※ “Quantum” Doesn’t Solve Anything for Cybersecurity

What security problem is “quantum” trying to solve? Would quantum solve Solarwinds? Heartbleed? Log4Shell? The 2016 DNC compromise? Any number of the social engineering-based attacks we see month after month? No, no, no, no, and no.

“Quantum” is specifically solving the problem of cryptographic primitives: that some of the fancy math problems we use to keep other humans from guessing how to unscramble our data eventually might be solvable by superscale quantum computers.

The argument you’ll often hear from quantum zealots is: “imagine if the primitives that were beneath your feet just vanished.” I don’t have to imagine, bro, that happens in software security every fucking day.

Via Kelly Shortridge.

Quantum falls in that void of things CISOs wave vaguely at when they ask consultants, “What should I do?” Other things that qualify are blockchain, AI, and any number of buzzword bits the CEO or Board members read about in the Wall Street Journal that morning and asked the CISO for the organization’s readiness/position/point of view. Effort is expended, focus changed, and attention redirected to formulate a response.

Meanwhile, and I am hitting my favorite drum again, things that could improve the organization’s current security posture, threat management, and organizational risk are being given short shrift or put off.

Accurate writing matters

Kevin Mitnick died. Several articles have been written and will be. One, by Nick Heer at Pixel Envy, calls him “legendary”.

And while Mitnick was legendary in the sense of his legend, there is no consensus in the info/cyber security industry about his impact and legacy. Quoting from Mitnick’s family-written obituary as though it comes from another less biased source is poor writing on M. Heer’s part.

I met Mr. Mitnick once at a security conference. He was pleasant.

If a software firm sells 4 months before anyone notices, does it make a sound?

Just before I read about the news of Evernote laying off its entire staff I printed and saved a receipt in DevonThink. That I cannot think of the last article I read or person who referenced Evernote (EN) is indicative of the state of that … service? Software? And it changed hands in February yet there was no mention of it in my tech heavy feeds until July.

I was a devotee of EN back in the day. It seemed magical in its ability to save things for later in an on-line world. There were apps for OS X and Windows and other platforms (via API), a recipe app, an app to log your meals, and Skitch for capturing drawings.

The story was compelling. And it was ahead of its time. Sadly, mismanagement and security issues and EN being sold (& resold & resold) and focus shifts doomed the product.

R.I.P. Evernote, I guess?

The Work One-on-One

Sasha Dichter writes on their blog about one-on-one meetings one has with their supervisor/manager/boss:

… I think the tools only work if we show up with the right mindset to these meetings.

This mindset isn’t: it’s my job to update my boss on what I’m up to.

This mindset is: it’s helpful to have a counterpart who helps me stay on track; helps me ensure that I’m prioritizing the right things; and who can help me troubleshoot when I’m stuck.

I disagree on a number of counts.

First, it implies that the boss (the term I’ll use from here on in) isn’t doing their job. Bosses should be prioritizing, troubleshooting, and setting the direction. If one has to tell the boss to do that, waiting for a one-on-one is not the way to do it.

Second, it implies the boss knows what one is doing. A good sign of a boss not having a handle on what’s happening is to ask for weekly/every-other-week/monthly one-on-one meetings. That says more about the boss than the employee, unless the employee is on some kind of an action plan.

Third, it places the onus on the employee. The boss should be coaching and advising when appropriate. When the employee is cranking along, one effective way of slowing progress is to ask about the progress.

Fourth, it assumes the boss is focused on the right things, has skills and experience to offer, and isn’t checking a box their boss wants checked. In the post, that’s even brought up: “Hopefully, your boss has some perspective and experience that you don’t have …” It’s not a given.

Fifth, it assumes the boss is open to employee feedback. If the boss has a fragile ego, if they’re exhausted, if they’re stressed, and/or if they’re unfocused they may not react as one would hope and expect.

Sasha Dichter ends the post with “The meeting is for you, not for your boss.” I find that rarely to be true. When it has been true, it’s the boss who asks “What do you need from me and how can I help?”

Well-meaning posts like that one assume an ideal that doesn’t universally exist. If one is in a bad organization, has a bad boss, is in a bad work situation, or doesn’t buy into the hustle culture narrative, then advice like this falls on deaf ears. To be clear, I’ve written similar posts to Dichter’s on this site.

There is no one-size-fits-all approach to one’s relationship with their boss. But falling into the trap of thinking of work as “family”, bosses as confidants and collaborators and counterparts in one’s career, and that anyone who shows the corporation loyalty is safe from “resource action” puts one at a significant disadvantage.

However, when one has to do a one-on-one with their boss, Dichter’s advice about what questions one should consider is a good starting point.

Your mileage may vary.

Presume and profess less

Hyperbole wrecks understanding.

Instead of assigning genius, visionary, peerless, or pioneering to folks, let’s dial down the rhetoric.

“Genius” is a high bar only measured by history. For example, buying an innovative company does not make one a genius per se.

“Visionary” is marketing.

“Peerless” means one who hasn’t been open to peer review.

“Pioneering” is someone repackaging what is known.