moving over warmer water as it brushes Bermuda, and may acquire some tropical characteristics and get a name. More on how that works below. AL91, in the Gulf, may barely reach the threshold for being a storm before landfall, but this is only a gusty wind and rain event for Texas.

So how do all these names and codes work? Recall that in the US meteorological community tropical cyclones are typically tracked using an identifier known as the Automated Tropical Cyclone Forecast Identifier (ATCF ID). These identifiers identify unique storms with a code of the format XXNNYYYY, where XX is the basin (ocean) where the storm forms, NN is the storm number for a given year, and YYYY is the year. So the first storm to form in the Atlantic will get the ATCF ID AL012021.

What is called a tropical cyclone (TC) has a very specific scientific definition (link goes to Wikipedia definition). The problem is how do you balance the science and the evolving nature of these storms (that start out not being tropical cyclones, become a TC, then become something else) with the need to communicate with the public and issue warnings? That is a complex process. A storm system that does not meet the definition yet (but might or might not) needs to be tracked. These systems are given temporary IDs. Since no areas of the world get more than 50 storms in a year, storm numbers 90 and above are used as temporary IDs. So the first “maybe will be something” area of interest, or “INVEST” (short for “investigation” area), gets the temporary ID AL902021. The second, AL91, and so forth. These are recycled, so there will be multiple AL90s in a year.

What about names? Names are assigned for public use to make it easier (and supposedly names get people’s attention better than a number), but names are only assigned when the storm reaches tropical storm strength (34 knots, or 39 mph). Storms weaker than that are called depressions, and are just called by their number. While in the Atlantic the names are consistent, in the Pacific different weather services (especially the Philippines) give storms non-standard names, so using the ATCF ID is essential in those parts of the world to keep things straight. But in the Atlantic everybody sticks to the WMO name list.

In theory the progression of the first storm would be from an invest area (AL902021) to a tropical depression (AL012021, called “Tropical Depression One”) to a tropical storm (still AL012021, but with a name; this year the first storm will be called “Ana”). But nature doesn’t always like to follow our rules. The thing near Bermuda already has tropical storm force winds, but does not meet the definition for a tropical cyclone. It’s more like a Nor’easter, a winter storm, because it does not have a warm core and other structures that a tropical system has. But of course your roof doesn’t really care about that – it only sees the wind – and forecasters want to draw your attention to the storm. So the weather service has created a new category they are calling a “subtropical cyclone” – a system that has subtropical (not quite tropical) characteristics but still presents a threat. Expect AL90 to become “subtropical storm Ana” and get the ID AL012021 later today or tomorrow (80% chance according to NHC).
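The ID scheme and storm progression described above, as an added example (not code from the original post or from NOAA): a small Python parser that validates an ATCF ID, separates recycled invest IDs from numbered storms, and produces the public designation. The function names, the acceptance of the short form (AL90), and the rejection of storm number 00 are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Rules below come from the post's description, not an official ATCF spec.
INVEST_MIN = 90          # storm numbers 90 and above are temporary invest IDs
NAME_THRESHOLD_KT = 34   # names are assigned at tropical storm strength

# Full form XXNNYYYY (AL012021) or the short form the post also uses (AL90).
_ATCF_RE = re.compile(r"^([A-Z]{2})(\d{2})(\d{4})?$")


@dataclass(frozen=True)
class AtcfId:
    basin: str
    number: int
    year: Optional[int]

    @property
    def is_invest(self) -> bool:
        return self.number >= INVEST_MIN


def parse_atcf_id(text: str) -> AtcfId:
    """Parse 'AL012021' or 'AL90'; raise ValueError on anything else."""
    m = _ATCF_RE.match(text.strip().upper())
    if m is None:
        raise ValueError(f"not an ATCF ID: {text!r}")
    number = int(m.group(2))
    if number == 0:
        # Assumption: numbering starts at 01, as in the post's AL012021.
        raise ValueError(f"storm number 00 is not valid: {text!r}")
    year = int(m.group(3)) if m.group(3) else None
    return AtcfId(m.group(1), number, year)


def designation(atcf: AtcfId, max_wind_kt: float,
                name: Optional[str] = None, subtropical: bool = False) -> str:
    """Public label for a system, following the progression in the post."""
    if atcf.is_invest:
        # An invest keeps its temporary ID whatever the wind speed, which is
        # the AL90 case: storm-force winds but not yet a numbered system.
        return f"Invest {atcf.basin}{atcf.number:02d}"
    kind = "Subtropical" if subtropical else "Tropical"
    if max_wind_kt < NAME_THRESHOLD_KT:
        return f"{kind} Depression {atcf.number}"
    if not name:
        raise ValueError("a system at 34 kt or more needs a name")
    return f"{kind} Storm {name}"


def count_numbered_storms(ids: Iterable[str]) -> int:
    """Count distinct numbered systems, ignoring recycled invest IDs."""
    seen = set()
    for raw in ids:
        atcf = parse_atcf_id(raw)
        if not atcf.is_invest:
            seen.add((atcf.basin, atcf.number, atcf.year))
    return len(seen)


if __name__ == "__main__":
    # Constructed sample: the progression the post describes for Ana.
    print(designation(parse_atcf_id("AL902021"), 40))
    print(designation(parse_atcf_id("AL012021"), 40, "Ana", subtropical=True))
```

Because invest numbers are recycled within a year, only the numbered IDs are safe to use as unique keys when counting or joining records.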

Of course this presents lots of complications. For one thing, it messes up the storm counts and makes people think storms are getting more numerous (and before somebody cries conspiracy, no, it’s not that). In the past nobody bothered with these non-tropical events. At the end of the year Ana will count towards the total even though this same storm in 1992, much less 1982, probably would not have counted. Also, this year NOAA changed the definition of an “average” year from 12 to 14 storms, and their forecast is for “13 to 20” storms. Last year that would be average to above average; this year that is “slightly below to above average.” So whenever you read an article talking about average or above average seasons this year that doesn’t put it in proper context that the definitions changed, be wary …

And so it begins … Invest area in Atlantic

By this weekend we will likely have a named storm in the Atlantic, so let the games begin. Here’s the obligatory maps … for now the TLDR is don’t worry about it unless you live in Bermuda, and even then it’s not likely to be much more than a windy day. But a good reminder the season is about to begin, so get ready. NHC says 70% chance of formation in next 48 hours, 90% within five days.

Track models map – storm is probably going to do a doughnut and make waves.
Swath of Doom: No real doom other than potentially Bermuda, rip currents along US East Coast.

#Hurricane week: what’s an average season? #Climate

This spring the US National Weather Service is rolling out a new “climate normal data set” – average temperatures, precipitation, highs and lows, and other variables including what is an “average” hurricane season based on a new 30 year reference period. At first glance the changes for daily weather may not look terribly significant, but they are quite consistent with the fact that average temperatures have been warming over the last century. For Savannah International Airport, the average temperature in May based on 1981-2010 data was 73.3 degrees F. The average temperature using 1991 to 2020 is 74.1 F, a 0.8 degree difference. Across the year that’s about the average increase. Only one month, October, saw a decrease in average temperature, from 59.3 F to 59.1 F. The biggest change was 1.5 F in December, followed by 1.2 F in January. Here’s a plot of the data …

Savannah about .8 degrees warmer on average …

So what does this have to do with hurricanes? As part of the assessment of the “new normal”, NOAA has re-evaluated what constitutes an “average” hurricane season. The old number, based on 1981-2010, was 12 named storms. The new definition says an average season will have 14 named storms. Here’s the summary:


While I think the overall reassessment is needed, I think the period is too short in both cases and biases the data, especially for hurricanes. I think a 50 year baseline of 1961-2010 makes more sense. The problem using the 1991-2020 period for hurricanes is that it mostly covers the period of enhanced hurricane activity including the peak Atlantic Multidecadal Oscillation (AMO). On the flip side, NHC is counting storms that in past years would not have been given names (both due to better observation systems and changed procedures), so the high bias may be covering other sins in the statistics. Either way, if you hear that 2021 is an “average” year, keep in mind that’s two more storms than what an average year was in the past.

Which brings to mind one other point: averages don’t really tell you much about extremes. As a simple numerical example, the average of 30, 40, and 50 is of course 40, with extremes of plus or minus 10. But the average of 10, 40, and 70 is also 40 – but with extremes of plus or minus 30! So you need both the average and another parameter like the variance to really understand a data set. This is a concept known in statistics as the (f)law of averages … so don’t be like this guy:

Hurricane season creeps closer

Tomorrow is hurricane awareness week in the US, and just in time a tropical storm has formed off the Pacific coast of Mexico … Tropical Storm Andres shouldn’t be a problem other than for shipping; it is forecast to remain a weak tropical storm for the next day or so then fade out by midweek …

Tropical Storm Andres, the first East Pacific storm of the year.

NHC has this to say in their 11am advisory:

Andres is the earliest tropical storm on record in the eastern 
North Pacific basin, just beating out Adrian of 2017. 

There is a lot to talk about for hurricane season prep this year. One big change that National Weather Service is making this month across the whole range of their forecasts is updating their “climate normals” to reflect new data over the last 10 years. This has big implications for more than just hurricanes, but in that regard 14 storms is now considered a “normal” season rather than just 12. I’m working on a longer discussion about this; I have mixed feelings about how NHC is going about this.

For the Enki Blog, and particularly for Patreon supporters, some major upgrades are in store for this hurricane season. For starters, I’ve activated a new mapping system that will let Patreon supporters access dynamic real time maps of hurricanes, earthquakes, severe weather, and in the US, radar and lightning among other things. It’s a work in progress, but will hopefully be fun/interesting/terrifying depending on what is going on in the world …

Doomwatch, 13 April 2021

Lots going on today, with multiple ongoing volcanic eruptions on Saint Vincent (which is becoming a worse humanitarian disaster in part due to the response) and in Iceland (which now has multiple cinder cones that are fascinating to watch without guilt, as they aren’t hurting anyone at the moment – the cameras are obscured this morning due to weather), and Cyclone Seroja made landfall in Australia, leaving several small towns devastated. In the West Pacific, the second tropical cyclone of the year has already formed; it is weak and well away from land, but bears watching.

But by far the biggest concern is the potential for a major conflict to erupt in Ukraine. Despite rhetoric that on the surface seems geared towards defusing the situation (such as Biden’s offer to meet Putin), under the surface all sides are preparing for war, and all four major parties (the US, Ukraine, the DPR/LPR, and Russia) believe the situation is in their favor. Three of them are right. But we all know who loses: the average person caught up in the conflict zone … more on the situation in Donbass/Ukraine later this week.

Tornado outbreak expected today in mid-south

Some severe weather is expected in the US this afternoon – here is the warning graphic from the US Weather Prediction Center (WPC):

WPC Forecast – red areas are at risk of severe thunderstorms that may produce tornadoes

An active and dangerous day of weather is set to unfold across the
Mid-South today, highlighted by a High Risk of severe weather issued by
the Storm Prediction Center. The primary weather driver of this impending
tornado outbreak is a strengthening area of low pressure out ahead of a
sharp and intense upper level trough tracking into the middle Mississippi
Valley and Ohio Valley this evening. Powerful thunderstorms are forecast
to blossom in the South this afternoon and track into the Ohio and
Tennessee Valleys tonight. These intense thunderstorms may contain a
myriad of hazards that include violent long-track tornadoes, damaging wind
gusts, and large hail. In addition to the severe threats, hydrologic
hazards are also a serious concern from northern Alabama and Mississippi
to the Tennessee Valley and southern Appalachians. Torrential rainfall
rates in these areas that also contain overly saturated soil is a recipe
for flash flooding. As a result, a Slight Risk of excessive rainfall is in
place with a Moderate Risk located over northern Alabama, northwest
Georgia, and southeast Tennessee. Residents in these areas should have a
plan of action if severe weather threatens their respective locations. In
addition, high winds from the lower Great Lakes to the northern
Mid-Atlantic Thursday night into Friday morning. High Wind Watches are in
place for portions of these regions as strong winds may result in downed
trees and power lines.

From WPC Discussion as of 8am ET, 25 March 2021

None of this is expected to make it into the coastal GA/SC area. In Savannah GA for example, there is only a slight chance of thunderstorms Friday afternoon, and again Sunday into Sunday night.

#Severeweather risk to Coastal #Georgia, SC today …

The storm system that has already spawned tornadoes across the south continues to sweep eastward this morning …

Radar composite Thursday Morning, 18 March 2021

Inland areas of Georgia are likely to see strong thunderstorms today, with the potential for more tornadoes. It’s going to be a busy weather day. But, being self centered, what about the coast? TLDR: be prepared, hopefully you have a weather radio handy for alerts. There is a good potential for strong winds and intense thunderstorm cells, and some potential for tornadoes. For Savannah/Hilton Head, arrival times look to be at 3pm, with the main line passing through Savannah around 4pm. Here is the latest (6am) High Resolution Rapid Refresh model forecast for 3pm EST:

The wind and simulated radar at 3pm ET from the HRRR model 5am run.

The strongest storms should stay west (inland) of I-95, and there is an area to the north of the Hampton SC area that has some potential for stronger storms and tornadoes. In the above model run you can see that area of severe storms approaching stretching up to Walterboro. But the entire region should pay attention to this event and be prepared to take shelter from any tornadoes that form. Here are some tornado preparedness tips from FEMA/DHS.

As for the details, like most things it’s complicated. As a start, while forecasts are much better, with high resolution tools running hourly to update the forecasts, this is still a dynamic situation with some uncertainty. It seems the risk along the coast is lower based on the latest data, however, here is what the National Weather Service’s office in Charleston has to say:

IMPORTANT MESSAGE: After much internal collaboration with the SPC and neighboring WFOs this morning, the earlier “moderate risk” has been replaced with an “enhanced risk” for given the continued uncertainty on how stability profiles will evolve through the day. This action SHOULD NOT be misconstrued as a lowering of the severe risk for the area as conditions still remain favorable for a potential outbreak of severe tstms some of which could produce a few strong tornadoes. It is simply an attempt to better message the uncertainty with how widespread today`s severe weather will be. Media partners are asked to help convey this critical message today.

From NWS Forecast discussion as of 622 AM EST, Thursday 18 March 2021

It will be interesting to see how local media handles this request. Asking local weather forecasters to continue to push a message that things have the potential to be bad is likely to be successful 😛 . But … it also needs to be clear that despite the need for vigilance, these storms might well break up as they reach the coast. I’ve seen some comments that they never come here. Well, sometimes they do … so be prepared.

How dangerous is COVID? How about the COVID Vaccines?

We’re starting to get enough data to draw some conclusions. TLDR: COVID is dangerous – 4.5 times more deadly than the 2017 Influenza strain, which was a bad one. With the caveat that the long term studies are still underway for a lot of at-risk populations, COVID itself is about 215 times more deadly than the vaccine. The COVID vaccine isn’t really significantly more dangerous than the Influenza vaccine. Here’s a bit more detail and context …

You can’t get this vaccine for some reason.

There is a lot of argument and discussion over the relative risk of COVID vaccines, especially in Europe with the reports of the AstraZeneca/Oxford vaccine potentially causing blood clots in some people, and the Polyethylene Glycol (PEG) in the mRNA vaccines causing anaphylaxis (allergic reactions) here in the US. Both are concerning – and there is an urgent need to figure out why certain people are more vulnerable to adverse reactions than others. Certainly those with known allergies should be very careful to check the components of each vaccine before receiving it – the CDC publishes guidelines for this, and if you have sensitivities check with your doctor before getting a shot (or any procedure). This is the dilemma of vaccination: it’s best for the vast majority of people, but can be dangerous for a few. But care must be taken not to blow that true statement out of proportion.

What are the overall risks – in context with other risks? Let’s take a closer look at the data from the FDA’s Adverse Event Reporting System as well as the CDC’s National Center for Health Statistics databases and a few other databases at CDC, NHTSA, and the FBI for context. Here is what your chances of dying this year look like:

  • Chances of dying from COVID: 1 in 163
  • Chances of dying from COVID Vaccine: 1 in 35,000
  • Chances of dying from Influenza (2017 H5N1 strain): 1 in 740
  • Chances of dying from Influenza Vaccine: 1 in 100,000
  • Chances of dying in any Accident: 1 in 1,350
  • Chances of dying from Gun Violence (you are a criminal): 1 in 3,000
  • Chances of dying from Gun Violence (you are not a criminal): 1 in 220,000
  • Chances of dying from a Weather or Earthquake Hazard: 1 in 2 million or so

So in context, the vaccines are not risky compared to the disease – and certainly not compared to dying in a car accident (1 in 6000 or so). There have been some reports and talk that the COVID vaccines are significantly more dangerous than the Influenza vaccines. That’s a bit hard to judge. For one thing, the COVID vaccines are being scrutinized in a way the Influenza shots have not been. But even given that, the raw numbers show that the potentially associated mortality rate is about 2.8 times higher. It’s likely that difference would disappear if similar tracking were in place, but even if true isn’t bad. So the “50 times more side effects” stuff you see circulating is overblown.

Hope that helps put things in perspective …