Security by pity

We’ve heard of “security by obscurity”, the idea that if one doesn’t tell anyone about anything security-related they are more secure (they’re not). We’ve heard of “security theatre”, the idea that waving hands and making a show of being security conscious makes them more secure (they’re not).

Welcome to “security by pity” I guess:

What’s worse?

Being hit by a ransomware attack that sees criminals steal information about your staff and passengers…


Being hit by a ransomware attack that sees criminals steal information about your staff and passengers, AND then have the gang tell the world that your firm’s IT infrastructure is so chaotic, poorly-secured, and downright irritating that it refuses to repeat the attack.

(via Graham Cluley)

I don’t have another source to verify the story, but even if it’s fake it still is a lesson.

I don’t post much about security these days, be it information or “cyber” or physical. Why?

  1. There’s not much new under the sun;
  2. Few learn from what’s come before;
  3. As such, the same mistakes are made over and over again, because
  4. Magical thinking (It can’t happen to me).

This story breaks #1, at least for me, and thus warrants a post.

※ Do not copy AirAsia’s approach.

Throwing up one’s arms and giving up on security while staying in business is not valid. If unconvinced, look at the public school systems, hospitals, and charities criminals are happy to raid.

But also, do not be the CISO/CIO/CRO whose organization is not attacked only out of pity for its weak security hygiene.

※ Axios Login: Tech layoffs’ toll

Let’s be clear – “layoffs” is a euphemism for the mass firing of people. The difference is that when one is “laid off” it’s not necessarily because anyone “let go” did anything wrong or damaging in their job. That’s being fired for cause, and that’s not often an “innocent until proven guilty” situation, but that’s another post for another day.

Note that layoffs impact middle management down. Upper management and up do not suffer such indignities.

Layoffs don’t only impact the person formerly employed. They ripple out to their family, their community, their social circle, and so on. That some organizations treat it so casually is beyond reprehensible.

I have some works on surviving layoffs: Preparing for the Pink (Slip) based on my experience and research, though it is a bit long in the tooth. And Cate over at Accidentally In Code has some great stuff, too, about taking hold of your career.

Axios Login: Tech layoffs’ toll:

1 big thing: What to expect when your tech firm is downsizing

As Silicon Valley and the broader tech industry face a season of layoffs, workers are unprepared for the ordeal and management has little experience with the wrenching process, Axios’ Scott Rosenberg reports.

Driving the news: Meta is expected to announce large-scale job cuts as soon as Wednesday, the first ever in its history. That comes on the heels of major layoffs at Twitter and many other flagship tech firms.

Why it matters: At most companies, layoffs are a business decision for top execs but a deeply personal experience for everyone else.

The big picture: The industry’s phenomenal 20-year run of largely unimpeded growth means that most of its workforce doesn’t have much idea of what to expect from widespread layoffs. Here’s a brief guide.

1. For those laid off, the pain is personal.

  • Even in the best cases, where a company has carefully selected who gets the axe and applied sensitivity to the process, people who are let go can feel a sense of failure — even though, typically, the actual failure belonged to the company and its management.

Having been laid off myself once, I know that in my case it was entirely due to mismanagement, a lack of leadership, and weak governance.

  • The worst cases — as with Twitter’s reportedly 50% cuts last week, made by a new ownership team with little preparation or apparent care — create a broader kind of sorrow among a workforce as well.

I’ll not waste more electrons on EMu’s clusterfuck, at least for the moment.

2. While no one should shed tears for the managers, they’re having a hard time too.

  • Middle managers often find themselves having to select winners and losers from groups of people they handpicked to join their teams not that long ago.
  • Then, they have to face the people who are left and help them through what can be extended bouts of anger, depression and survivor’s guilt.
  • Workers and managers both face bigger workloads under post-layoff do-more-with-less mandates.

When I was a manager I never had to do large-scale layoffs. I’m thankful for that, but I also did a lot to make sure I did not find myself in that position. It didn’t help me retain my job, disappointingly.

Also, if I had to fire a large part of my team I would have not done well. While I received “leadership” training, very little of that was about the nuts and bolts of how managing people works and none of it covered firing people.

3. For companies, layoffs leave slow-healing psychic wounds.

  • Tech companies often aim to inspire workers with mission statements and caring rhetoric. But once a firm has gone through a round of layoffs, it becomes effectively impossible to persuade employees that anything matters beyond the bottom line.

Never trust in a founder/CEO/evangelist, especially if they’re charismatic &| inconsistent.

  • After big rounds of layoffs, tech leaders can’t just move on as if nothing happened. They also have to try to rekindle workers’ belief that the organization can do big things.

See above.

Between the lines: Layoffs that are tied to the shutdown of a specific product line or division can be written off as strategic in nature. Broader layoffs are a sign that a company grew too fast, took too many risky bets, or just never hit overly ambitious goals.

  • Many tech companies overhired during the pandemic and now face tougher times.
  • The people responsible for such choices are rarely the people who lose their jobs — though sometimes, as in Twitter’s case, layoffs are made by a new management with a belt-tightening agenda.

All of the above cop-outs – rapid growth, risky bets, ambitious goals – are tell-tale signs of a lack of basic business fundamentals, starting with a business plan and governance. Sadly, there’s no Sarbanes-Oxley legislation for a lack of planning and competence.

Not to say that these tech companies don’t have good people in key roles, but if Operations and Finance and Marketing aren’t all aligned and operating with enlightened self-interest (a rare commodity, to be sure) in the absence of business fundamentals, this is the shit that happens, IMHO.

To be sure, many tech workers have been generously paid and are relatively well-off compared with other industries. But losing your job is still losing your job.
Scott’s thought bubble: I’m a veteran of a dotcom era startup that went public and then laid off half its staff more than two decades ago, and I still get flashbacks.

  • You never forget these experiences, and this year’s cuts could reshape how a generation in tech thinks about their careers.

I was laid off from my management role almost 10 years ago and I’m still reluctant to go back into a similar role. And I still plan my finances with the possibility I’ll be laid-off again.

Yes, but: When laid-off developers filled the coffeeshops of San Francisco and other tech hubs after the bust in 2000-2001, they used their newfound don’t-give-a-damn state to hatch passion-project ideas.

  • Some of them took off and sparked the next boom. That could happen again.

We’ve seen this before and we will see it again. If I were a tech-reliant business I’d be taking advantage of the talent suddenly on the market – but not to grow things too fast.

Unnecessary meetings are a $100 million mistake ($) at big companies, according to a new survey that shows workers probably don’t need to be in nearly a third of the appointments they attend.

Via Bloomberg

Work calendar trust, or the lack thereof

I no longer trust my work calendar.

First, colleagues reschedule meetings when we need to meet on a topic again. For example, a meeting held this morning at 10:00 ET had an outcome of meeting again tomorrow. Instead of scheduling a new meeting, the organizer rescheduled it to tomorrow.

Second, corporate migrated (or is still migrating) to a new email system. Everything in the old system is still there in the old system. None of it transferred.

Third, the desktop, web browser, and mobile calendars lose synchronization. For example, last week I saw the same meeting scheduled for 2 different times depending on the platform. Luckily I noticed the difference and was able to confirm the actual start time with colleagues.

Lastly, the work calendar relies on multiple internal corporate systems. Which internal corporate systems seem to be involved depends on how the work calendar is accessed. Some of this might help explain #3, but right now an outage on another system impacts my ability to get at my schedule.

What does all this mean?

Keeping with the idea that “Plain Text Rulz!”, I am using my iOS Shortcut and the Beorg app to dump the next & current day’s schedule into org files so I will have a more reliable record of my comings, goings, and doings.

I will back it up with my analog daily journal. I used to keep my work schedule this way back when I worked in Japan but dropped the habit.

※ I do not share my iOS shortcut as is but might share a sanitized version if requested.

Is this government helping or hindering?

The U.S. Senate unanimously passed the “Strengthening American Cybersecurity Act” on Tuesday in an attempt to bolster the cybersecurity of critical infrastructure owners in the country.

The new bipartisan legislation, among other things, stipulates entities that experience a cyber incident to report the attacks within 72 hours to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in addition to alerting the agency about ransomware payments within 24 hours.

(Via Hacker News)

I’m keen to read up on this legislation and to see the analysis. At first blush I see it as benefiting government more than the businesses and organizations that would be bound by the law, if passed.

The US government doesn’t have the best track record on legislation around security. See Sarbanes-Oxley (SOX), which was meant for financial oversight but stuck most of the responsibility with IT & security teams.


Newsletters are the new podcasts – everyone seems to have one.

The difference is the cost – the podcasts to which I subscribe are free and ask you to contribute; most of the newsletters I read are behind a paywall some or most of the time. As mentioned elsewhere, I do not subscribe to Spotify or whatever corporate matryoshka doll Earwolf is now under.

To what non-tech non-sec newsletters do I subscribe, what do they cover, and why do I subscribe? I subscribe to many, but these are some of the standouts:

  • Money Stuff by Matt Levine via Bloomberg. :finance:business:
  • The Honest Broker by Ted Gioia via Substack. :music:culture:
  • NextDraft by Dave Pell :news:
  • The Overspill by Charles Arthur :news:
  • The Poynter Report by Tom Jones via Poynter :journalism:news:
  • What’s in my … via Revue :edc:tools: “Each week, one interesting person shares four favorite things in their bag or in their desk or fridge or closet or wherever they keep things.”
  • Weekly Musings by Scott Nesbitt :misc: “a published-every-seven-days (or so) letter from the keyboard of writer Scott Nesbitt. Each Wednesday, this letter shares my thoughts about something that’s caught my interest. Those thoughts will inform, infuriate, amuse, and I hope enlighten you. Even if just a little bit.”
  • Culture Study by Anne Helen Petersen via Substack :culture: “Think more about the culture that surrounds you”
  • Axios Nashville & a bunch of other Axios newsletters
  • Austin Kleon via Substack :art:culture: “Weekly art, writing, and creative inspiration from the author of Steal Like an Artist and other bestsellers”

This list will continue to evolve as I narrow, whittle, and refine. I get various newsletters from the periodicals to which I subscribe. To be clear, the only newsletters I “pay” for are part of a periodical subscription. That may change.

Korea Dispatch: Back and there again; or, a consultant’s long non-holiday in Seoul

Here I go again.

I’m back in Seoul, South Korea for work.

I was slated to return for months. My repeated delays and cancellations were due to combinations of bureaucracy, incompetence, miscommunication (in English), inability to communicate (in Korean), apathy (mine), and a lack of urgency (not mine).

I shall spare you, Dear Friends, the trials of the earlier travel attempts. At least, I shall spare you them for now.

This final, ultimately successful journey came out of the last failed try. We shifted the Korean consulate handling my paperwork from Atlanta (I’m still not sure if anyone actually works there except for one woman who spoke no English) to San Francisco. This bit of rehoming required me to fly on 2 distinct itineraries: CHA – ATL – SFO on Wednesday morning, and SFO – ICN at 23:55 Wednesday.

Aside: the late night flight to Korea had me leave on Wednesday and arrive on Friday! Thank you, International Date Line!

For my itinerary to work I needed my COVID-19 quarantine exemption certificate from the San Francisco Consulate. The idea was that it would be ready for me when I landed in SFO. I would saunter to the lounge, print it off, and be ready when I could check into my flight some 8 hours later.

There was no COVID-19 quarantine exemption certificate from the San Francisco Consulate waiting for me in my inbox when I landed. Word was that it had not made its way yet from the Ministry in Seoul.

Two options presented themselves to me: return home and try again with a brand new submission; or lay up in SF and hope the paperwork arrives before the next day’s flight. I went with option 2.

Which brings us to my packing for this trip.

I wanted to bring only carry-on bags this time. The new two-itinerary approach made it important to not check a bag. To do so would mean having to leave security, claim the bag, check it in again under the second itinerary, and again claim it at Incheon Airport.

I got very close to achieving this goal.

On my last trip I worked on a second customer. I was supposed to continue to support them from the US. That didn’t pan out, but the 2.2KG (about 5 lbs) laptop and charger I was given for the support still made it home with me. I have to return it on this trip, and that extra bulk was the tipping point.

Not that I didn’t try to carry on/gate check the suitcase I used. Sadly it is the biggest of my suitcases and Delta made me check it through to San Francisco. See below for the things I brought for my 5-ish week stay.

Another complicating factor was that I booked my flights through Delta but the SFO – ICN leg was on Korean Airlines, a Delta codeshare partner. Korean only flies the one flight out of SFO, so their ticketing desk does not open until about 3 hours before boarding with no on-line check-in option.
The suitcase contained:

  • 4 sets of socks, underwear, t-shirts, and handkerchiefs
  • 2 sweaters
  • 3 button down shirts
  • 2 trousers
  • workout shorts/swimsuit and shirt
  • lightweight trainers
  • puffer coat, gloves, hat, and cap
  • 2 Raspberry Pis
  • camera tripod
  • 2 camera lenses
  • 2 Roost laptop stands
  • Tom Bihn Freudian Slip for my Synik 30 backpack with various pens, cables, and power adaptors
  • set of collapsible plates and bowls
  • 50 packs of instant Starbucks coffee in a plastic bag
  • toiletries
  • belt and neck tie
  • electric beard trimmer

The Synik 30 backpack had, among other things:

  • work MacBook Air
  • personal MacBook Pro 15
  • aforementioned heavy laptop
  • camera with lens
  • Beats pro headphones
  • power cords, adaptors, and cables
  • emergency food stash
  • business cards and ID badges
  • water bottle
  • coffee travel container
  • 3-1-1 bag of liquids and meds
  • Logitech Anywhere MX mouse
  • copies of my COVID vaccination, quarantine exemption certificate, COVID test results
  • Apple Watch, series 2 (work) and 5 (personal)
  • travel towel
  • shemagh

Tom Bihn Le Grande Derrière had:

  • wallet with cash, credit cards
  • flashlight
  • notebook
  • pen
  • Apple Magic Keyboard (JIS)
  • Apple Magic Trackpad
  • Apple iPad Mini 5
  • battery pack
  • Onyx Boox ereader
  • various cables and adaptors
  • emergency med kit (sanitizer, bandages, aspirin, &c.)
  • COVID-19 vaccination card (in a rugged clear plastic bag)

Tom Bihn Handy Little Thing had:

  • playing cards and dice
  • eye mask
  • Apple headphones
  • crystalized lime and lemon packets
  • wipes
  • beverage holders
  • pens
  • hot sauce

On me:

  • Clothes: shoes, socks, trousers, underwear, t-shirt, button-down, travel vest, travel blazer
  • travel wallet: passport with visa, receipts, cash, business cards
  • phones, iPhone SE 2020 (work) and XS Max (personal)
  • Garmin Instinct Tactical watch
  • sunglasses

What did I leave out that I should have had?

  • HDMI cable
  • Raspberry Pi power adaptor
  • powered USB hub power cord
  • Logitech K810 keyboard
  • beard trimmer power cord
  • nail clippers
  • drain stopper

Korea Dispatch: week 0

I’m back in Korea. I do not want to be here.

I returned to Seoul for work, to finish off a project I started in April on my last trip. It took 5.5 months to get me back, and the clock on the 5.5 months started before I left the last time. Had I been successful earlier, I would be on my way home by now, forced to return because of the magic 180 day threshold over which tax implications become expensive.

I don’t believe in this project even though it will succeed, but that’s not all of why I don’t want to be here.

The COVID numbers here are 4-10 times what they were when I left. The country says they’re about to reach 70% vaccination and about to enter their “living with COVID” phase. The 70% are of people with at least one dose, and that is adults. The government will change their reporting to focus on hospitalizations and deaths instead of positive tests. Restrictions will relax.

South Korea is a great example of hygiene theatre being hand-waving – the mandate on hand sanitization is all for show, for example – but that is not all of why I do not want to be here.

I’m working face-to-face with colleagues from all over. They are smart, capable people. In the before times I would enjoy hanging out with them, getting to know them, and establishing relationships.

I’m reluctant to do that kind of hanging out in these times, but that isn’t all of why I don’t want to be here.

For the first time in longer than I can remember, I am homesick. My illness began before I left. I’ve put down roots, you see, and I’m not happy to leave them. I definitely do not want to rip them up.

UPDATE: this was a post I meant to send a week ago.

How to Actually Build a Better Boss

How to Actually Build a Better Boss:

What mistakes or missteps are you seeing managers and organizations make over and over again right now — and what changes make you hopeful?

Melissa: Failing to train managers. I mean, perhaps we would say that. But holy shit does it keep happening. We promote people into management and we just hope that they figure it out. And then we stand, mouth agape, when things go sideways. And this isn’t just a problem for our new managers. We are 40 years into this strategy and now the overwhelming majority of the workforce came up through this same form of occupational hazing. Here’s a new job. It’s very high stakes. It’s totally different from what you’ve done to date. And the skill set isn’t intuitive at all. You’re smart. You’ll figure it out. And if not, you’re fired. Good luck. 

That’s the summary version of how most of North America’s leaders stepped into the seat. And that they are now propagating that out is a huge problem, especially for a modern workforce that anticipates and demands competent management. That’s part of where you see generational strife in the workforce. Where folks who have been at it for a long time say, “Well, this is how it’s always been. Why are you complaining?” But when you ask them, “Were there downsides to that approach? Can you point to ways that it failed, both people and organizations? Oh yes, absolutely.” 

OK then, let’s stop pretending we’ve got a working system for people stepping into leadership. Cause we don’t. And let’s get to work building something better. … 

Johnathan: … Most managers want to do a good job for their people.

This isn’t obvious to everyone, right? The popular writing about management is always a caricature: either a genius and perfect visionary, or a pointy-haired, micromanaging dictator. In our work, we have met very few of either. You can tell me that’s selection bias — that we only meet the leaders who work for companies that invest in management training — that’s fair. But we’ve worked with thousands of leaders now and we have seen a lot of bad management. We have seen “under-equipped”, we have seen “got some pithy-but-terrible advice”, and we have seen “hated a past manager and ran to the other side of the boat, making all the opposite mistakes.” I’m not giving those people a pass — that still sucks.

When you give those people some objectivity and some skill, though. When you pull them out of the worst of their Dunning-Kruger effect, they listen. They make connections, and ask vulnerable questions. The number of leaders we’ve had say, in one of our programs, “Shit. I’m realizing now how I screwed some things up.” That’s hopeful for me.

You can subscribe to Melissa and Johnathan’s newsletter here — and follow them on Twitter here and here.

If you’re reading this in your inbox, you can find a shareable version online here. You can follow me on Twitter here, and Instagram here — and you can always reach me at [email protected]

The entire article is great. I included how to follow Johnathan and Melissa and Anne at the bottom of the citation. Follow them.