yojimbo

Thoughts that should have a longer lifetime than my Mastodon posts ...

Passwords are so last century ... there are two main replacements that you should consider instead, “passphrases” that are intended for you to remember and type in manually, and “password manager passwords”, which you will never type in yourself, instead relying on a specialist password manager application to copy/paste for you.

Password managers are great at coming up with high-entropy sequences of characters that you might be able to manually enter, but you're really not supposed to do so. dXD2cwb%xRm^3W^Qz2Sby3k!FhYZ^GX9 is a fantastic password (well, not now I've published it!) but you're not going to be able to remember it or type it reliably. If you can rely on a password manager application to be around whenever you want to use this, it's a great method to use.

But some things you just have to remember and type for yourself. The passphrase you use to open the password manager itself, for example. Perhaps you have another authentication action you perform a few times a day – sudo perhaps for the unix users. The login to your computer that you need to use on the screen lock whenever you leave the desk for a coffee ... a limited set of these are great candidates for being typed in by hand, and that sort of gibberish above just isn't going to work.

So instead we have passphrases – sequences of words, not sentences. Not lyrics to your favourite songs, not quotations from books, not the names of the players in the football team you support ... but a random sequence of unrelated words that were created by your password manager for you!

Here the number of words that you choose to use is the important factor, not the overall length of the thing. 6 or 7 words seems to be the current (2021) recommendation, but for things that you deem to be more critical or especially long-lived, 9 is a sensible max. Ideally this is something that you're going to be using several times per week, too.

But how easy is it to remember 9 unrelated words? This is what a few examples look like :-

  • barista diffusion reflux armful strife zigzagged security shelter backlash
  • nemesis domestic remover wool calzone wrongful enjoyer recolor voice
  • capable anatomy footman squiggly anew goldfish thirteen headway flattery

How are you going to remember all that?

Well, to start with, some unexpected advice ... as long as you don't work in a maximum security environment ...

Writing the phrase down on a small piece of paper that you store somewhere secure (like with your credit cards), while you're getting used to using it and remembering it, is a good idea! Just remember to securely destroy it when you don't need it any more, and of course don't write any other identifying information on there.

But there's another way to store a reminder for a passphrase too – turn the words into a series of icons or pictures, and use those to remind yourself of what the actual words are. The advantage here is that any given image that you choose could represent dozens of different words, depending on how they're interpreted, and no-one will be able to work out the actual passphrase directly. Have you ever played Pictionary?

This means that the reminder image could be somewhere less secure than your wallet – and therefore somewhere a little more useable. If you use a paper notebook, perhaps inside the front cover ... it's still somewhere relatively secure.

A great source of simple icons is https://thenounprojectcom/ but honestly any images you get from a search engine would work well too.

So let's take a new passphrase, only 5 words this time for brevity, and see what we can come up with ...

That's not a bad selection of icons! You can probably hand-draw a version of these onto a notebook quite quickly, and when you look at them later they help to remind you of the passphrase ...

Let's try another longer one ... can you work out what this set of images is for?

Some of the words in that passphrase didn't provide a direct search result, so I substituted some other related words in order to get a useable image. This is pretty much the point – these images are a reminder to me because I'm the one that did the work to choose them. If you want to hand-draw them, even if you're no artist like me, it'll still be effective, and you can change details to suit what makes sense to you ...

If you pick your own images to use for the words in your passphrase, you'll find them to be a very effective and reasonably safe reminder to use!

(Skip to the TL;DR section below if you just want the shortest list of commands)

I have a decent spec gaming PC (NVidia GeForce GTX 970 for the graphics card) that's been running Windows 10 for the last few years, since I started playing Elite:Dangerous. But recently the SSD C: started to die, and I switched over to a new drive with Ubuntu 20.10 on it instead. Any day that I don't have to run Windows is a good day.

I found some instructions on running E:D from Steam, using protontricks and launching via Lutris, and they worked! But I'm a bit unusual and have several E:D accounts; only one is on Steam, and I wanted to follow the pattern I'd had previously, with multiple copies of the EDLauncher authenticated to different accounts, but all running from the same single installed copy of Elite.

I tried to generalise the Steam version but in the process broke everything ... so I decided to start again. This time, I was going to try to understand what every step was meant to achieve, as much as I could ...

And just as a warning here – I did all this on my live OS, so there might be some steps I've missed, because I didn't realise pre-requisites were already installed from my earlier experiments. I'd like to rerun these instructions on a new clean install of Ubuntu, but right now I'm just wanting to get into the cockpit ...

Just WINE

I installed Wine 6.6 via the winehq-devel package from WineHQ's Ubuntu repository. I'd also had some other versions installed (notably 6.5) but had been careful to avoid them by careful use of $PATH.

I set WINEPREFIX to point to a new empty directory ($HOME/EDwine), and ran winecfg. This builds & populates a minimal Windows directory structure in $HOME/EDwine, 1.4GB of data, and then presents a Windows-style config box. You don't need to make any changes in there, but have a look around and see what it's up to. In my case, it was set for Windows 7 and to send audio through pulseaudio, which was fine.

The Elite Installer

I grabbed a copy of the EliteDangerous-Client-Installer.exe from my account's 'Downloads' on the Frontier store. There's probably nothing unique or personalised about that file, we probably all get the same one.

Running it directly under Wine was straightforward, and resulted in lots of components like the VC++ Redistributable and DX9 being installed into my minimal Windows filesystem. IIRC it suggested that I 'reboot Windows' so I ran wineboot instead.

EDLaunch

Now we get to the bits where things needed tweaking. EDLaunch.exe needs the right version of the Mono run-time to be present, to provide the things that real Windows gets from the .NET Framework. The version I used came via a protontricks page discussing support for E:D under Steam, and is just the default 6.1.1 version with a couple of small helpful tweaks – https://github.com/redmcg/wine-mono/releases/tag/wine-mono-6.1.1_ED

This is an MSI file, and therefore you install it with the Windows tool msiexec :- wine msiexec /i ...path/to/wine-mono-6.1.1_ED.msi

Now the Launcher will start – but it can't render any of the GalNet News or Frontier Store adverts because there's no web browser components available. Wine will prompt for your permission to install Gecko – say yes if you want; I don't think you strictly need it, but the Launcher looks more normal if you do!

You will need to log in with your CMDR's Frontier account now. It'll work as long as you remember your credentials!

You might also get the Hardware Reporter popping up, which is a debug reporting tool. Cancel it, because Frontier obviously don't support the game being played under Wine or directly on Linux, and can't do anything with your reports anyway.

Pressing PLAY ... but not yet!

At this stage, pressing PLAY will launch the actual game. However, this is where we'll start running into problems with the efficiency of DirectX running under Wine, and any complications with your actual video card drivers.

I had installed the proprietary nvidia-driver-450 previously, this isn't perfect (I occasionally see corrupted blocks on the screen after sleeping the machine, for example, but a simple move or redraw fixes them) but it's probably the best option for my card. Obviously many of you will have different video cards, and will need different drivers, but I don't think it is going to make a difference here ... as long as you have an efficient 3D driver for your card that exposes a decent API it shouldn't matter what it is.

But Wine running DX9 isn't going to know about this, as far as I can see. If you run the game, the 3D graphics will probably be CPU bound, and I ended up crashing my machine a few times. Going through the initial shader generation took over 30 minutes, too, which isn't helpful!

Vulkan

So, I installed Vulkan into the Linux machine. This is an alternative API to DirectX, that's known to give better performance, and as I'm installing it on the Linux side, it will be aware of the NVidia drivers. This doesn't help us completely yet, but ...

sudo apt install libvulkan1 libvulkan-dev vulkan-utils

DXVK

The next part of the job is to install DXVK into the Windows environment. This tool translates the DX9 requests that Elite makes within Windows into Vulkan requests that Linux knows how to answer efficiently.

(I've also heard that it's very good at doing the same thing in a pure Windows environment, speeding up Windows games trying to use DirectX by diverting their requests to the more efficient Vulkan API)

I went to https://github.com/doitsujin/dxvk/releases and grabbed version 1.8.1, unpacked the tar file and executed the setup script under Wine

wine ...path/to/dxvk-1.8.1/setup_dxvk.sh install

You can run winecfg again at this point, and you'll see overrides in the Libraries section, with various DirectX libraries now provided by 'native', which basically means the DXVK tools you just installed.

Success, but still some issues

At this point, pressing PLAY will launch the final game executable, that will make DX9 calls for 3D graphics when you actually enter the cockpit. DXVK will divert those calls to Linux's libvulkan, and from there to the NVidia driver, efficiently.

Now, I still had lots of problems and crashes, when trying to get to Fullscreen or Borderless setups. If you set a resolution & the game crashes before switching back, you may need to find Elite's DisplaySettings.xml file (in $WINEPREFIX/drive_c/users//Local Settings/Application Data/Frontier Developments/Elite Dangerous/Options/Graphics/) and change the FullScreen value back to 0 for 'windowed', and also perhaps the ScreenWidth and ScreenHeight values too.

However, after an actual reboot of Linux (which might have made some difference to the order things were loaded in) and a couple more retries of the Graphics settings in-game, I now seem to have a stable Borderless 1920x1080 display with Ultra settings.

All I need to do now is to remap my HOTAS and I can fly free once more!

o7 Commanders!

CMDR Yojimbosan, Radio Sidewinder 📻🐍

TL;DR

  • nvidia-driver-450 for my GeForce GTX 970
  • apt install libvulkan1 libvulkan-dev vulkan-utils
  • Wine 6.6
  • wine setup_dxvk.sh install
  • wine msiexec /i wine-mono-6.1.1_ED.msi
  • wine EliteDangerous-Client-Installer.exe
  • wine "$WINEPREFIX/drive_c/Program Files (x86)/Frontier/EDLaunch/EDLaunch.exe"
  • Optionally allow Wine to install Gecko
  • PLAY Elite:Dangerous!

Once “the Internet” discovers a new SMTP service, it will be hammered by the spammers' botnets.

History Lesson

In the Old Times, every email was wanted, and every connection that was made was precious. Even spam, which was invented in 1978 (by a salesman). Then in 1994, large-scale spam was invented (by a lawyer, of course; because there were no laws on the subject, no laws were being broken) ... and by 1996 the idea of 'reputation' for a server was developed and the first blacklists of IP addresses were developed.

Of course, as any infosec practitioner should be able to tell you, maintaining blacklists is fundamentally impractical. Unfortunately for the Internet, maintaining whitelists of trusted senders was also impractical, as more and more companies sprang up on the Internet running their own mailservers.

Some of these new mailservers were configured in the old default co-operative manner – they didn't care about where a message came from, they only cared about trying to deliver it. This original position was no longer tenable, and became shamed as an “Open Relay”, and this damaged their reputation so that no-one else accepted their messages ... and when companies reputations are threatened, they sometimes fight back. Some of the blacklist operators went out of business as a result.

In the early 2000s, email content analysis was an increasingly popular approach, but did not put an end to the rising tides of spam. Laws were passed, and enforcement in many countries caught up with some egregious offenders; but as spam is effectively free to send, and some users still receive, read and interact with it (for a multitude of reasons), it continues. I'm not going to discuss content analysis here, we don't have time for it.

As we move into the early 2020s, the techniques for sending spam have changed from abusing the pre-existing and broadly legitimate email infrastructures, to sending via 'botnets' – vast collections of computers and other internet-connected devices that have been compromised by attackers and without the real owners' permissions are used to attack the rest of the Internet.

The other main sending technique is more invidious – email services belonging to real people are compromised, generally via phishing. Then the compromised accounts are used to send outbound email – sometimes in a targeted fashion to existing contacts of the user, but also sometimes just a large-scale attack on un-related destinations.

Types of spam

A non-exhaustive selection of spam types ...

  • Selling products
    • Legal products – this is “marketing”, and is where spam started. Lots of spam advertises porn websites that are themselves legal.
    • Illegal products – in the USA, this is often pharmaceuticals and oddly enough the 'companies' selling the drugs often provide excellent customer service – even if its just to prevent complaints that the credit card companies might find out about!
  • Malware
    • “Virus” propagation
  • Exploitation of the user
    • Phishing – steal the user's credentials
    • 'Advance-fee' scams (e.g. the 'Nigerian 419', romance scams, iTunes cards, etc)
    • Vanity publications – 'fake' Diplomas, pay-to-publish presses, directory listings
    • Financial fraud – fake invoices, traffic tickets, etc

Many people are somewhat wary of email coming from an unknown sender, but conversely much more trusting of email that claims to come from an existing correspondent. With the use of compromised accounts for sending email, the trust mechanism is even easier exploit.

Techniques for defence

IP blacklisting / reputation scoring

Blacklisting IP addresses was discussed above, and attempts to enumerate 'known to be bad' sources. Unfortunately this doesn't help you with 'not yet known' sources – although the absence of a 'known to be good' signal might sound like it is helpful.

However, reputation lists suffer from some issues. The range of IP addresses is large for IPv4, and immense for IPv6. Therefore your blacklist can grow to unmanageable size very quickly, and you're left considering when you can remove entries from it, which only increases the size of the 'not yet known' category.

Ideally, your blacklist should be a co-operative effort with other people listing IPs that they have found to be bad, in order to reduce the 'not yet known' group. In practice, commercial providers running anti-malware services aggregate their observations and create these lists, but they tend not to sell them independently from their services.

And the whitelist approach has some deficiencies, which only SPF has attempted to allay; one unexpected problem is that so many companies have outsourced their email handling to a small list of global suppliers, and “everyone is using gmail” means that you have to assume that some compromised accounts will be sending spam from the very sources that you wanted to whitelist.

It ends up being a bit like the Battle of Wits from The Princess Bride ...

All I have to do is divine from what I know of your IP address. Are you the sort of person who would send spam from his own server, or from his enemy's? Now, a clever man would send the spam from his own server, because he would know that only a great fool would accept a connection from an unknown sender. I'm not a great fool, so I can clearly not accept the IP address in front of you. But you must have known I was not a great fool; you would have counted on it, so I can clearly not accept the IP address in front of me.

IP greylisting

It has been observed that the software used by botnets to send email doesn't tend to have the same approach to 'reliability' as a normal mailserver – if there is a problem in delivery, botnets tend to just assume the worst and move on to the next target, whereas a legitimate email server will hang on to the message and retry repeatedly over time, giving the far end the opportunity to fix their presumably broken servers.

As such, if you start every conversation with a previously unseen server with an immediate disconnection, you are relying on legitimate mailservers to retry later (when you will accept their connection) and on botnets to give up on you and not come back.

There are two failures associated with this – large services like gmail maintain a pool of many outbound email servers, and the next retry will probably not come from the same IP address anyway. So you have to reject your way through most of their servers before any get accepted, and if your greylist list is itself time-bounded (to prevent it growing uncontrollably) you might never be able to reliably accept email from such a source.

The other failure is that although that one single message might have been avoided, the botnet operators simply don't care, and your email address will stay on their lists, and they'll still attempt all their other deliveries to you anyway.

The final issue affects everyone – timeliness of delivery. Greylisting doesn't allow you to specify when a message should be retried, it is up to the sending server. Many people are getting used to the idea that email is fast – go to a website, fail to login, fill in the 'forgotten password' form, receive the email with the link to re-enable access ... wait. Retry. Wait again. Curse. Go do something else ... and eventually the reset email turns up, but you're busy now with a different task ... this time-scale isn't controllable by you, and the sending server doesn't tell you what it will be doing. The users suffer.

SPF, DKIM, DMARC, DNSSEC

These technologies all try to provide methods to 'prove' that a given connection is legitimate, and that you as the receiving server should accept the message they represent. They all need a form of mutually-agreed “authority”, and in this case they rely on the Domain Name System, which seems like a reasonable decision, because without the DNS you probably aren't able to understand email addresses anyway. But with the full 'commercial' or 'criminal' value of email being established by the amount of spam there is in the world, you need to make sure that the data in your DNS entry is secure against tampering, and for that you need DNSSEC. But uptake of DNSSEC over the past 6 years hasn't been terribly widespread, so you can't take a position to reject email that doesn't rely on it being present ...

And they're all basically forms of content analysis, so they're out-of-scope for this blog post, which is long enough already!

Conclusions so far ...

Because there is so much spam being sent, an email server needs low-cost techniques to reduce as much of the load as possible. Rejecting a connection to your email server before you have to process the content is valuable.

IP reputation lists are mostly commercial now, but only available if you use the associated product to handle your email.

IP Greylisting is still reasonably effective, but burdens the end-user with unpredictable delays to inbound messages.

Effectiveness – based on my observations running two large email sites over the last 10 years or so, both techniques are broadly 80% effective, but it is difficult combining anything with a commercial product without increasing complexity.

There seems to be some increasing push against CAPS-LOCK in the mainstream, on all those default keyboards it takes up so much real-estate for so little return.

On my WhiteFox keyboard, I've removed CAPS-LOCK completely, and returned to the old Sun3 keyboard use of Control in that position. I've used the keyboard to remap right-fn/control to toggle the lock, but I was interested to try the same mechanism as iOS/Android have for on-screen keyboards, where double-tapping SHIFT locks it in place (and here you can start the discussion about the differences between SHIFT-LOCK and CAPS-LOCK if you want!)

I couldn't find any mechanism in Kiibohd to do what I wanted; I can set a macro for "[ LS+LS ] => [ CAPSLK ]" which works if I hold the left-SHIFT down long enough for key repeat to kick in, but not for "[ [LS] , [LS] ] => [ CAPSLK ]" – its a valid macro but doesn't seem to trigger.

So I ended up looking at Karabiner-Elements (free software, public domain using https://unlicense.org) (https://pqrs.org/osx/karabiner/index.html) as yet another helper program to run at startup :–) This does allow a “complex modification”, but doesn't help you with the UI to create your own, instead offering a “download examples from our website” process. However, the long and short of it is that this program will read $HOME/.config/karabiner/assets/complex_modifications/ at startup, and any valid json file in there is available for use (not automatically enabled).

So I did the decent thing and copied someone else's script first; “Double tab left_command to become left_control”, (https://pqrs.org/osx/karabiner/complex_modifications/json/double_tap_cmd_to_ctrl.json), and then replaced left_command with left_shift and left_control with caps_lock ... reformatted the file for clarity, restarted Karabiner, enabled the new rule, and enjoyed the results!

{
  "title": "Double left_shift toggles caps_lock",
  "rules": [
    {
      "description": "Double tapping left_shift toggles the caps_lock function. Useful for keyboards without an original caps_lock, or people who are more used to the touchscreen/iOS keyboard paradigm.",
      "manipulators": [
        {
          "conditions": [ { "name": "left_shift pressed", "type": "variable_if", "value": 1 } ],
          "from": { "key_code": "left_shift", "modifiers": { "optional": [ "any" ] } },
          "to": [ { "key_code": "caps_lock" } ],
          "type": "basic"
        },
        {
          "from": { "key_code": "left_shift", "modifiers": { "optional": [ "any" ] } },
          "to": [ { "set_variable": { "name": "left_shift pressed", "value": 1 } }, { "key_code": "left_shift" } ],
          "to_delayed_action": {
            "to_if_canceled": [ { "set_variable": { "name": "left_shift pressed", "value": 0 } } ],
            "to_if_invoked":  [ { "set_variable": { "name": "left_shift pressed", "value": 0 } } ]
          },
          "type": "basic"
        } ]
    } ] }

Purplecon 2019 laura bell, security confessions of a small country, https://purplecon.nz/talks#laura-bell, https://www.youtube.com/watch?v=k-cM5tBkwwk&list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6&index=10&t=0s

we live in a small country. while geographically we're not a pip squeek, in terms of population we're really rather adorable. so how does being a small country affect our approach to security and how can we learn to love our little island thinking and use it as a superpower.

  • Not a fan of large USian frameworks like NIST, because most of NZ is too small & generalist to fit, and has different targets/adversaries
  • figure.nz is good for interesting data
  • most of our businesses don't have a traditional “polite” white collar office environment, they literally work in the field
  • we have more inherent trust, and less defensive responses
  • go to https://opensecurity.nz/ to share NZ-sized solutions

Purplecon 2019 brendan shaklovitz, face your fearful foes to dodge a dark and dreary phishy fate, https://purplecon.nz/talks#brendan-shaklovitz, https://www.youtube.com/watch?v=yNEnlcTgfnQ&list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6&index=11&t=0s

after a short stint with the malicious masterminds of our red team, i've seen the terrifying tactics that real attackers could use against you. it's dirty, underhanded, and quite brilliant, and it's only fair that we level the playing field a bit by sharing some of our secrets. in this talk we'll skip past basic tech-support scams and talk about lovingly hand-crafted “spear phishing” campaigns specifically targeting individuals based on publicly available information. who knew your gaming habits would be your downfall? and finally we'll talk about some things you can do to really ruin a fledgeling evil mastermind's day, and repurposing some strategies learned from a career in site reliability engineering to help create a psychologically safe environment where people aren't afraid to tell you when they make mistakes.

  • (Atlassian SREs rotate into red/blue teams)
  • Recon via social (LI, photos) can reveal a lot more than you thought, including hw/sw
  • osquery is good at endpoint monitoring
  • build a security culture
    • give rewards – even just stickers, but also internal store 'credits' if applicable, etc

Purplecon 2019 tom eastman, protecting people from social media harassment, https://purplecon.nz/talks#tom-eastman, https://www.youtube.com/watch?v=b1bTKHdvGjo&list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6&index=16&t=0s

in some ways, twitter seems like it was designed from the ground up to be the perfect tool for harassment. twitter’s own mechanisms that are supposed to protect users sometimes seem to be pretty inadequate to the task. so i decided to make a few of my own. along the way, i got to grapple with some interesting challenges, including and especially how to build a tool safe enough for use by people who have been threatened online. in this talk i explore risks you have to consider, how you mitigate them, and the ethics of the decisions you end up making.

  • Tom wrote Secateur, which tries to restrict dogpiling on twitter by blocking a blocked users' followers; but only for a period of time
    • Therefore the app has to hold an OAuth token on behalf of its user
    • Therefore it must be open source and able to be run by the user, because why should they trust Tom while they're being attacked?
    • threat model the app server assuming the dogpilers will attack it as well

Purplecon 2019 helen, an introduction to ghidra, https://purplecon.nz/talks#helen

so the nsa made its internal reverse engineering toolkit open source in early 2019, which means everyone now has access to a thing for free. sure... it has dark mode. a five minute overview on getting started for the overwhelmed and/or the lazy.

  • Shared projects are hosted on a server (there are public non-NSA ones) to share a job between multiple researchers
    • Decompiler + function graphs looks like IDA
    • Has an API for automating goodness
    • Had no backdoors, guaranteed!

Purplecon 2019 kirk, incident response drills: how to play games and get good, https://purplecon.nz/talks#kirk, https://www.youtube.com/watch?v=-8BeooqxuAo&list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6&index=7&t=0s

computers are exceptionally good at taking instructions and making very fast, very precise mistakes very reliably. humans are conceptually similar but interpret their inputs and decide on courses of action based on experience. preperation and rehearsal for messy, no-notice events that are definitely (hopefuly) not business as usual makes us more chill for when something (production) does go down due to novel (gremlins) issues. incident responders should practice for sensitive and time-critical events before they happen so they are able to return things to a safe and stable state with grace and aplomb. this talk is for team leaders or security program owners interested in the craft of using incident response exercises to develop their people. we will learn how these synthetic experiences can be devised against specific environments and standards with measurable outcomes. finally we will cover ways to easily scale difficulty and iteratively improve your exercise program.

  • How to get from a bad place to a good place
    • think about it in advance, perhaps?
    • like fire drills, earthquake drills etc
  • practice, because real events add real stress on top of the job
  • Check Maslow's learning hierarchy
  • Telling war stories explicitly passes knowledge on to juniors
  • mentoring/coaching is a better structure though
  • making exercises “engaging” helps
    • “Zombie Preparedness” programme worked
  • Being an RPG DM is great preparation
    • qv Cathy/TradeMe's similar RPG talk

Purplecon 2019 mikala easte, risk management without slowing down, https://purplecon.nz/talks#mikala-easte, https://www.youtube.com/watch?v=2S6acN_QY_Y&list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6&index=13&t=0s

most organisations start out relying on people and their expertise when making decisions, but this doesn't scale well and leads to bottlenecks and pain. larger corporates rely on processes, controls and systems, but these can overwhelm smaller companies. i'd like to share some thoughts on how to set up lightweight risk management processes to empower teams to make informed decisions and not just rely on what the security person thinks of it.

  • halfassing the job is better than not doing it
  • just keep a risk register, write everything in it
  • review it – even accepted risks, because the world outside might have changed
  • involve multiple people in the risk-setting process