Archive for the 'General' Category

Oct 27 2013

Making the right mouth noises, but…

Published by under General

The security team at LinkedIn is stating they’ve done a spanking awesome job of securing Intro and that we should trust in them.  This came out on Saturday in the form of a blog post from LinkedIn’s Cory Scott.  Cory has an impressive background, with time spent at Matasano Security and Symantec.  You can check out his LinkedIn profile for yourself if you want.  And it sounds like they’ve got a pretty good setup.  But he’s missing the main point: LinkedIn has painted a huge target on themselves by asking for access to data they should never be asking for in the first place.

I could pick apart every single claim he has made in the blog post; I have to explain and defend similar statements every day in my own role, and what he’s said is almost meaningless given the level of detail he’s telling us.  What does it mean to have a ‘tight security perimeter’ or ‘the right monitoring in place’?  A tight perimeter only lasts until the marketing team decides they need direct access to data or an admin makes a mistake on a network configuration.  What is ‘the right monitoring’ in this case?  How closely is LinkedIn looking at the data coming into, and more importantly, leaving their network?  LinkedIn has had several high-profile compromises in the last few years, and I’m willing to bet that they thought they had the proper level of monitoring in each of those cases too.

The real problem is what LinkedIn had to do in order to create Intro.  This isn’t actually much of a program; it’s really a configuration file that you install to give LinkedIn permission to insert itself into the traffic between iOS and the IMAP server you’re connecting to.  They’re breaking the communication channel and any security surrounding it in order to be able to insert their own content.  Even if they don’t monitor the emails’ content itself, the metadata about the emails you send is invaluable when it comes to understanding your network of contacts and friends.  Just look at how closely this mirrors the current international debate about the NSA.  I can’t see why anyone would be more willing to trust LinkedIn than they’d trust a shadowy government agency.  At least the NSA supposedly has our best interest at heart and won’t sell our data in order to meet Wall Street earnings numbers.

Then there’s the issue of being able to inject HTML code and a user interface (UI) into your email, one that allows them to push HTML and CSS to your desktop.  How much testing has that really undergone?  How is the system protected from malicious code being injected into the stream?  If these systems are somehow compromised, then the entire user base of LinkedIn could easily be compromised.  Or an attacker could wait until a specific target uses the service, vastly increasing the chances to remain undetected.

I maintain that LinkedIn has made a huge mistake with Intro.  If I were a well-funded, adaptive attacker, I’d be quickly sniffing around the edges of Intro, looking at how I could compromise the profiles, whether I could intercept the communication between the devices and LinkedIn, and how I could compromise the servers and services LinkedIn is offering.  They’ve made themselves the center man in a circle of communication, a role I have a hard time believing they’re ready for and that they have the ability to properly secure.  This isn’t the type of activity and network that standard security practices, even done right 100% of the time, are ready and able to handle.  LinkedIn’s history doesn’t leave me feeling they’ve done even standard security practices to industry-leading standards, so why should I feel they’ve done it right this time?

If Intro lasts a year without some sort of class break or system compromise, I’ll be surprised.  I wish them luck, but I maintain this was a bad idea any security professional should have called a halt to early in the planning process.  And I won’t be surprised if Apple calls a halt to this either.

One response so far

Oct 22 2013

Renting isn’t an excuse for spying

Published by under General

I know Rich, Zach and I have talked about Aaron’s before on the podcast.  This is a company that rents out many items to customers, including laptops.  A few years ago they thought it was a good idea for some of their franchises to install software on the laptops which allowed administrators at the stores to take screenshots, capture keystrokes and generally spy on the activities of the users of the computer without their knowledge.  And apparently some administrators were using this capability to take pictures of them in ‘intimate moments’.  Yeah, I think we all know what that really means.

I’ve always said this level of monitoring of another human being, by anyone, not just the owner of the computer, is a horrendous invasion of privacy.  We have so little privacy left as it is; having the computer you rented take pictures of you is inexcusable.  I fully admit there are legitimate uses of this sort of technology, such as finding a stolen laptop or tracking a deadbeat renter, but this type of usage has to be very narrowly defined, and the administrators of the system have to be trained in the allowable uses and ethics of the technology.

This highlights the problem of enabling spying capabilities in a microcosm.  If we don’t very carefully lay out what is and isn’t acceptable usage, the systems are going to be abused.  Some of it will be innocent testing of the limits and finding edge cases.  But a lot of what will happen is that people will do things they know are wrong, simply because it feeds their darker desires.  

Aaron’s took a running leap over the line with their spyware and never even understood that there was a line.  I’m sure the legal battle with their customers and the FTC has made them painfully aware of that line, and they’ll be a lot more careful in the future.  But I’m waiting for a car dealership to install something similar in all their rentals.  Oh, wait, they’ve already done that and been slapped down.  Maybe next, furniture rental places will put motion sensors in their sofas to determine when people are having sex on the couch and charge them extra at the end of the contract.  It could happen.

No responses yet

Oct 21 2013

RSA EU is all too soon

Published by under General,Public Speaking

Next week is the RSA Europe conference in Amsterdam.  I’m speaking three times at the conference: once as a sponsor, once with my own topic and once in a lightning talk, aka a Pecha Kucha talk.  And at just 6’40″, it’s the PK talk that scares me the most.

The PK talk scares me because it’s such a rigid format.  20 slides set to forward automatically every 20 seconds means you have to have your patter down.  I don’t usually speak in public like that.  I generally use my slides as a template that I can hang talking points off of, but I don’t have a rigid script I’m talking to.  This lets me control the pace and the timing as I want to, rather than needing to go at a set pace.  So, yeah, it scares me.

The other part of giving the lightning talk is that some of the best speakers in security have given them, and I can’t help but compare myself and be found wanting.  Katie Moussouris, Josh Corman, and Rich Mogull, all friends, have given the talks and rave about how much fun it is, but they also talk about how hard the format is.  Any one of them probably has a dozen times the speaking experience I do, and if they found it hard, how is it going to be for me?

So, if you’re in Amsterdam next week at RSA Europe, whatever you do, don’t come to the lightning talks!  Don’t come see me embarrass myself!  I already feel like an idiot abroad, don’t make it any worse.

No responses yet

Oct 15 2013

Don’t ask for my password or PIN, United!

I’ve been a United Airlines customer for years.  I’ve been very loyal to United and the Star Alliance.  I’ve flown over 300k miles with them, and I’ll have flown over 100k miles this year alone as of my next trip.  I’m in the top tier of their frequent flyer program and they generally treat me very well, with the kinds of exceptions that plague every airline, like maintenance and weather delays.  But they do one thing that really, really bugs me and they need to change it: when I call in to use my mileage or alter a ticket, their customer service representative asks for my PIN!

When you log into the United site, you have two choices: you can use your password or a four-digit PIN to log in.  The same PIN or password can be used to log in to the mobile application as well.  This login allows access to all aspects of the account’s capabilities, allowing the user to change flights, get updates and spend frequent flyer miles.  In other words, total control of the account.  And the customer service reps need this PIN in order to make changes to my account.

This is why I’m extremely annoyed by the way United treats my PIN.  In effect, every time I call in to United, I have to give up total control of my account to a complete stranger.  I have to either trust that they are well vetted by the airline, something I’m not entirely sure is true, or go through the hoops of changing my PIN every time I call in to United’s customer care services.  Alternatively, I can ignore both of those options and simply hope that nothing happens when I give up my password.  I’ve done all three at various times, but it still makes me angry that I have to choose one of these options.

I’ve complained to United several times when calling in.  I’ve talked to the agent on the phone, I’ve asked to speak to a manager, but as recently as last week they showed no sign of understanding that this is a problem or of making any changes.  The requirement to give up my password seemed to coincide with the merger of United and Continental and the adoption of the Continental computer systems.  The impression I’ve received from sources inside of United and out is that the Continental system was developed in the mid-70s and has been largely unchanged since then.  Yes, they slapped some lipstick on the pig in the form of a web interface, but the back end is still a mainframe of some sort with a security model that hasn’t changed since its inception.

I have to appeal to United’s security teams: please, please, please find some way of changing your system so that I don’t get asked for a sensitive piece of information like my password or PIN every time I need to talk to your agents about a change to my flight!  I realize there is no credit card data directly available from my account, but my flight information is, and it opens up the ability to change my flights or spend my mileage.  This really is something that shouldn’t be allowed in the modern age, from a multi-national corporation that really should know something about security and securing customer data.  Between moving to the UK and your poor security, I’m seriously thinking it’s time for a different airline.

One response so far

Oct 07 2013

Explain it to me

Published by under General,Hacking,Humor

I’ve never hidden the fact that I’m a bit of a rebel.  Okay, to be honest, I’m proud of being a stubborn contrarian who’s going to do what he thinks necessary, despite what it might cost in the future.  Part of the reason is that I’ve always been smarter than average and I feel that I see and understand things in ways many others don’t or can’t.  And as long as I’m being honest, I also enjoy the chaos this engenders and the ability to thumb my nose at convention and authority.  I like upsetting people’s preconceived notions and making them think about things they might normally shy away from contemplating.  I want improvement over the present and I despise the status quo.  And I don’t think I’m at all unique amongst security professionals; we’re almost all rebels to one degree or another.

I believe people who love security as a career are similar to me in large part.  We’re people who see a problem that needs to be solved, puzzles that need to be unlocked and mysteries begging to be revealed.  Constant learning is something that is the hallmark of a good security professional.  If you look at the most successful hackers, they got to the top because they can’t pick up a piece of electrical equipment or software without trying to see how it works.  We want to understand, to unlock and hopefully to gain just a little more knowledge about how the world around us works.  And yes, I include ‘hackers’ in the continuum of security professionals, as a subgroup who tends to embrace the chaos more than the more corporate professional.

Let me give you an example.  Over the summer at a small conference in Las Vegas, a select group of us met at a restaurant for dinner, a not uncommon occurrence for that time of year.  What was a little unusual was that when we sat down, the waitress handed the group a set of iPads with the drink and food menus on them.  Apparently we were meant to place our orders through these devices and the waitress would magically bring them out several minutes later.  But you should have seen eyes light up around the table as everyone started considering how to break out of the menu app and make the system do things the restaurant had never meant for their app to do.  It was like Christmas in July!  Needless to say, it was only a few minutes before we had to hand one of the iPads back to the waitress with an explanation of “Umm, we think this one is broken, it shows another restaurant’s menu.”  They’d figured out how the tool worked, unlocked the puzzle and had some fun, all in one fell swoop.  This curiosity is the core of who we are.

This need to understand is one of the things that makes many security professionals hard to work with.  We don’t take orders well, or at least I don’t.  We want to understand the underlying logic of a decision; we want to understand the thought process that went into making the decision and why it’s the best decision.  “Because it’s always been done this way” is the bane of our existence; when was the last time anyone examined the why of that way?  Does doing it that way still make sense?  Is there a better way of doing it?  Does doing this actually accomplish our goal, or is it just busy work?  Managers don’t want to explain, they just want to get the task done, despite the fact that the task might not be leading towards the actual goal, but away from it instead.  And sometimes that’s the right thing to do.

We, as security professionals and hackers of the reality around us, have to be aware of this need to understand and unlock within ourselves and take steps to counteract it when appropriate.  Personally, it’s hard for me to accept “this is just the way it needs to be done”, but sometimes that’s the correct path.  Those moments are relatively rare; I prefer that the people giving me direction explain what it is they hope to accomplish and let me figure out how to do it best.  In the main, we have the time to discuss, to understand and to come to an optimal solution for the problem, and often if we take the time to do so, we realize the problem we were really trying to solve is not the problem we thought we were trying to solve.

It’s always important to understand your own motivations in decision making.  It’s also important to understand the motivations of the people around you in that same process.  I don’t claim that every security professional is driven by chaos and curiosity, but most of the ones I gravitate towards are.  We see chaos as a method to drive improvement.  But being aware of that motivation and how it influences the decisions we make will help us not only make the right decisions, it will help make those decisions in a way that is less stressful for us and those around us.

So let your coworkers know that you’re not challenging them, you’re challenging the decision making process and seeking to understand why a decision was made.  You want to understand what the goal was and how the decision leads to that goal.  But also understand that sometimes the analysis of a decision is not a luxury that can be afforded at a particular point in time.  There are times where we just have to take orders and shut up.  It seems to go against the grain of who we are, but it’s an unfortunate necessity in some cases.

I’m lucky in that I’m at a point in my career, in my life and in my role where I’m not only accepted as someone who’s supposed to question the decision making processes, it’s expected of me.  You can’t be a ‘thought leader’ if you never question authority, never question the status quo, never question the reasoning that brought us to this point.  But I also have to be cognizant of the fact that what is generally one of my strengths can also be one of my greatest weaknesses if I’m not careful.  Giving in to the desire to understand when things just need to get done leads to frustration for everyone involved, and is harmful to the mission when done at the wrong time.

I may be grossly generalizing my own rebellion onto the entire security and hacker community.  I know a lot of people are going to say, “I’m not at all like that”, and they may be right.  Each of us has our own unique set of motivators that push us into the decisions we make.  But this is a set of motivators I see as a commonality in the community I live in.  Understanding your own motivations is one of the best ways to combat the frustration we often feel when dealing with people who don’t see the world as a puzzle like we do.  And knowing they don’t see it the same way might help us communicate in ways that settle some of their frustrations as well.

5 responses so far

Jun 11 2013

Rage against the Machine II

Published by under General

While it was good to maintain a list of the stories coming out about the NSA spying scandal, today I realized we’re starting on the second phase of this event.  Most of what we heard late last week and over the weekend was the initial reaction and often contained speculation and hyperbole.  But now that a few days have passed, we’re starting to see more details emerge and the battle lines being drawn.  Luckily those lines aren’t along familiar party lines; instead they’re being drawn along the division between people who think the government is worthy of our trust and is protecting us and those who don’t trust it.  And the discussion is spreading out from just this leak to a greater discussion of what privacy means.  I am obviously in the camp that believes any tool of this magnitude is going to be misused massively, if not right now, then some time within our generation.  And given some of what we’ve seen recently, I can’t really see how the people who say “Trust the government” can support that position.

For the first in this series (I hope), read Rage Against the Machine.  I’ll admit it starts off a bit hyperbolic, but I was, and am, pissed at our government.  And I’m reading every one of these stories before posting, so you hopefully don’t have to.

  • U.S. Surveillance Leak in Criminal, Congressional Probes – (Added 20:45, 11 June 13) This is less an actual story and more a collection of the facts, such as who’s calling for probes and special committees.  There’s very little analysis, which is actually a bit refreshing, given how rabid some people on both sides of the argument have been.
  • Defeatism is Premature:  You Better Fight for Your Right to Privacy – (Added 20:55, 11 June 13) I like this article because it has an odd sort of optimism in the midst of all the doom and gloom on both sides.  We can decide what privacy looks like in the future, we don’t have to let the current situation persist.  But We the People have to stand up and start making a difference in how our government treats us and our information.  We can change reality if our will is strong enough!
  • StopWatching.Us: Mozilla launches massive campaign on digital surveillance – (Added 21:00, 11 June 13) Leave it to Mozilla to charge in where angels (and most other businesses) fear to tread.  Get involved with activists, though I’m not sure how much effect online campaigns have on the members of Congress.  Too easy to delete those emails, unless they’re using Gmail (stupid Android update!)
  • FISA Court Has Rejected .03 Percent of all Government Surveillance Requests – (Added 21:10 11 June 13)  Sigh.  I don’t care what those in government call the FISA Court, the rest of us call it a rubber stamp.  11 rejected requests out of 33,900.  I’m surprised we were even allowed to know how many requests there really were.  If we were given the truth at all.
  • First Lawsuit Over NSA Phone Scandal Targets Obama, Verizon – (Added 21:15, 11 June 13) It’ll be interesting to see if this lawsuit goes anywhere, since some of the previous lawsuits have been shot down because the plaintiffs couldn’t prove they were affected by the spying.  But since EVERYONE who’s a Verizon customer was being spied on, that’ll be a weak defense.
  • NSA Leaks Present a Business and Ethics Crisis for Silicon Valley – (Added 05:40, 12 June 13) I don’t think it’s too much of an exaggeration to say this may be one of the events that shapes Silicon Valley for years to come.  All of the CEOs of the major companies have denied any involvement (using a lot of weasel words, of course) with PRISM, and they need to decide where the line stands in being complicit with this program.  So far, they’re on the side of the government, but that could change.  Who will be the first to cross over?
  • You’re Being Monitored all the Time – Deal With It – (Added 05:50, 12 June 13)  I hate the attitude that it’s too late to do anything about it, so get over being monitored.  It’s not too late, we just have to stand up for our rights and decide what’s right and wrong in the new digital age.
  • It’s Not About Your Cat Photos – (Added 06:00, 12 June 13) You need to read this article for a historical perspective on spying powers in the United States.  It’s not a matter of if the government will abuse their power, it’s a matter of when and how often.  The NSA is filled with bright people willing to do anything to protect the American people.  All it takes is a few who are too zealous to step over that line to make us into a full blown police state.  Hopefully we’re not there quite yet.
  • Lawmakers question legal basis for NSA surveillance – (Added 17:30, 12 June 13) In theory, we still live in a democracy and vigorous discussion of ideas should be a good and proper way to govern.  In reality, we live in a republic that’s mangled the concept of free speech and privacy beyond anything that would be recognizable from 20 years ago.  Whether you believe the NSA is good or evil, we need to have a national debate on what is appropriate.  I’d love to see not only the NSA, but all businesses have their access to our personal data heavily curtailed.
  • Asking the U.S. government to allow Google to publish more national security request data – (Added 17:35, 12 June 13) I still don’t quite understand how allowing any sort of reporting on the statistics around the National Security Letters would curtail the NSA’s ability to do their job.  If the bad guys aren’t utter morons, they already know that their movements are being monitored.  So telling the world how many NSLs have been sent out wouldn’t do more than …, nothing.  From what I can tell, it would have no effect, unless someone can explain to me otherwise.
  • Former NSA Whistleblower Sheds Light on the Science of Surveillance – (Added 17:45, 12 June 13) Here’s someone who’s already suffered to bring to light the abuses our government has committed, talking to a magazine that understands the scientific issues with monitoring, not just the moral and constitutional angles.  If you’re curious why ‘metadata’ is so important, here’s a good resource for you.
  • WH defends DNI director Clapper after congressional testimony draws fire – (Added 17:55, 12 June 13) “the most truthful, or least untruthful” response he could?  Even in Washington, DC, that’s called ‘lying’.  It’s one thing when the head of the NSA lies to the public, that’s almost expected.  But when he lies under oath to the very people he’s supposedly responsible to, he’s gone too far.
  • CloudFlare, PRISM and Securing SSL Ciphers – (Added 18:05, 12 June 2013) I find Matthew’s logic on this pretty spot on for how attacks against encryption ciphers could happen.  But I find that the simplest solution that answers all of the questions we have indicates that someone handed over cipher keys from each of the companies listed in the PRISM program instead.  Senior management wouldn’t be told if the NSLs involved were worded in such a way that restricted who could be told.  Best of both worlds for the NSA and the companies involved, thanks to plausible deniability.
  • Why NSA spying scares the world – (Added 18:15, 12 June 2013) I just noticed as I tried the link for this story that its title changed since I first opened it.  Makes me wonder what else gets changed in articles when we’re not paying attention.  In either case, we’re scaring the hell out of the rest of the world right now.  We claimed to be this bastion of civil liberties and a functioning democracy, yet now we’re in the process of proving we’re neither.
  • Upcoming revelations speculations – (Added 18:20, 12 June 13) Once again, Robert Graham’s predictions.  I’m especially taken with his ideas around TOR and how the NSA could be snooping there.  And I’m totally in agreement with his points about the NSA being the biggest ‘fusion center’ for all of the different law enforcement branches.  Rob, they haven’t come for me either.  Yet.
  • Convenient Surveillance is at the Expense of the Constitution and Taxpayers  and Americans Must Call for Independent Counsel and Ouster of Clapper – (Added 18:30, 12 June 13) Both of these stories by Jody Westby are worthy of reading slowly and rereading the important parts.  The idea of Obama as a Constitutional Scholar is laughable, unless you realize he was simply studying how to dismantle it.  Asking for Clapper to step down is a must, since it’s the only way we’re going to get a full investigation into what’s happening.  I mean, we had people step down because they were having an affair!  Why should the idea of stepping down because you lied to Congress be so far fetched?
  • We Should All Have Something to Hide – (Added 18:40, 12 June 13) This is a good story to end tonight’s writing on.  Moxie does an excellent job of explaining why the ability to live unmonitored lives is so vitally important to human beings in general and a democratic society in particular.  Without the ability to have thoughts and ideas that are ‘dissident’ in nature, we stagnate and lose the ability to adapt to new situations.  This is especially important in Silicon Valley, where “disruption” is a way of life and what makes us great.

More in the morning.

Time for Captain Privacy to fly again!

No responses yet

Feb 01 2013

Send me your geeks, not your marketing department

Published by under General

If you’re reading this post, chances are you’re a security practitioner and you know exactly what’s coming up in February:  RSA.  You know the dates like you know few others in your life and you plan for months to make the pilgrimage to San Francisco and the Moscone Center.  Or maybe you don’t work for a vendor like I do and you realize a week or two before the event you need to get a plane ticket.  But in either case, most security professionals know about the RSA Conference and the tens of thousands of people who will be gathering there to look at all the cool, new blinky lights and attend the parties each night.

Besides security practitioners, there are a couple of other groups who attend RSA: Press and PR.  Press attends RSA for much the same reason that most security professionals do: they want to see the new shiny and find out what it does.  But rather than figure out how to budget for toys in 2014, the press is there to hear about the toys, then write about them for the people who can’t (or don’t want to) make it to the conference.  And the PR folks are there to do everything they can to feed that appetite for information, hopefully to the benefit of their particular client.  It makes for an interesting interplay, since the people who want the most to be noticed at RSA are not necessarily the people who are actually doing the most interesting things.

I’m lucky, or unlucky, depending on your point of view; thanks to the blog and the podcast, I get to be on both sides of this particular issue.  As part of my day job for a little internet start-up, I get to see a lot of the effort that goes into the PR and marketing for an event of this size.  There are literally months of planning, meetings and arguments about where booths will go, what direction they’ll be facing and what the main ‘message’ of the show will be.  Everyone does their best to make the most of an event that can literally cost their company hundreds of thousands of dollars, as they should.

The other side, for me, is being part of the press corps and doing my own best job of finding my own unique twist on the stories coming out of RSA.  In my case, this takes the form of microcasts, short interviews with other security practitioners and companies.  This gives me a lot of access to talk to interesting people during the conference and share those conversations with my audience.  It works, it gains awareness for the companies I interact with and everyone benefits.  Except when the PR folks start wanting me to talk to someone in their marketing department rather than the people who are actually making the product or doing the research.

I’m a security professional, I’ve been doing both the press thing and the security thing for quite a while now.  And as such, I want to talk to someone who speaks the same language as I do, has the same mindset as I do and is more interested in the cool, geeky stuff that makes their product work than spinning exactly the right message in order to get that honey of a quote in an article.  I want to talk to someone who’s as excited about information sharing and the latest attacks as I am; I don’t want to talk to a VP of Marketing who has two or three bullet points he has to work into a conversation no matter what questions are asked.  I want to talk to someone who’s willing to go off on a tangent, even if it doesn’t directly relate to his or her company.  In other words, I want to talk to another geek!

Nothing against Marketing Directors or VPs, but I have yet to meet one that’s as excited or as knowledgeable about a product as the girl who built it.  Marketing has a purpose: it’s to create and craft a message so that as many people as possible will hear it.  I understand and support that.  But that’s not the person I want to talk to!  Throw your ‘message’ in the corner with the hundreds of others that will be thrown at us this February.  We’re all inundated with messages, when what we really want is a live person to talk to, not a talking head who’s going to do everything possible to get the three bullet points about his company into an article.

Your marketing department’s job should be 99% done when the doors open at Moscone Center.  Get the technologists, the scientists and the uber-geeks in front of people like me and let them run with it.  The people who attend RSA, the people who read about RSA and the people listening to my podcast want to hear what they have to say, even if it isn’t neat and tidy and might ramble a little off topic once in a while.  If you really want to differentiate your company from the other 350-odd companies at RSA, this is going to be one of the best ways to do it.  At least in my case.

So let’s gird our loins and continue preparing for this year’s RSA.  Send someone who’s as passionate about security as I am to talk to me.  Let out your researchers, who you might not normally be comfortable having in front of the press.  Have a little fun after all the stress of planning this one week in February.

One final thought:  I’m not all that interested in hearing about anti-virus, firewalls or authentication technologies.  I don’t want to hear about a tweak on a technology that’s decades old.  What I, personally, want to hear about this year at RSA is information gathering, information sharing and new, unique ways of doing security.  Tell me how your company is contributing to the knowledge of security as a whole or about a new way of doing security that’s actually effective.  Don’t tell me about your new blinky light technology that I can just bolt on to my network in order to have all my problems solved.  There are no silver bullets, even Gartner knows that.


Jan 07 2013

Rambling on writing

Published by under General

One of the main reasons I started blogging was to work on my writing skills.  Similarly, one of the main reasons I’m forcing myself to start blogging regularly again is also to work on my writing skills.  Yes, I learned to write well in high school and college, but those were both a long time ago and writing is definitely one of those skills that gets rusty when not used.  If there’s one skill that we, as security professionals, can’t afford to let get rusty, it’s the ability to communicate with the people who don’t share the same passion for risk, analysis and vulnerabilities we do.

I think the whole ‘learn to write’ meme is one we circle around to at least once a year, and there’s a good reason for it.  If you talk to people who frequently review RFPs and other sorts of open calls for papers, you’ll find that many of them cringe when thinking of the quality of writing they encounter in the process.  I don’t know the exact percentages, but I’m led to believe that as many as 50% of the papers submitted get culled in the first round just for being poorly written and full of grammatical errors.  If you can beat 50% of your competition by simply using complete sentences and proper punctuation, why not at least start by giving yourself that much of an edge?

Another place where a lack of English (or whatever your primary language is) skills shows up is in email.  How often have you read an email, only to have to call the person just to find out what they really meant to say?  Think of the last time you had to go through a long email exchange only to find that the whole thing was a miscommunication that could have been clarified with one or two sentences early in the process.  So often we’re in such a hurry to simply answer an email and get it off our own plate that we sacrifice clarity in order to simply get stuff done.  How many times have you spent time trying to decipher a coworker’s rambling only to find out he or she actually wanted something totally different from what they wrote in the email?  It’s easy for this to happen when you’re more interested in getting the email out than you are in getting the right email out.

A few months ago a friend asked me about writing and one book I recommended to him was ‘On Writing’ by Stephen King.  The book really is about half autobiography, but that makes for a good counterpoint to the whys of his editing and usage of words.  If you’re a King fan, learning about his life and the roads he’s traveled makes for a good read, but even if you aren’t, it’s still a good read in any case.  ‘Eats, Shoots and Leaves’ is another good book if you’re just looking for something to remind you of all those annoying rules that teachers tried to force into your head all those years ago.  The rules are still annoying, but at least you can be slightly amused while remembering them.

One final thing to remember is what you write about isn’t as important as the fact that you’re writing.  I’ve written over 2000 posts for the blog, and I’d say 90% of them, including this one, are rambling diatribes that probably weren’t worth repeating (or retweeting).  But the 10% of them that actually came out clear, concise and with a few good points in them are worth the time.  And I never would have written that 10% (or 5% or 1%, depending on your point of view) if I hadn’t written all the drivel that came before and after the few gems in the rough.  So, rather than wait for the perfect moment of inspiration to catch fire in your brain, start writing now with the understanding that you’ll produce a lot of crap before you have the one good thought that you’ve been trying to uncover for months.


Jan 03 2013

Morning reading 010313

Published by under General

In the spirit of my only ‘resolution’ for the new year, here’s a quick post on some of what I’m reading this week.  Like many security professionals, I read dozens of posts and articles each week, but only a few of them are worth retweeting or blogging about.  This week is the first of the year, so it’s likely many of the stories I read and rejected were about the way people looked back at the old year or looked forward to the new year.  Very few ‘prediction’ articles made it into my stream, though I did use a few of the stories to decide which sites to stop reading.  Hint:  Your ‘2013 Security Predictions’ are worth the paper they’re printed on.

  • DEFCON: The Documentary (a preview) – In his copious amounts of spare time (okay, maybe it’s what he does for a living) Jason Scott and a crew of videographers taped over 280 hours of video at DEFCON for its 20th anniversary.  He’s released a preview of the documentary, and it’s fun for me to see some of the people and places that are essential for this event to happen every year.  If you’ve never been, don’t be intimidated by some of the strange antics you see in the preview; people let loose at DEFCON in ways they won’t most of the rest of the year.
  • how the pci standards will really die – I was initially a fan of PCI when I started working in that portion of the field six or so years ago.  I was hopeful that it would spark change and force businesses to spend more energy (and money) on security.  It did, but the standards stagnated and really haven’t changed in any significant way since those early days.  PCI Guru points out a number of the fatal flaws with PCI and why it will be the card brands themselves that eventually kill it.  Which can’t come soon enough for me.
  • My 2013 Resolutions – Unlike me, SecJitsu believes in New Year’s resolutions and this is a pretty good list of them.  We have a habit of getting a bit insular in the security community and it’s important to remember from time to time that we’re part of a larger corporate culture.  I know I need to do a better job of this myself.

And some non-security reading for you as well.  

  • To my 13-year-old, an iPhone contract from your Mom, with love – I have two geek spawn who got phones for Christmas this year, so this resonated with me.  I especially like the end, “You’ll make mistakes, we’ll work through them.”  I don’t think my offspring exactly appreciated me sending this to them via Skype IM though.
  • Best of 2012:  Raspberry Pi Projects – I love my RPi’s.  I just haven’t quite figured out any long term projects for them yet.  This article has given me some ideas though.


Jan 01 2013

Welcome to 2013

Published by under Blogging,General

I don’t generally do New Year’s resolutions.  The fact is, if I can’t work up the will power needed to do something the other 364 days a year, there’s no reason to think an arbitrary date of January 1 is going to make me any more likely to develop the internal strength needed to follow through on my commitments.  That being said, when you’re doing something public, like blogging, January 1 is as good a date as any to restart efforts.  Which brings me to this post, which is basically my New Year’s resolution to blog more.

2012 was a very interesting year for me.  I stepped off of planes on four different continents during the year and flew nearly 140,000 miles on United alone.  I took on the role of Security Evangelist in 2011 and got to a point in 2012 where I feel comfortable in the role.  I can actually answer most of the questions people ask me about the inner workings of the Akamai platform, rather than having to say “I’ll find out” and asking our engineers.  I wrote several security sections for Akamai’s State of the Internet Report.  I presented at half a dozen conferences during the year and learned a lot about what I need to do to become a better presenter.  All in all, it was a very good year from a professional perspective, and looking forward to 2013, things will continue to get better if how we closed out 2012 is any indication.  And I’ve been told I need to cut back on the travel this year, which may make the year even better.

From a personal perspective, 2012 was a ‘more of the same’ year.  The Spawn (as I call my children publicly) continue to grow at an alarming rate and my grocery bill grows at a similar rate.  Spawn0 is already as tall as Wife0 and Spawn1 is threatening to catch up to him before too long.  They both continue to expand their horizons and give me at least a little faith that maybe the next generation isn’t as completely hopeless as the current generation.  It’s that hope that keeps us from strangling them at birth, I suppose.  Neither Wife0 nor I changed much, other than gaining a little more weight and losing a little more hair.  Wait, that was just me; Wife0 is still the same beautiful woman I married 20 years ago.

What I really didn’t like about 2012 though was my blogging and podcasting schedule.  I resolved several times to write more, but didn’t follow through on it as much as I really should.  The podcast recording schedule with Rich and Zach was severely compromised much of the year, with all three of us being on the road more than we probably should have been.  We’ll be recording episode 300 of the Network Security Podcast in a couple of weeks and there’s a good possibility that we’ll be making some changes in order to make the podcast something that we can continue doing despite our travel.  It was either make some changes or quit podcasting, and all three of us have committed to another year of recordings, so plan on listening to us at least a little longer.  I wonder if we have it in us to make it to episode 500?

But it’s the lack of consistent blogging that really makes me annoyed with myself.  When I started writing in 2003, I could write about any story or just spew my thoughts onto the page randomly.  Everything was new and shiny and I had opinions on it all.  Now it’s over 9 years later and I’ve written well over 2000 blog posts; I’ve read and written on almost every aspect of security at some point.  It’s hard to think of anything that I haven’t already seen or been involved with previously that I want to write on, and so much of my thinking last year was based on just learning how to do my job the best I can, with little time left over for contemplation.  And what I do have time to contemplate creates more questions in my own mind about how we do security in the corporate world, with few answers being obvious.

So my resolution for 2013 is to write at least one blog post a week this year.  I’m not going to promise that the content of any of these posts will be spectacular or insightful, but one thing I learned from my early efforts is that sometimes it’s more important to write than to write the perfect post.  If you write enough crud, someone out there will sift through it to find the one or two kernels of wisdom that make it through the system.  Usually those kernels aren’t even what the writer was trying to express, but as long as they resonate with someone, it’s a positive.  Which is all I really want to do, create a positive impact on the security community one rambling post at a time.

With that said, this is my first blog post of 2013.  In August I will have completed 10 years of blogging.  Hopefully I’ll also have completed at least 40 or so posts by that time as well.  Maybe one or two of them will contain something you, the reader, find useful.  If not, I’ll keep writing anyway.  There are still too many ideas in my head aching to get out.
