Work calendar trust, or the lack thereof

I no longer trust my work calendar.

First, colleagues reschedule meetings when we need to meet on a topic again. For example, a meeting held this morning at 10:00 ET had an outcome of meeting again tomorrow. Instead of scheduling a new meeting, the organizer rescheduled it to tomorrow.

Second, corporate migrated/is migrating to a new email system. Everything in the old system is still there in the old system. None of it transferred.

Third, the desktop, web browser, and mobile calendars lose synchronization. For example, last week I saw the same meeting scheduled for 2 different times depending on the platform. Luckily I noticed the difference and was able to confirm with colleagues about the actual start time.

Lastly, the work calendar relies on multiple internal corporate systems. Which internal corporate systems seems to depend on how the work calendar is accessed. Some of this might help explain #3, but right now an outage on another system impacts my ability to get at my schedule.

What does all this mean?

Keeping with the idea that “Plain Text Rulz!”, I am using my iOS Shortcut and the Beorg app to dump the next & current day’s schedule into org files so I will have a more reliable record of my comings, goings, and doings.

I will back it up with my analog daily journal. I used to keep my work schedule this way back when I worked in Japan but dropped the habit.

※ I do not share my iOS shortcut as is but might share a sanitized version if requested.

Is this government helping or hindering?

The U.S. Senate unanimously passed the “Strengthening American Cybersecurity Act” on Tuesday in an attempt to bolster the cybersecurity of critical infrastructure owners in the country.

The new bipartisan legislation, among other things, stipulates entities that experience a cyber incident to report the attacks within 72 hours to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in addition to alerting the agency about ransomware payments within 24 hours.

(Via Hacker News)

I’m keen to read up on this legislation and see the analysis. At first blush I see it as benefiting government more than the businesses and organizations that would be bound by the law, if passed.

The US government doesn’t have the best track record on legislation around security. See Sarbanes-Oxley (SOX), which was meant for financial oversight but stuck most of the responsibility with IT & security teams.

Newsletters are the new podcasts – everyone seems to have one.

The difference is the cost – the podcasts to which I subscribe are free and ask you to contribute; most of the newsletters I read are behind a paywall some or most of the time. As mentioned elsewhere, I do not subscribe to Spotify or whatever corporate matryoshka doll Earwolf is now under.

To what non-tech non-sec newsletters do I subscribe, what do they cover, and why do I subscribe? I subscribe to many, but these are some of the standouts:

  • Money Stuff by Matt Levine via Bloomberg. :finance:business:
  • The Honest Broker by Ted Gioia via Substack. :music:culture:
  • NextDraft by Dave Pell :news:
  • The Overspill by Charles Arthur :news:
  • The Poynter Report by Tom Jones via Poynter :journalism:news:
  • What’s in my … via Revue :edc:tools: “Each week, one interesting person shares four favorite things in their bag or in their desk or fridge or closet or wherever they keep things.”
  • Weekly Musings by Scott Nesbitt :misc: “a published-every-seven-days (or so) letter from the keyboard of writer Scott Nesbitt. Each Wednesday, this letter shares my thoughts about something that’s caught my interest. Those thoughts will inform, infuriate, amuse, and I hope enlighten you. Even if just a little bit.”
  • Culture Study by Anne Helen Petersen via Substack :culture: “Think more about the culture that surrounds you”
  • Axios Nashville & a bunch of other Axios newsletters
  • Austin Kleon via Substack :art:culture: “Weekly art, writing, and creative inspiration from the author of Steal Like an Artist and other bestsellers”

This list will continue to evolve as I narrow, whittle, and refine. I get various newsletters from the periodicals to which I subscribe. To be clear, the only newsletters I “pay” for are part of a periodical subscription. That may change.

Korea Dispatch: Back and there again; or, a consultant’s long non-holiday in Seoul

Here I go again.

I’m back in Seoul, South Korea for work.

I was slated to return for months. My repeated delays and cancellations were due to combinations of bureaucracy, incompetence, miscommunication (in English), inability to communicate (in Korean), apathy (mine), and a lack of urgency (not mine).

I shall spare you, Dear Friends, the trials of the earlier travel attempts. At least, I shall spare you them for now.

This final, ultimately successful journey came out of the last failed try. We shifted the Korean consulate handling my paperwork from Atlanta (I’m still not sure if anyone actually works there except for one woman who spoke no English) to San Francisco. This bit of rehoming required me to fly on 2 distinct itineraries: CHA – ATL – SFO on Wednesday morning, and SFO – ICN at 23:55 Wednesday.

Aside: the late night flight to Korea had me leave on Wednesday and arrive on Friday! Thank you, International Date Line!

For my itinerary to work I needed my COVID-19 quarantine exemption certificate from the San Francisco Consulate. The idea was that it would be ready for me when I landed in SFO. I would saunter to the lounge, print it off, and be ready when I could check into my flight some 8 hours later.

There was no COVID-19 quarantine exemption certificate from the San Francisco Consulate waiting for me in my inbox when I landed. Word was that it had not made its way yet from the Ministry in Seoul.

Two options presented themselves to me: return home and try again with a brand new submission; or lay up in SF and hope the paperwork arrives before the next day’s flight. I went with option 2.

Which brings us to my packing for this trip.

I wanted to bring only carry-on bags this time. The new 2-itinerary approach made it important to not check a bag. To do so would mean having to leave security, claim the bag, check it in again under the second itinerary, and again claim it at Incheon Airport.

I got very close to achieving this goal.

On my last trip I worked on a second customer. I was supposed to continue to support them from the US. That didn’t pan out, but the 2.2KG (about 5 lbs) laptop and charger I was given for the support still made it home with me. I have to return it on this trip, and that extra bulk was the tipping point.

Not that I didn’t try to carry on/gate check the suitcase I used. Sadly it is the biggest of my suitcases and Delta made me check it through to San Francisco. See below for the things I brought for my 5-ish week stay.

Another complicating factor was that I booked my flights through Delta but the SFO – ICN leg was on Korean Airlines, a Delta codeshare partner. Korean only flies the one flight out of SFO, so their ticketing desk does not open until about 3 hours before boarding with no on-line check-in option.

The suitcase contained:

  • 4 sets of socks, underwear, t-shirts, and handkerchiefs
  • 2 sweaters
  • 3 button down shirts
  • 2 trousers
  • workout shorts/swimsuit and shirt
  • lightweight trainers
  • puffer coat, gloves, hat, and cap
  • 2 Raspberry Pis
  • camera tripod
  • 2 camera lenses
  • 2 Roost laptop stands
  • Tom Bihn Freudian Slip for my Synik 30 backpack with various pens, cables, and power adaptors
  • set of collapsible plates and bowls
  • 50 packs of instant Starbucks coffee in a plastic bag
  • toiletries
  • belt and neck tie
  • electric beard trimmer

The Synik 30 backpack had, among other things:

  • work MacBook Air
  • personal MacBook Pro 15
  • aforementioned heavy laptop
  • camera with lens
  • Beats pro headphones
  • power cords, adaptors, and cables
  • emergency food stash
  • business cards and ID badges
  • water bottle
  • coffee travel container
  • 3-1-1 bag of liquids and meds
  • Logitech Anywhere MX mouse
  • copies of my COVID vaccination, quarantine exemption certificate, COVID test results
  • Apple Watch, series 2 (work) and 5 (personal)
  • travel towel
  • shemagh

Tom Bihn Le Grande Derrière had:

  • wallet with cash, credit cards
  • flashlight
  • notebook
  • pen
  • Apple Magic Keyboard (JIS)
  • Apple Magic Trackpad
  • Apple iPad Mini 5
  • battery pack
  • Onyx Boox ereader
  • various cables and adaptor
  • emergency med kit (sanitizer, bandages, aspirin, &c.)
  • COVID-19 vaccination card (in a rugged clear plastic bag)

Tom Bihn Handy Little Thing had:

  • playing cards and dice
  • eye mask
  • Apple headphones
  • crystallized lime and lemon packets
  • wipes
  • beverage holders
  • pens
  • hot sauce

On me:

  • Clothes: shoes, socks, trousers, underwear, t-shirt, button-down, travel vest, travel blazer
  • travel wallet: passport with visa, receipts, cash, business cards
  • phones, iPhone SE 2020 (work) and XS Max (personal)
  • Garmin Instinct Tactical watch
  • sunglasses

What did I leave out that I should have had?

  • HDMI cable
  • Raspberry Pi power adaptor
  • powered USB hub power cord
  • Logitech K810 keyboard
  • beard trimmer power cord
  • nail clippers
  • drain stopper

Korea Dispatch: week 0

I’m back in Korea. I do not want to be here.

I returned to Seoul for work, to finish off a project I started in April on my last trip. It took 5.5 months to get me back, and the clock on the 5.5 months started before I left the last time. Had I been successful earlier, I would be on my way home by now, forced to return because of the magic 180 day threshold over which tax implications become expensive.

I don’t believe in this project even though it will succeed, but that’s not all of why I don’t want to be here.

The COVID numbers here are 4-10 times what they were when I left. The country says they’re about to reach 70% vaccination and about to enter their “living with COVID” phase. The 70% are of people with at least one dose, and that is adults. The government will change their reporting to focus on hospitalizations and deaths instead of positive tests. Restrictions will relax.

South Korea is a great example of hygiene theatre being hand waving – the mandate on hand sanitization is all for show, for example – but that is not all of why I do not want to be here.

I’m working face-to-face with colleagues from all over. They are smart, capable people. In the before times I would enjoy hanging out with them, getting to know them, and establishing relationships.

I’m reluctant to do that kind of hanging out in these times, but that isn’t all of why I don’t want to be here.

For the first time in longer than I can remember, I am homesick. My illness began before I left. I’ve put down roots, you see, and I’m not happy to leave them. I definitely do not want to rip them up.

UPDATE: this was a post I meant to send a week ago.

How to Actually Build a Better Boss

How to Actually Build a Better Boss:

What mistakes or missteps are you seeing managers and organizations make over and over again right now — and what changes make you hopeful?

Melissa: Failing to train managers. I mean, perhaps we would say that. But holy shit does it keep happening. We promote people into management and we just hope that they figure it out. And then we stand, mouth agape, when things go sideways. And this isn’t just a problem for our new managers. We are 40 years into this strategy and now the overwhelming majority of the workforce came up through this same form of occupational hazing. Here’s a new job. It’s very high stakes. It’s totally different from what you’ve done to date. And the skill set isn’t intuitive at all. You’re smart. You’ll figure it out. And if not, you’re fired. Good luck. 

That’s the summary version of how most of North America’s leaders stepped into the seat. And that they are now propagating that out is a huge problem, especially for a modern workforce that anticipates and demands competent management. That’s part of where you see generational strife in the workforce. Where folks who have been at it for a long time say, “Well, this is how it’s always been. Why are you complaining?” But when you ask them, “Were there downsides to that approach? Can you point to ways that it failed, both people and organizations? Oh yes, absolutely.” 

OK then, let’s stop pretending we’ve got a working system for people stepping into leadership. Cause we don’t. And let’s get to work building something better. … 

Johnathan: … Most managers want to do a good job for their people.

This isn’t obvious to everyone, right? The popular writing about management is always a caricature: either a genius and perfect visionary, or a pointy-haired, micromanaging dictator. In our work, we have met very few of either. You can tell me that’s selection bias — that we only meet the leaders who work for companies that invest in management training — that’s fair. But we’ve worked with thousands of leaders now and we have seen a lot of bad management. We have seen “under-equipped”, we have seen “got some pithy-but-terrible advice”, and we have seen “hated a past manager and ran to the other side of the boat, making all the opposite mistakes.” I’m not giving those people a pass — that still sucks.

When you give those people some objectivity and some skill, though. When you pull them out of the worst of their Dunning-Kruger effect, they listen. They make connections, and ask vulnerable questions. The number of leaders we’ve had say, in one of our programs, “Shit. I’m realizing now how I screwed some things up.” That’s hopeful for me.

You can subscribe to Melissa and Johnathan’s newsletter here — and follow them on Twitter here and here.

If you’re reading this in your inbox, you can find a shareable version online here. You can follow me on Twitter here, and Instagram here — and you can always reach me at [email protected]

The entire article is great. I included how to follow Johnathan and Melissa and Anne at the bottom of the citation. Follow them.

Security policy as death contract

I worked with a customer in the waning days of a significant security breach. The customer vocally committed to making cyber security a top priority. *

This commitment included efforts I worked on.

Another item this commitment included was an updated security policy.

The two came into conflict — the new policy, written during the breach and approved immediately upon recovery, was absolute. Part of its strictness was a lack of a clear policy exception process.

The other problem is that the policy enacted while in reaction-mode was not time limited.

Fast forward 6 months and my team and I are ready to implement a bunch of positive security changes to the customer environment, measurable and demonstrative positive changes to the customer environment. Other actions by others are also in process.

We can’t make the changes needed because of the policy. There is no clear exemption path, no clear exemption requirements, and fear about what happens to whomever allows an exception to go forward.

In the calmer, reflective time of the better part of a year between the initial breach and our exception discussions, the customer agreed that the new policy is poorly written, misunderstood, and should be revised.

The policy is so absolute in its wording there is no clear path to doing anything about it until the next general policy review in something like 2023.

Meanwhile, multiple security tracks to improve the security posture effectively stop for eighteen months. The customer is still on the hook to pay for the contracted services in the interim.

Takeaway: anything done in the immediate aftermath of a security breach should be time limited. Some things will be through the nature of subscription or contract. Those that aren’t, like new policies crafted during or immediately after a breach, should have a time limit.

  • The customer did not mention what existing priority would get demoted, a mistake. If everything — or too many things — is a priority, then nothing is a priority.

Skill as art, peer review as expression

A friend and colleague asked me to review a section of an already sent customer deliverable. The customer expressed strong negative views about the content and how it was communicated in one specific section. “The customer is always right,” and the customer also happens to be correct in their assessment.

I’m not throwing the person who wrote this material “under the bus”. Most people in IT and cybersecurity are not strong communicators. Maybe this person is usually a strong communicator but had an off day. Maybe sunspots interfered or Mercury was in retrograde or the U.S. tax filing deadline directed focus elsewhere.

Hello, peer review! Peer review should help level out the various stimuli and bias the original writer brings to the table. The message should be clarified, if the peer reviewers are worth their salt. That was not done here.

Hello, editor! Editing should take the technical skill expressed in the writing and translate it into art (a non-technical artifact with technical components) a customer will understand and hopefully embrace. That also was not done here.

A creative, visual expression of complex technical issues requires more than a good template and the liberal application of industry buzz words.

Where’s the SOX inverse for cybersecurity?

Cast your mind back to the late ’90s: WorldCom & Enron imploded due to financial impropriety; government reacted; & IT was left holding the bag.

Cut to now: President Biden signed an executive order to improve government cybersecurity.

Bruce Schneier:

I’m a big fan of these sorts of measures. The US government is a big enough market that vendors will try to comply with procurement regulations, and the improvements will benefit all customers of the software.

Adam Bobrow from Just Security:

The executive order is a good first step, but it won’t stop the constant barrage of cyber incidents that has overwhelmed the United States over the last six months. Unfortunately, the insecurity of networked computer systems is simply too great for any single effort to solve the problem. Instead, the solutions lie on a distant horizon. It is not too soon to start charting a course, and Congress can help.

Both are right, but I’m not sure in what proportion. My thoughts are … drafts.

As I see it, the private sector takes one of four basic approaches to cybersecurity:

  1. Accept cybersecurity is key to doing business, and plans and funds accordingly
  2. Knows cybersecurity is important and spends with no planning (blinking lights or shotgun approach)
  3. Knows cybersecurity is important and plans for it but gets no funding (MacGuyver approach)
  4. Hopes nothing bad happens because they think that they’re not a target (magical thinking approach)

While many companies rely on US government contracts, not all do. I’d be curious to see the breakdown, if such a thing exists. Companies that fall into #4 probably aren’t dealing with government contracts at all, and #2-3 might be in varying amounts.

Back in the day the US government passed something awkwardly but accurately called the Sarbanes-Oxley Act (a.k.a. SOX, “Public Company Accounting Reform and Investor Protection Act” [in the Senate] and “Corporate and Auditing Accountability, Responsibility, and Transparency Act” [in the House]). The crux of the bill IMNSHO was defining IT measures to make it harder for companies to commit financial fraud.

Every IT and InfoSec (it wasn’t called cybersecurity back then) manager worth their salt ran to Finance & the CFO with a budget for all sorts of things to nominally help comply with SOX. The recipients were eager to appear to embrace enforcement.

Most were pet projects that wouldn’t actually help either with SOX compliance or overall security. I saw a request for a tool for a manager to spy on his own desktop support team, one from another manager to increase the storage capacity for audit purposes (but really for his team to be able to share pirated media among themselves), another to set up shadow IT to get around SOX and other oversight (described a parallel production environment for testing purposes which would, in no way, reflect the production environment, of which we had many), and a lot of small stuff that was tangentially related to SOX compliance. There were also purchases of things that would help, but see #2 above.

BTW, the people IT was supposed to rein in were the same people who would approve their SOX budget. And the Big F accounting firms that went along with Enron and WorldCom and the others got to rebrand, keep selling their services, and add a new line of business – SOX auditor.

This was a massive amount of effort and money put into the wrong area with maybe ok intentions. And remember, the stuff that triggered SOX wasn’t impacting most companies’ bottom line.

Maybe it’s time for a reverse SOX that places the onus on CEOs and CFOs to take responsibility for cybersecurity since it is impacting the bottom line. I’m thinking:

  • Security reports to a CSO equal to the CIO and COO, never reporting through the CIO or CFO
  • Legal and Risk are executive sponsors

Big think for sure, but such a requirement by the US or EU government would mean that security wouldn’t be limited by the conflicts of interest these other entities have in an organization.

Keen observers will note that I do not describe where money should go or even how much. It will vary by any number of variables for each company. Those that do not know what to do or how to do it should seek out consulting to help.

※ I worked on Enron and WorldCom when I was employed at EDS in the ’90s.