Hustle -vs- Health

Reddit co-founder Alexis Ohanian is taking a stand against “hustle porn”

“This idea that unless you are suffering, grinding, working every hour of every day, you’re not working hard enough … this is one of the most toxic, dangerous things in tech right now,” Ohanian said, according to Say’s report. “It’s such bullshit, such utter bullshit. It has deleterious effects not just on your business but on your wellbeing.”

Ohanian’s frustration is supported by psychological and scientific research, which repeatedly proves that getting insufficient sleep and exercise is among the worst things you can do for your memory, heart health, and general health. Alternatively, when entrepreneurs do make time for sleep, they’re calmer and more focused at work.

Ohanian also noted that the “hustle” ethos discourages entrepreneurs from reaching out for help when they’re struggling, for fear of looking weak or unsuccessful in the eyes of investors. The key to entrepreneurial success, he said at Web Summit, is overcoming this anxiety and engaging in hard conversations with co-workers. “When you’re struggling, talk to someone. It can be a professional, a family member, or even a stranger can be helpful in getting you into a better headspace.”

And remember: like most porn, hustle porn is not a valid representation of reality.

(Via Qz.com)

I’m tired of the “X porn” labeling of things, but there is a definite fetishism of the “hustle” ethos. Here in Japan, it is culture.

I know and accept that I am not my best when I’m run down. I just got off a four week stretch where my days were crazy long and stressful. Two of the weeks are when I hosted my son in Tokyo and I would not trade those for the world. Add two weeks of colleagues from overseas, some financial stress, too much drinking and eating, and not enough sleep; the I-almost-visited-the-hospital migraine I got is not surprising in the least.

That is an extreme example. More routine for me is when insomnia impacts my cognitive abilities or when I don’t exercise. Then my energy is low.

The Japanese Salaryman ethos is no help either. Twelve hour office days isn’t conducive to creative endeavors, or even much in the way of productivity. When I exercise and sleep well I can produce well in that environment, but that doesn’t leave time for anything resembling a personal life. At 19:00, 20:00, or later colleagues will go out drinking, nap as they take their hour plus train ride home, sleep for a spell in their own bed, nap on their morning train ride back, and start all over again. Some people do that six days a week.

How anything gets done of value is miraculous. That the Japanese have such long life spans is remarkable.

As for me, not having been indoctrinated into such a lifestyle in grade school (minus the drinking, obviously) I am also not bound by the social norms. I can work a shorter day in the office, be available on-line of needed, and get a good night’s sleep (let’s not talk about my social life) because I can generate good to great stuff for longer in a given day … in theory, anyway. YMMV.

35° 40.305 N 139° 42.254 E

Also on:

Why NIST is so popular in Japan

Why NIST is so popular in Japan:

Written by
Nov 8, 2018 | CYBERSCOOP

While all organizations around the globe continue to grapple with chronic shortages of qualified cybersecurity workers, Japan is tackling the problem in a significant way by turning to two U.S. government technology frameworks to help manage its own information security manpower shortages.

Japanese industry has turned to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and National Initiative for Cybersecurity Education (NICE) Workforce Framework in an effort to fill the unique cybersecurity skills gap characteristic of Japanese companies.

Speaking at NIST’s Cybersecurity Risk Management Conference in Baltimore, Maryland, Masato Kimura, a manager in the cybersecurity R&D planning department at Japanese telecom giant NTT, said that the NIST workforce framework in particular plays a pivotal role in Japan due to the high level of reliance by Japanese companies on outsourced IT and cybersecurity personnel.

In the U.S., around 71.5 percent of IT professionals work in-house, but in Japan, only 24.8 percent are company employees, according to Kimura.

Yet even in-house IT professionals in Japan fall short of achieving the required cybersecurity expertise.

Employment in Japan is a lifetime proposition, with workers typically rotating into new jobs every two to three years, making it difficult for employees to develop strong cybersecurity skills. Compounding the problem, Japan will be facing a shortage of 193,010 cybersecurity professionals by 2020, prompting the Japanese Business Federation to declare that it is urgent and crucial to increase the pool of skilled in-house cybersecurity workers.

“Japanese critical infrastructure needs talents who are able to understand what the IT vendors are doing and [serve] as a bridge between C-suites and engineers,” Kimura said.

Kimura is also Secretariat of Japan’s Cross Sectors Forum, a group of 44 Japanese companies from the chemical, financial, manufacturing, media and transportation sectors. These companies decided in 2015 to band together to establish an ecosystem to educate, recruit, retain and train cybersecurity professionals in collaboration with academia and the government.

Toyota, Mitsubishi, Sony, Panasonic, NTT, NEC, Hitachi, Fujitsu and Toshiba are among the Forum’s members.

Additionally, NIST’s Cybersecurity Framework helped provide a means for the forum members to communicate about cybersecurity across their diverse business sets.

“A common language is needed to apply to all the sectors,” Kimura said.

“Cybersecurity is difficult to implement unless you have common terms,” Lauri Korts-Pärn, Senior Security Architect at NEC said, noting that the NIST Framework, which is independent of any industry, serves that purpose.

The Forum hosts monthly plenary meetings as well as four monthly working groups that focus on workforce definition, workforce development, information sharing and collaboration with academia.

The Forum also hosts an annual conference for C-suite executives and invites government into cybersecurity discussions. Among the tools produced by these efforts are talent definitions, outsourcing guidelines and a CISO calendar.

The Forum developed a draft mission list and mapped it to the cybersecurity and workforce frameworks to develop outsourcing guidelines and CISO calendars. Because NIST has mapped the Cybersecurity Framework to the most commonly used information security standard used in Japan, the ISO/IEC 27001, it’s far easier for Japan to embrace the framework’s recommendations.

The appeal of NIST’s Cybersecurity Framework was so strong in Japan that the country’s Information Technology-Promotion Agency, or IPA, became the first foreign entity to translate the Framework fully from its English language version into another language in 2014.

Because of the framework, the forum was able to define and understand what kinds of cybersecurity talents member companies need and even prompted some members to sponsor cybersecurity courses to fill those needs.

“We can now show the reality of Japanese industry to Japanese universities,” Kimura said. The NIST framework also spurred the Japanese government to incorporate the Forum’s insights into the country’s national cybersecurity strategy and sparked a number of public, private and academic collaborations.

The forum has already created a database of cybersecurity training programs available for its members, cross-referenced by the talent definitions it devised. The next steps for the forum including even more innovations, including producing a guidebook for its members outlining the cybersecurity talent definitions it has devised and laying out CISO calendar and outsourcing requirements.

Cynthia Brumfield is a veteran communications and technology analyst who is now focused on cybersecurity. She runs a cybersecurity news and information site, Metacurity.com.

(Via Cyberscoop)

I had an interesting discussion on this topic with some colleagues on this very topic last week. I can’t go into details, but the level of knowledge around NIST Framework here in Japan is greater than in most of the rest of Asia, South America, and parts of Europe.

Also on:

The three traits Microsoft CEO Satya Nadella looks for in leaders

The three traits Microsoft CEO Satya Nadella looks for in leaders:

When Satya Nadella joined Microsoft in 1992 at the age of 25, the future CEO, an engineer by training, did not yet hold a business degree. He would complete his MBA at the University of Chicago five years later, without taking time off from his full-time job. Every Friday night, Nadella would board a plane from Seattle to Chicago, and return by Monday morning.

“It used to blow me away, how hard he used to work,” former Microsoft executive Sanjay Parthasarathy, now CEO of Indix, told Business Insider.

Last month, Nadella, who succeeded Steve Ballmer as head of Microsoft in 2014, visited his alma mater, where he was interviewed on stage by Madhav Rajan, dean of the University of Chicago’s Booth School of Business.

In a talk before MBA students, he said that a lot of business school students were, like him, fairly experienced and knowledgeable before they had even started their studies. What he said school could offer them, among other things, is an opportunity to cultivate leadership traits, including the three attributes he said Microsoft looks for in job candidates.

As it happens, much of his guidance serves as decent life advice, too.

Attribute #1: The ability to create clarity when none exists

This is “the most important attribute that any leader needs to have—and it is often underestimated,” said Nadella. “You don’t need a leader when everything is well defined and it’s easy, and all you have got to do is follow a well-written plan. But in an ambiguous situation, where there cannot be complete information, that is when leadership will matter.”

He continued: “The people who are capable of getting into a situation where there is in some sense panic, and who can bring first clarity on what to do next—that is invaluable.”

Attribute #2: A knack for sparking energy

Along with clarity, a leader needs to bring sincere enthusiasm, Nadella argued. “One of the classic things you face as a leader is, you will have someone walk into your office and say, ‘Hey you know what, I’m very good, my team is very good, but everything around me is terrible,’” he said. “That’s not creating energy.”

This is a theme Nadella also visits in his recent memoir, Hit Refresh: The Quest to Rediscover Microsoft’s Soul and Imagine a Better Future for Everyone (Harper Collins, 2017). “Leaders generate energy, not only on their own teams but across the company,” he writes. “It’s insufficient to focus exclusively on your own unit. Leaders need to inspire optimism, creativity, shared commitment and growth through times good and bad.”

To be a leader, he told Booth students, “you have got to be at your evangelical best. You have got to have followership all around you.”

Attribute #3: An ability to succeed in “an over-constrained space”

His advice for cultivating a third trait feels applicable to anyone, not only those who are ambitious in business. “When leaders come in and say, ‘I’m not able to do this or I’m not able to drive success or achieve success because of all these exogenous factors.’ Guess what? Everything is exogenous,” he said. “Life is an over-constraint problem. So you can’t say, ‘You know what, I’m just waiting for you to remove all the constraints, and I’ll be perfect.’

(Via Quartz)

This article speaks to me in ways I want some more time to reflect on.

However, attribute #3 is Stoic to me. It’s another way of saying “The obstacle is the way”.

Also on:

Google, Here To Save^h^h^hell You

In the coming future, Skelker says that Google won’t allow users to sign into accounts if they disabled JavaScript in their browser.

(Via ZDNet)

I’ve started to see this in YouTube and Google Translate. They won’t even load if cookies or scripts are blocked.

We won’t even address the “In the coming future” editorial misfire, as much as I would like a deep dive.

That Google no longer supports non-JavaScript browsers and tools like links, lynx, w3, w3m, curl, wget, and so on should disturb everyone.

Why does an internet search engine need to run scripts on my machine to deliver internet search results?

The answer is not geared toward me or any user.

Also on:

Old Strategies

Thursday, November 1, 2018 at 05:24

Old Strategies Don’t Work

In his keynote speech at the Securing the Enterprise 2018 conference in Cambridge, MA, BT Security president Mark Hughes said that when it comes to the threats enterprises and government are facing, the global network is telling us that old strategies don’t work.

In the face of ongoing cyber-attacks, mounting privacy concerns and daily data breach announcements, the current cybersecurity technologies fall short, according to Howard Shrobe, associate director, cybersecurity at MIT Computer Science & Artificial Intelligence Lab (CSAIL), and principal research scientist, MIT CSAIL. In order to effectively move forward in the direction of “where we need to go,” the industry needs to develop a more formalized approach that combines design and analysis methods.

“Our approach is based on three key elements,” Shrobe said. “Collaborating closely with industry for input to shape real-world applications and drive impact. Leveraging the breadth and depth of CSAIL security researchers to approach the problem from a multi-disciplinary perspective. And creating a test-bed for our industry partners to implement and test our tools, as well as have our researchers test tools developed by our partners.”

To enable security transformation, enterprises should first assess their structure, said Hughes. “Put the team responsible for delivering change at the forefront of your strategy.” Given that there are lots of threats, those threats turn into risks, which have a very tangible bottom-line impact.

“Those risks are changing rapidly, so much so that in a matter of weeks, the risk profile changes. Using known, well-understood risks and putting those into a cyber context is extremely useful,” Hughes said.

Given that the risks are changing all the time, one key to building an effective security strategy is adaptability. “Prepare to constantly evolve,” Hughes said, but it’s also important to realize that there is no endpoint or perfect solution. When organizations realize that protecting everything all the time is ineffective, many turn to red teaming, which Hughes said yields interesting outcomes that allow organizations to assess and then prepare to evolve.

The next step in enabling security transformation requires internal engagement so that you are building knowledge and advocacy of security at all levels of your organization, said Hughes. From there, the company is well positioned to understand its risk and take the necessary steps to fully assess its security landscape and prioritize and protect the areas that would be most impactful in the event of a security incident.

I get where this comes from: the landscape is dynamic.

But the problem with the “old strategies” isn’t in the strategies … it’s in the people who failed to implement them well if at all, which presupposes that the strategy was well defined and communicated to those expected to execute. Too many managers chase “shiny objects” and the “next big thing” and any number of magic bullets based off of information provided by sales people, consultants, and think tanks.

Organizations who implemented the “old strategies” well, from governance to people to technology, got to focus their limited expensive security resources on higher value security issues earlier and overall matured faster than their counterparts.

Organizations ahead of the curve and those ready to improve embrace the fact that security is a program, not a project. There is no finite end date. There’s no banner on an aircraft carrier to let you know that the mission is accomplished. It’s on going, just like a business – your business – competing in the marketplace.

Also on:

China Telecom has been using poisoned internet routes to suck up massive amounts of US and Canadian internet traffic

China Telecom has been using poisoned internet routes to suck up massive amounts of US and Canadian internet traffic:

In a new paper published in the journal Military Cyber Affairs researchers from the US Naval War College and Tel Aviv University document the use of BGP spoofing by China Telecom to redirect massive swathes of internet traffic through the company’s routers as part of state military and commercial espionage efforts.

BGP is a notoriously insecure protocol used to route internet traffic; by design it is dynamic and responsive, moving traffic away from congested routes and onto those with more capacity: this flexibility can be exploited to force traffic to route through surveillance chokepoints, as well as for censorship (publishing BGP routes to censorsed services that dead-end in nonexistent addresses are a common technique in repressive regimes).

The researchers logged global BGP route announcements and discovered China Telecom publishing bogus routes that sucked up massive amounts of Canadian and US traffic and pushed it through Chinese listening posts. Much of today’s internet traffic is still unencrypted, meaning that the entities monitoring these listening posts would have been able to read massive amounts of emails, instant messages and web-sessions.

China Telecom’s BGP attacks were also used to black-hole traffic in some instances (for example, traffic from an “Anglo-American bank’s” branch in Milan was diverted wholesale to China, never arriving at its intended destination).

(Via Boing Boing)

Back in my network manager days we monitored our BGP routes. We had our own ASNs and managed our own connectivity, so we could easily keep tabs when an errant telco would make a mistake. That solution, which I think was a perl script run in each of our regions, would have detected this kind of maliciousness as well.

However, in the current XaaS and cloud-based world we live in, it becomes incumbent upon the cloud and service providers as well as the few remaining Internet backbone providers to police this. How effective they will be is debatable. What punishment would work? No one in their right mind will stop peering with CT.

Also on:

For the first time Japanese commission ordered Facebook to improve security

For the first time Japanese commission ordered Facebook to improve security:

The Japanese government ordered Facebook to improve the protection of users’ personal information following the recent data breaches that exposed data from millions of people.

… On Monday, Japan’s Personal Information Protection Commission ordered a further investigation of the data breach and asked the company to implement preventive security measures.

This is the first time that the commission has issued warnings to the social network giant after it has conducted an investigation along with British authorities.

According to government spokesman Yoshihide Suga, Facebook told Japanese authorities that the recent data breach also included Japanese users.

The commission also ordered the company to improve communication with users being more transparent of the way it manages their data and promptly responding to request for deleting accounts.

… “It is the first time that the commission, which investigated the data leak with British authorities, has issued warnings to Facebook,” an official told AFP.

Facebook added to be committed to “promptly inform users if the platform was inappropriately used and cooperate with the commission and other countries’ regulators” on its website.

Pierluigi Paganini

(Security Affairs – social network, cybersecurity)

The post For the first time Japanese commission ordered Facebook to improve security appeared first on Security Affairs.

(Via Security Affairs)

I wonder if this will translate into actual change.

Also on:

The fix for IT supply chain attacks

The fix for IT supply chain attacks:

As I’ve written previously, I’m very skeptical of Bloomberg’s report about the Chinese placing hardware spy chips on server motherboards used by U.S. companies. China is actively spying on U.S. businesses all the time, I believe, and has already stolen most of the intellectual property secrets they are interested in. The Chinese are on their way to becoming the world’s leading economic power, and manufacturing computer chips is a big part of that equation. I don’t think they would jeopardize that business so blatantly.

If any good is to come out of the Bloomberg article, it is bringing the problem of the supply chain to the forefront. If nearly every computer device and chip is made by potential adversaries, how can you ever be assured that what you are buying doesn’t have intentional bugs or even spying chips?

The supply chain is the aggregation of all entities that provide the products and services needed for other entities to provide their products and services to their customers. Theoretically, any entity can knowingly or unknowingly introduce insecurity that impacts the final product. This is the exact issue that the Bloomberg authors and their anonymous sources allude to: that a spy chip can be placed on motherboards that eventually get placed into servers used by foreign companies.

IT supply chain risk has always existed

This is not a new issue. …

Keeping the supply chain status quo is not an option

So, one solution is no solution: Keep things as-is. As far as we know, incidents of nations using supply-chain malicious inducements are rare. If a nation-state compromised the supply chain too routinely, none of the other nations would buy its chips. It would be a self-solving solution. We’ve made it so far, so good, using this “strategy.”

When do you use a detect-and-regulate supply chain strategy?

… Well, for one, the military already has programs to prevent supply chain issues for its most critical infrastructure. Many levels of the U.S. government have programs that look for malicious supply chain issues. That’s precisely why I don’t believe that we have a widespread issue of Chinese spying chips all over the U.S.

The question is at what level of the supply chain do we start requiring stricter oversight and monitoring? …

The opposite school of thought to the “keep the status quo” argument is that we need to check all computer devices for spying hardware, software and firmware. This can be done by government or industry groups (like the Underwriter’s Laboratories [UL] or Consumer Reports). The problem is that all governments want to spy on people — its own people, and those in other countries. Asking the government to make sure everything is secure and not spying is asking for the fox to guard the henhouse. At the same time, I’m not sure we can do what needs to be done without governmental involvement.

The supply chain security solution needs to be global

… Every nation needs a nationally created and funded regulatory group that can look for supply chain issues but isn’t directly governed by the government. It’s not perfect. It’s like asking the foxes to pay for the shepherds who protect the henhouse, but I don’t see any other realistic way for a supply chain security solution to actually work. Or we can keep the status quo and hope for the best.

(Via CSO Online)

I agree with the article in large part. I disagree that government action and international agreements are the way to address supply chain risks. It is vulnerable in a multitude of ways independent of hardware hacking like the Bloomberg report claims. Compromising hardware not only requires physical access but its own reliance on a supply chain.

I tend toward industry and market forces addressing all aspects of supply chain insecurity. Redundancy, resiliency, supplier diversity, quality assurance, and monitoring are best done by those with the most at risk. Governments are too mercurial, international agreements and treaties often are not worth the paper they are printed on, and special interests can introduce new risks into the equation through self interest and a lack of vision.

Also on:

Pentagon Defense Department travel records data breach

Pentagon – Defense Department travel records suffered a data breach that compromised the PI and credit card data of U.S. military and civilian personnel.
— Read on securityaffairs.co/wordpress/77097/data-breach/pentagon-travel-records-data-breach.html

Twenty some odd years ago I worked on a proposal team to win this very contract. As a security practitioner in the 90’s, the level of security that the DoD wanted was refreshing. This was the first example of a potential client understanding the risk of metadata – that someone could potentially deduce what the DoD planned by watching non-military travel records without necessarily having access to the detail.

No one was thinking specifically about payment or personal information. It was probably assumed that other threat scenarios would cover this data, but my recollection is hazy at best.

By the way, my employer and deal partners did not win the contract.

Also on:

On the Law of Diminishing Specialization

On the Law of Diminishing Specialization:

Deploying a technique called work value analysis, Sassone measured not only the amount of work conducted by his subjects, but also the skill level required for the work. He found that managers and other skilled professionals were spending surprisingly large percentages of their time working on tasks that could be completed by comparably lower-level employees.

An important lesson lurks in these results that’s just as relevant now as it was then, back in the early days of the front office IT revolution: optimizing people’s ability to create value using their brains is complicated. Just because a given technology makes things easier doesn’t mean that it makes an organization more effective, you have to keep returning to the foundational question of what best supports the challenge of thinking hard about valuable things.

(Via Blog – Cal Newport)

Also on: