Where’s the SOX inverse for cybersecurity?

Cast your mind back to the late ‘90s: WorldCom & Enron imploded due to financial impropriety; government reacted; & IT was left holding the bag.

Cut to now: President Biden signed an executive order to improve government cybersecurity.

Bruce Schneier:

I’m a big fan of these sorts of measures. The US government is a big enough market that vendors will try to comply with procurement regulations, and the improvements will benefit all customers of the software.

Adam Bobrow from Just Security:

The executive order is a good first step, but it won’t stop the constant barrage of cyber incidents that has overwhelmed the United States over the last six months. Unfortunately, the insecurity of networked computer systems is simply too great for any single effort to solve the problem. Instead, the solutions lie on a distant horizon. It is not too soon to start charting a course, and Congress can help.

Both are right, but I’m not sure in what proportion. My thoughts are … drafts.

As I see it, the private sector takes one of four basic approaches to cybersecurity:

  1. Accepts that cybersecurity is key to doing business, and plans and funds accordingly
  2. Knows cybersecurity is important and spends with no planning (blinking lights or shotgun approach)
  3. Knows cybersecurity is important and plans for it but gets no funding (MacGyver approach)
  4. Hopes nothing bad happens because they think they’re not a target (magical thinking approach)

While many companies rely on US government contracts, not all do. I’d be curious to see the breakdown, if such a thing exists. Companies that fall into #4 probably aren’t dealing with government contracts at all, and #2-3 might be in varying amounts.

Back in the day the US government passed something awkwardly but accurately called the Sarbanes-Oxley Act (a.k.a. SOX, “Public Company Accounting Reform and Investor Protection Act” [in the Senate] and “Corporate and Auditing Accountability, Responsibility, and Transparency Act” [in the House]). The crux of the bill IMNSHO was defining IT measures that make it harder for companies to commit financial fraud.

Every IT and InfoSec (it wasn’t called cybersecurity back then) manager worth their salt ran to Finance & the CFO with a budget for all sorts of things to nominally help comply with SOX. The recipients were eager to appear to embrace enforcement.

Most were pet projects that wouldn’t actually help either with SOX compliance or overall security. I saw a request for a tool for a manager to spy on his own desktop support team, one from another manager to increase the storage capacity for audit purposes (but really for his team to be able to share pirated media among themselves), another to set up shadow IT to get around SOX and other oversight (described a parallel production environment for testing purposes which would, in no way, reflect the production environment, of which we had many), and a lot of small stuff that was tangentially related to SOX compliance. There were also purchases of things that would help, but see #2 above.

BTW, the people IT was supposed to rein in were the same people who would approve their SOX budget. And the Big F accounting firms that went along with Enron and WorldCom and the others got to rebrand, keep selling their services, and add a new line of business – SOX auditor.

This was a massive amount of effort and money put into the wrong area with maybe OK intentions. And remember, the stuff that triggered SOX wasn’t impacting most companies’ bottom lines.

Maybe it’s time for a reverse SOX that places the onus on CEOs and CFOs to take responsibility for cybersecurity since it is impacting the bottom line. I’m thinking:

  • Security reports to a CSO equal to the CIO and COO, never reporting through the CIO or CFO
  • Legal and Risk are executive sponsors

Big think for sure, but such a requirement by the US or EU government would mean that security wouldn’t be limited by the conflicts of interest these other entities have in an organization.

Keen observers will note that I do not describe where money should go or even how much. It will vary by any number of variables for each company. Those that do not know what to do or how to do it should seek out consulting to help.

※ I worked on Enron and WorldCom when I was employed at EDS in the 90’s.

Seoul Dispatch, week 11

It’s raining in Seoul. The forecast said the accumulation this weekend would be slight. It has not been slight yet.

I’ve been bouncing around between my two main customers, working a bunch of extra hours to keep both sides happy. They’re either both happy as they say and keep asking for more, or they are not happy and want me to do more to fix it. I’ll assume the positive. 

Last weekend was fun. I got out and adventurekateered!


He pulls a Pokémon card, you pull a gun! That’s the Target way!

Pokemon Overboard:

“US retail giant Target will stop selling Pokémon playing cards out of an ‘abundance of caution’ for its staff and other shoppers. The re-sale value of the cards has increased dramatically during the coronavirus pandemic, prompting chaos and threats to staff.” The dramatic rise in the re-sale value of the cards prompted a fight in Wisconsin during which a man pulled a gun. (It’s gonna be pretty hard to come off as tough when telling his cellmate what he got arrested for…)

You know what they say: if you ban Pokémon cards from right-thinking people, the only ones who will have Pokémon cards are the criminals. How will right-thinking people defend themselves against the criminals who have the Pokémon cards?

Such a slippery slope! Thank goodness we’re spending time and resources on limiting the spread of Pokémon cards into the hands of criminals. The only way the situation will change is if we have serious, comprehensive Pokémon card control.


Dances with Clubhouse

Clubhouse does not solve a problem or spark joy for me. It’s a fun experiment that is maybe destined for that nice farm out in the country. I waited a long time for access (h/t Ahmed for hooking me up), yet I stopped using Clubhouse about 3 days in. YMMV, but for me it was like listening to a frustratingly poorly produced, engineered, and edited podcast.

Start Up No.1545: Covid vs climate change, China used iPhone contest hack against Uyghurs, Clubhouse hits Android, and more | The Overspill: when there’s more that I want to say:

That 10-to-1 collapse in downloads suggests to me at least that Clubhouse isn’t going to thrive. If a growing userbase doesn’t lead to a growing number of would-be users, your troubles are just beginning. As people emerge from lockdowns, as everything returns to some semblance of normality, we’ll find out just where not-a-podcast stuff fits in to our lives. Meanwhile, the people at Clubhouse are very positive about everything. Naturally. To me, though, it feels like the wave has passed.

I’m happy for Clubhouse that they finally got an Android app out and wish them all the best, but it might be too little, too late. I deleted the iOS app a few weeks ago (but just reinstalled it to deactivate my account). I hold no interest in the competing products from Twitter, Facebook, and their ilk.


Dear HR, please don’t ask me to celebrate my boss

My new boss must be coming up on his 5 year anniversary. I got an email inviting me to:

“Make this milestone memorable – and contribute today!”

By contribute, I’m encouraged to click a link that takes me to a website (authenticated: I’m greeted by name) where I can do … performative things.

“Don’t know what to write? Share a photo, a quick story or favorite memory about [manager]. Or just write a few words that best describe them. It doesn’t have to be long—thoughtfulness is what counts.”

Thank goodness length isn’t required but how thoughtful I am is.

My new boss came into being for me about 14 days ago. While we traveled in some of the same work circles we did not meet until recently – when he became my boss. Thus I have zero to submit to his anniversary fete. He seems like a good guy, but seems is the operative word. I don’t know, and he was told I might not be working for him very long.

Interesting that this is the first time in over 6 years with this employer that I’ve been asked to provide glowing words for the person in whose hands my future with the company resides. Apparently, I should not worry about it:

Your colleague’s network (manager, peers and direct reports) have already been invited to contribute. But you can invite other [employees] who are close to the honoree and non-[employees] (clients, former colleagues, family and friends) to contribute—the more the merrier! Just send them an invite from the contribution page. (Please do not forward this personalized e-mail to them because it is linked to your contribution.)

Wait … what?!?!?! If I understand this dynamic properly, I can:

  1. Submit something nice so my manager sees I submitted something nice; or
  2. Submit something not nice so my manager sees I submitted something not nice; or
  3. I don’t submit anything and my manager gets to deduce that I submitted nothing.

HR can’t be this … stupid (I don’t know how else to describe it), can they?

p.s. – I will not submit anything.

p.p.s. – I have a whole rant about corporate anniversary celebrations like this one. Tl;dr: I’m not a fan.

p.p.p.s. – I tried to raise this with corporate HR and their internal website is down. Coincidence? Ehh, probably totally unrelated.

p.p.p.p.s. – This stuff is managed by an outside firm. It’s been outsourced. Got a problem with it? Go talk with the outsourcer.

Removing the digital record for fun, profit

Is this corporate-embraced digital news rot?

Axios Capital Newsletter:

Also dead: All of the blog posts ever published at Reuters were vaporized this week, including thousands of my own. “As we moved to a new Reuters.com site last month, some blog pages were removed because the legacy infrastructure is no longer supported,” says a spokesperson.

Reuters has retained the (unsearchable) blog archives, and says they “will be migrated to the new website in the coming months” — where, presumably, they will live on behind the forthcoming $35/month paywall.

I’m curious what it is about text posts (remember, Reuters is a news agency that largely deals in text) that couldn’t move from one platform to another. I’m also curious about the apparent shoulder shrug by Reuters. Reuters, along with the AP, The NY Times, and a lot of other news agencies in the US, is also an agency of record.

It’s not a good look to blame IT that content can’t be maintained. But apparently it will be available to paying clients?

Which reminds me, is microfiche still a thing?

p.s. this was a subitem in the newsletter. That depresses me.

The US military’s privacy pearl clutching

The Ease of Tracking Mobile Phones of U.S. Soldiers in Hot Spots – WSJ:

In 2016, a U.S. defense contractor named PlanetRisk Inc. was working on a software prototype when its employees discovered they could track U.S. military operations through the data generated by the apps on the mobile phones of American soldiers.

… The discovery was an early look at what today has become a significant challenge for the U.S. armed forces: how to protect service members, intelligence officers and security personnel in an age where highly revealing commercial data being generated by mobile phones and other digital services is bought and sold in bulk, and available for purchase by America’s adversaries.
A bunch of thoughts:

I can’t help but immediately think about the push in many political quarters to weaken security by breaking encryption. I’ll get back to that.

Why did this get attention in 2016? And no, this was not “an early look”.

The government has known for decades that cell phones are trackable if they have power and their transceiver is on. It’s how cell phones work. Anyone who’s watched any incarnation of Law & Order in this century or the last also knows this. The government could have mandated a phone system that would have afforded protections but the carriers resisted, I expect.

And don’t forget cell phones aren’t always phones – laptops and tablets and watches and Kindles and a bunch of other things might – and eventually will – have cell connectivity. With 5G, the distinction might go away if the media (cell, wired, wifi, &c.) converge as advertised. Imagine golf gloves that report your stats back to the cloud.

By the way, all that additional social media data is gravy to the buyer, but someone specifically wanting to track the movement of US military personnel around the globe doesn’t need it … from military personnel.

Take this scenario:

  • They script a tool like the McDonalds Ice Cream Machine tracker to scrape airline seat assignments to see if open seat availability suddenly drops on certain routes;
  • They scrape social media for hub airport and airline workers who are talking about increases in military personnel coming through; and
  • They watch counts for private Facebook groups for military families to see if their memberships increase.

Based on that trivial-to-collect data (it’s free or for sale), and assuming they also generally monitor social media and the news, it’s not hard to get an idea of what’s happening. And before anyone complains that my loose lips are sinking ships, this is a simple scenario that is well understood and the plot of several books, movies, and TV shows.

Note, my above scenario assumes all the military personnel are disconnected and analog.

Also note that the above scenario works for advertisers as well as it does for bad actors and for industrial espionage … and other use cases.

That things would evolve into what the Wall Street Journal article describes was predictable:

buried in the data was evidence of sensitive U.S. military operations by American special-operations forces in Syria. The company’s analysts could see phones that had come from military facilities in the U.S., traveled through countries like Canada or Turkey and were clustered at the abandoned Lafarge Cement Factory in northern Syria, a staging area at the time for U.S. special-operations and allied forces.

The U.S. military’s clutching of pearls and muttering, “Well, I do declare that I never …  ,” about this situation is perhaps disingenuous. ※

The U.S. government has built robust programs to track terrorists and criminals through warrantless access to commercial data. Many vendors now provide global location information from mobile phones to intelligence, military and law-enforcement organizations.

But those same capabilities are available to U.S. adversaries, and the U.S.—having prioritized a free and open internet paid for largely through digital advertising with minimal regulation of privacy—has struggled to effectively monitor what software service members are installing on devices and whether that software is secure.

Which brings us back to encryption: strong, uncompromised encryption is one of the tools that the government could bring to bear to help protect troop movements. There are innumerable ways they could, and do, leverage encryption. By the way, we need strong encryption for e-commerce, on-line banking, and a ton of other critical things.

The tech industry’s welding of batteries into phones (and other devices) and its adoption of eSIMs, which presuppose an always on-line but always trackable society, also deserve some reflection.

Solving this problem, the consolidation of anyone’s/everyone’s/each-of-our on-line and off-line lives into a revenue stream for the advertising companies that are Facebook and Google, is a complex undertaking. It is very much the government’s own creation, yet it needs to be solved by the government, and it will require the private sector to forgo some profits for the greater good. Oh, and it could fix some of the military troop movement leak issue as a byproduct.

※ There is an American trope about the White southern belle or matriarch who, when faced with realities with which she does not want to deal, does what I describe.