Here I go again.

I’m back in Seoul, South Korea for work.

I was slated to return for months. My repeated delays and cancellations were due to combinations of bureaucracy, incompetence, miscommunication (in English), inability to communicate (in Korean), apathy (mine), and a lack of urgency (not mine).

I shall spare you, Dear Friends, of the trials of the earlier travel attempts. At least, I shall spare you of them for now.

This final, ultimately successful journey came out of the last failed try. We shifted the Korean consulate handling my paperwork from Atlanta (I’m still not sure if anyone actually works there except for one woman who spoke no English) to San Francisco. This bit of rehoming required me to fly on 2 distinct itineraries: CHA – ATL – SFO on Wednesday morning, and SFO – ICN at 23:55 Wednesday.

Aside: the late night flight to Korea had me leave on Wednesday and arrive on Friday! Thank you, International Date Line!

For my itinerary to work I needed my COVID-19 quarantine exemption certificate from the San Francisco Consulate. The idea was that it would be ready for me when I landed in SFO. I would saunter to the lounge, print it off, and be ready when I could check into my flight some 8 hours later.

There was no COVID-19 quarantine exemption certificate from the San Francisco Consulate waiting for me in my inbox when I landed. Word was that it had not made its way yet from the Ministry in Seoul.

Two options presented themselves to me: return home and try again with a brand new submission; or lay up in SF and hope the paperwork arrives before the next day’s flight. I went with option 2.

Which brings us to my packing for this trip.

I wanted to bring only carry-on bags this time. The new 2 itinerary approach made it important to not check a bag. To do so would mean having to leave security, claim the bag, check it in again under the second itinerary, and again claim it at Incheon Airport.

I got very close to achieving this goal.

On my last trip I worked on a second customer. I was supposed to continue to support them from the US. That didn’t pan out, but the 2.2KG (about 5 lbs) laptop and charger I was given for the support still made it home with me. I have to return it on this trip, and that extra bulk was the tipping point.

Not that I didn’t try to carry on/gate check the suitcase I used. Sadly it is the biggest of my suitcases and Delta made me check it through to San Francisco. See below for the things I brought for my 5-ish week stay.

Another complicating factor was that I booked my flights through Delta but the SFO – ICN leg was on Korean Airlines, a Delta codeshare partner. Korean only flies the one flight out of SFO, so their ticketing desk does not open until about 3 hours before boarding with no on-line check-in option.


The suitcase contained:

  • 4 sets of socks, underwear, t-shirts, and handkerchiefs
  • 2 sweaters
  • 3 button down shirts
  • 2 trousers
  • workout shorts/swimsuit and shirt
  • lightweight trainers
  • puffer coat, gloves, hat, and cap
  • 2 Raspberry Pis
  • camera tripod
  • 2 camera lenses
  • 2 Roost laptop stands
  • Tom Bihn Freudian Slip for my Synik 30 backpack with various pens, cables, and power adaptors
  • set of collapsible plates and bowls
  • 50 packs of instant Starbucks coffee in a plastic bag
  • toiletries
  • belt and neck tie
  • electric beard trimmer

The Synik 30 backpack had, among other things:

  • work MacBook Air
  • personal MacBook Pro 15
  • aforementioned heavy laptop
  • camera with lens
  • Beats pro headphones
  • power cords, adaptors, and cables
  • emergency food stash
  • business cards and ID badges
  • water bottle
  • coffee travel container
  • 3-1-1 bag of liquids and meds
  • Logitech Anywhere MX mouse
  • copies of my COVID vaccination, quarantine exemption certificate, COVID test results
  • Apple Watch, series 2 (work) and 5 (personal)
  • travel towel
  • shemagh

Tom Bihn Le Grande Derrière had:

  • wallet with cash, credit cards
  • flashlight
  • notebook
  • pen
  • Apple Magic Keyboard (JIS)
  • Apple Magic Trackpad
  • Apple iPad Mini 5
  • battery pack
  • Onyx Boox ereader
  • various cables and adaptor
  • emergency med kit (sanitizer, bandages, aspirin, &c.)
  • COVID-19 vaccination card (in a rugged clear plastic bag)

Tom Bihn Handy Little Thing had:

  • playing cards and dice
  • eye mask
  • Apple headphones
  • crystalized lime and lemon packets
  • wipes
  • beverage holders
  • pens
  • hot sauce

On me:

  • Clothes: shoes, socks, trousers, underwear, t-shirt, button-down, travel vest, travel blazer
  • travel wallet: passport with visa, receipts, cash, business cards
  • phones, iPhone SE 2020 (work) and XS Max (personal)
  • Garmin Instinct Tactical watch
  • sunglasses

What did I leave out that I should have had?

  • HDMI cable
  • Raspberry Pi power adaptor
  • powered USB hub power cord
  • Logitech K810 keyboard
  • beard trimmer power cord
  • nail clippers
  • drain stopper

I’m back in Korea. I do not want to be here.

I returned to Seoul for work, to finish off a project I started in April on my last trip. It took 5.5 months to get me back, and the clock on the 5.5 months started before I left the last time. Had I been successful earlier, I would be on my way home by now, forced to return because of the magic 180 day threshold over which tax implications become expensive.

I don’t believe in this project even though it will succeed, but that’s not all of why I don’t want to be here.

The COVID numbers here are 4-10 times what they were when I left. The country says they’re about to reach 70% vaccination and about to enter their “living with COVID” phase. The 70% are of people with at least one dose, and that is adults. The government will change their reporting to focus on hospitalizations and deaths instead of positive tests. Restrictions will relax.

South Korea is a great example of hygiene theatre being hand waving – the mandate on hand sanitization is all for show, for example – but that is not all of why I do not want to be here.

I’m working face-to-face with colleagues from all over. They are smart, capable people. In the before times I would enjoy hanging out with them, getting to know them, and establishing relationships.

I’m reluctant to do that kind of hanging out in these times, but that isn’t all of why I don’t want to be here.

For the first time in longer than I can remember, I am homesick. My illness began before I left. I’ve put down roots, you see, and I’m not happy to leave them. I definitely do not want to rip them up.

UPDATE: this was a post I meant to send a week ago.

How to Actually Build a Better Boss:

What mistakes or missteps are you seeing managers and organizations make over and over again right now — and what changes make you hopeful?

Melissa: Failing to train managers. I mean, perhaps we would say that. But holy shit does it keep happening. We promote people into management and we just hope that they figure it out. And then we stand, mouth agape, when things go sideways. And this isn’t just a problem for our new managers. We are 40 years into this strategy and now the overwhelming majority of the workforce came up through this same form of occupational hazing. Here’s a new job. It’s very high stakes. It’s totally different from what you’ve done to date. And the skill set isn’t intuitive at all. You’re smart. You’ll figure it out. And if not, you’re fired. Good luck. 

That’s the summary version of how most of North America’s leaders stepped into the seat. And that they are now propagating that out is a huge problem, especially for a modern workforce that anticipates and demands competent management. That’s part of where you see generational strife in the workforce. Where folks who have been at it for a long time say, “Well, this is how it’s always been. Why are you complaining?” But when you ask them, “Were there downsides to that approach? Can you point to ways that it failed, both people and organizations? Oh yes, absolutely.” 

OK then, let’s stop pretending we’ve got a working system for people stepping into leadership. Cause we don’t. And let’s get to work building something better. … 

Johnathan: … Most managers want to do a good job for their people.

This isn’t obvious to everyone, right? The popular writing about management is always a caricature: either a genius and perfect visionary, or a pointy-haired, micromanaging dictator. In our work, we have met very few of either. You can tell me that’s selection bias — that we only meet the leaders who work for companies that invest in management training — that’s fair. But we’ve worked with thousands of leaders now and we have seen a lot of bad management. We have seen “under-equipped”, we have seen “got some pithy-but-terrible advice”, and we have seen “hated a past manager and ran to the other side of the boat, making all the opposite mistakes.” I’m not giving those people a pass — that still sucks.

When you give those people some objectivity and some skill, though. When you pull them out of the worst of their Dunning-Kruger effect, they listen. They make connections, and ask vulnerable questions. The number of leaders we’ve had say, in one of our programs, “Shit. I’m realizing now how I screwed some things up.” That’s hopeful for me.

You can subscribe to Melissa and Johnathan’s newsletter here — and follow them on Twitter here and here.

If you’re reading this in your inbox, you can find a shareable version online here. You can follow me on Twitter here, and Instagram here — and you can always reach me at [email protected]

The entire article is great. I included how to follow Johnathan and Melissa and Anne at the bottom of the citation. Follow them.

I worked with a customer in the waning days of a significant security breach. The customer vocally committed to making cyber security a top priority. *

This commitment included efforts I worked on.

Another item this commitment included was an updated security policy.

The two came into conflict — the new policy, written during the breach and approved immediately upon recovery, was absolute. Part of its strictness was a lack of a clear policy exception process.

The other problem is that the policy enacted while in reaction-mode was not time limited.

Fast forward 6 months and my team and I are ready to implement a bunch of positive security changes to the customer environment: measurable, demonstrable improvements. Other actions by others are also in process.

We can’t make the changes needed because of the policy. There is no clear exemption path, no clear exemption requirements, and fear about what happens to whomever allows an exception to go forward.

In the calmer, reflective time of the better part of a year between the initial breach and our exception discussions, the customer agreed that the new policy is poorly written, misunderstood, and should be revised.

The policy is so absolute in its wording there is no clear path to doing anything about it until the next general policy review in something like 2023.

Meanwhile, multiple security tracks to improve the security posture effectively stop for eighteen months. The customer is still on the hook to pay for the contracted services in the interim.

Takeaway: anything done in the immediate aftermath of a security breach should be time limited. Some things will be through the nature of subscription or contract. Those that aren’t, like new policies crafted during or immediately after a breach, should have a time limit.

* The customer did not mention what existing priority would get demoted, a mistake. If everything — or too many things — is a priority, then nothing is a priority.

A writer practicing the craft

A friend and colleague asked me to review a section of an already sent customer deliverable. The customer expressed strong negative views about the content and how it was communicated in one specific section. “The customer is always right,” and the customer also happens to be correct in their assessment.

I’m not throwing the person who wrote this material “under the bus”. Most people in IT and cybersecurity are not strong communicators. Maybe this person is usually a strong communicator but had an off day. Maybe sunspots interfered or Mercury was in retrograde or the U.S. tax filing deadline directed focus elsewhere.

Hello, peer review! Peer review should help level out the various stimuli and bias the original writer brings to the table. The message should be clarified, if the peer reviewers are worth their salt. That was not done here.

Hello, editor! Editing should take the technical skill expressed in the writing and translate it into art (a non-technical artifact with technical components) a customer will understand and hopefully embrace. That also was not done here.

A creative, visual expression of complex technical issues requires more than a good template and the liberal application of industry buzz words.

Cast your mind back to the late ‘90s: WorldCom & Enron imploded due to financial impropriety; government reacted; & IT was left holding the bag.

Cut to now: President Biden signed an executive order to improve government cybersecurity.

Bruce Schneier:

I’m a big fan of these sorts of measures. The US government is a big enough market that vendors will try to comply with procurement regulations, and the improvements will benefit all customers of the software.

Adam Bobrow from Just Security:

The executive order is a good first step, but it won’t stop the constant barrage of cyber incidents that has overwhelmed the United States over the last six months. Unfortunately, the insecurity of networked computer systems is simply too great for any single effort to solve the problem. Instead, the solutions lie on a distant horizon. It is not too soon to start charting a course, and Congress can help.

Both are right, but I’m not sure in what proportion. My thoughts are … drafts.

As I see it, the private sector takes one of four basic approaches to cybersecurity:

  1. Accepts cybersecurity is key to doing business, and plans and funds accordingly
  2. Knows cybersecurity is important and spends with no planning (blinking lights or shotgun approach)
  3. Knows cybersecurity is important and plans for it but gets no funding (MacGyver approach)
  4. Hopes nothing bad happens because they think that they’re not a target (magical thinking approach)

While many companies rely on US government contracts, not all do. I’d be curious to see the breakdown, if such a thing exists. Companies that fall into #4 probably aren’t dealing with government contracts at all, and #2-3 might be in varying amounts.

Back in the day the US government passed something awkwardly but accurately called the Sarbanes-Oxley Act (a.k.a. SOX, “Public Company Accounting Reform and Investor Protection Act” [in the Senate] and “Corporate and Auditing Accountability, Responsibility, and Transparency Act” [in the House]). The crux of the bill IMNSHO was defining IT measures that make it harder for companies to commit financial fraud.

Every IT and InfoSec (it wasn’t called cybersecurity back then) manager worth their salt ran to Finance & the CFO with a budget for all sorts of things to nominally help comply with SOX. The recipients were eager to appear to embrace enforcement.

Most were pet projects that wouldn’t actually help either with SOX compliance or overall security. I saw a request for a tool for a manager to spy on his own desktop support team, one from another manager to increase the storage capacity for audit purposes (but really for his team to be able to share pirated media among themselves), another to set up shadow IT to get around SOX and other oversight (described a parallel production environment for testing purposes which would, in no way, reflect the production environment, of which we had many), and a lot of small stuff that was tangentially related to SOX compliance. There were also purchases of things that would help, but see #2 above.

BTW, the people IT was supposed to rein in were the same people who would approve their SOX budget. And the Big F accounting firms that went along with Enron and WorldCom and the others got to rebrand, keep selling their services, and add a new line of business – SOX auditor.

This was a massive amount of effort and money put into the wrong area with maybe OK intentions. And remember, the stuff that triggered SOX wasn’t impacting most companies’ bottom line.

Maybe it’s time for a reverse SOX that places the onus on CEOs and CFOs to take responsibility for cybersecurity since it is impacting the bottom line. I’m thinking:

  • Security reports to a CSO equal to the CIO and COO, never reporting through the CIO or CFO
  • Legal and Risk are executive sponsors

Big think for sure, but such a requirement by the US or EU government would mean that security wouldn’t be limited by the conflicts of interest these other entities have in an organization.

Keen observers will note that I do not describe where money should go or even how much. It will vary by any number of variables for each company. Those that do not know what to do or how to do it should seek out consulting to help.

※ I worked on Enron and WorldCom when I was employed at EDS in the 90’s.

Faustian Bargain:

“The cyberattack disabled computer systems responsible for fuel production from Texas to the Northeast, and now gas stations in the Southeast are seeing panicked motorists lining up in droves to fill their tanks … Drivers are being turned away from now-empty gas pumps.” Panic Drives Gas Shortages After Colonial Pipeline Ransomware Attack.

+ WaPo: Gas shortages intensify in Southeast, with 28 percent of North Carolina stations now dry. (The frenzied gas buying is one more example of citizens not trusting government officials who are telling them not to panic. This mistrust is a bigger threat than hackers.) [emphasis mine]

That last sentence is killer. Feel free to replace ‘hackers’ with your favorite threat du jour.

Don’t weep for Colonial … 

naked capitalism:

Cyber attack shuts down U.S. fuel pipeline ‘jugular,’ Biden briefed Reuters. Oddly, Colonial’s enormous leak hasn’t generated the same level of coverage.

If you’re not hip to the ransomware story, ZDNet has a decent writeup.

As to more on the pipeline leak that started August 2020 in Huntersville, North Carolina: WCNC MSN Charlotte Observer

And CNBC has a fascinating, eye-opening timeline about the company’s travails. Wow. If it wasn’t for bad luck, Colonial wouldn’t have no luck at all. (h/t Cream)

At least the profit seekers behind the ransomware apologized. Right?

My new boss must be coming up on his 5 year anniversary. I got an email inviting me to:

“Make this milestone memorable – and contribute today!”

By contribute, I’m encouraged to click a link that takes me to a website (authenticated: I’m greeted by name) where I can do … performative things.

“Don’t know what to write? Share a photo, a quick story or favorite memory about [manager]. Or just write a few words that best describe them. It doesn’t have to be long—thoughtfulness is what counts.”

Thank goodness length isn’t required but how thoughtful I am is.

My new boss came into being for me about 14 days ago. While we traveled in some of the same work circles we did not meet until recently – when he became my boss. Thus I have zero to submit to his anniversary fete. He seems like a good guy, but seems is the operative word. I don’t know, and he was told I might not be working for him very long.

Interesting that this is the first time in over 6 years with this employer that I’ve been asked to provide glowing words for the person in whose hands my future with the company resides. Apparently, I should not worry about it:

Your colleague’s network (manager, peers and direct reports) have already been invited to contribute. But you can invite other [employees] who are close to the honoree and non-[employees] (clients, former colleagues, family and friends) to contribute—the more the merrier! Just send them an invite from the contribution page. (Please do not forward this personalized e-mail to them because it is linked to your contribution.)

Wait … what?!?!?! If I understand this dynamic properly, I can:

  1. Submit something nice so my manager sees I submitted something nice; or
  2. Submit something not nice so my manager sees I submitted something not nice; or
  3. I don’t submit anything and my manager gets to deduce that I submitted nothing.

HR can’t be this … stupid (I don’t know how else to describe it), can they?

p.s. – I will not submit anything.

p.p.s. – I have a whole rant about corporate anniversary celebrations like this one. Tl;dr: I’m not a fan.

p.p.p.s. – I tried to raise this with corporate HR and their internal website is down. Coincidence? Ehh, probably totally unrelated.

p.p.p.p.s. – This stuff is managed by an outside firm. It’s been outsourced. Got a problem with it? Go talk with the outsourcer.