I enjoyed and learned from 100 Years of Feynman, which starts from his eponymous formula and evolves into these tips for solving physics problems:

  1. Read the question! Some students give solutions to problems other than that which is posed. Make sure you read the question carefully. A good habit to get into is first to translate everything given in the question into mathematical form and define any variables you need right at the outset. Also drawing a diagram helps a lot in visualizing the situation, especially helping to elucidate any relevant symmetries.
  2. Remember to explain your reasoning when doing a mathematical solution. Sometimes it is very difficult to understand what students are trying to do from the maths alone, which makes it difficult to give partial credit if they are trying to do the right thing but just make, e.g., a sign error.
  3. Finish your solution appropriately by stating the answer clearly (and, where relevant, in correct units). Do not let your solution fizzle out – make sure the marker knows you have reached the end and that you have done what was requested. In other words, finish with a flourish!

(Via In The Dark)

For InfoSec we can extrapolate three similar tips for engaging with clients, whether internal or external:

  1. Read the RFP/RFI! Listen to the customer! Write down, in your own simple words, your understanding of the client’s request. Communicate it back to them to make sure the understanding is as complete as possible.
  2. When delivering the response/proposal/etc. make sure you “connect the dots” between the client’s request and your solution. Make sure you account for and document assumptions. Explain why the proposal is the way it is.
  3. Finish your response appropriately by stating the answer clearly. Do not let your solution fizzle out – make sure the client (your marker) knows you have reached the end and that you have done what was requested. In other words, finish with a flourish!

Item 1 reminds me of a recent near miss at work. A potential client reached out about an RFP. They were looking for a security solution with a specific scope and desired outcome. We had a meeting with the client about their goals and objectives. They were clear and precise.

Skip ahead less than one week and suddenly a few leaders in my organization decided to make our RFP response something completely different. My vocal dissents were vetoed. The proposal proceeded with this alternate option. It was as if the client came to our restaurant to eat dinner and we decided to sell them recipe books instead.

Worse, there was nothing in this new approach that was truly new – every piece was obviously recycled generic sales material.

The client was not amused. When we met again the client shut down all extraneous-to-their-request discussions and materials. Since some of the team had not abandoned answering the RFP directly, we were able to pivot and still make a strong proposal.

Another recent proposal I worked on illustrates doing all three items well. The client clearly stated their goals in conversation but their RFP was mostly untethered to the goals, almost as if two different teams drafted each independently. Subsequent client conversations gave us what we needed to form a more complete understanding of the business needs.

The proposal was large compared to the RFP, but the space was needed to completely connect the dots between the client’s broad & disconnected needs and how we would deliver them for the desired business outcome. The response included all of the Who-What-Where-When-Why-How structures to clearly communicate our solution.

There is no shortage of experts in this field. By and large we all think we are one, so we rush to solution without always listening and understanding. Taking a page out of Richard Feynman’s approach to solving physics problems can help address such failings.


Farbod Saraf on Twitter:

The bosses we remember:

  1. provided safe space to grow
  2. opened career doors
  3. defended us when we needed it
  4. recognized and rewarded us
  5. developed us as leaders
  6. inspired us to stretch higher
  7. led by example
  8. told us our work mattered
  9. forgave us when we made mistakes

(Via swissmiss)

This citation is probably trite by now. That’s too bad.

One of my first managers in the ‘90s basically said the same thing but somehow more tersely. I’ve tried, sometimes more successfully than others, to do these things regardless of my title.

And that’s the difference: being a Leader means you do these things. I’ve seen many a manager (or “boss”) to whom I would never assign such traits. And I’ve seen many a Leader who held no title.

Which are you?


Appliance Companies Are Lobbying to Protect Their DRM-Fueled Repair Monopolies

The bill (HB 4747) would require electronics manufacturers to sell replacement parts and tools, to allow independent repair professionals and consumers to bypass software locks that are strictly put in place to prevent “unauthorized” repair, and would require manufacturers to make available the same repair diagnostic tools and diagrams to the general public that it makes available to authorized repair professionals. Similar legislation has been proposed in 17 other states, though Illinois has advanced it the furthest so far.

Companies such as Apple and John Deere have fought vehemently against such legislation in several states, but the letters, sent to bill sponsor David Harris and six other lawmakers and obtained by Motherboard, show that other companies are fighting against right to repair as well.

(Via Motherboard)

The right to repair used to be assumed. I remember working on my grandfather’s car with my Dad. I remember changing oil and tires and brakes and head units and shocks and mufflers, etc. for that and other cars. And I wasn’t (and still am not) a car guy.

I built and fixed computers when replaceable parts were the norm.

My Dad, members of my family, and people with whom I went to university worked on farms and ranches & regularly repaired the heavy equipment. These were the real instances of duct tape and baling wire.

How about the early telephone system, which sometimes used barbed wire stretched along fences in rural communities?

We’re not in the early telephone days. We’re in a world where companies can prevent their customers from having agency over products they purchase. Companies can put their customers at risk and not allow the very same customers to protect themselves or even be able to figure out if they’re at risk in the first place.


Yahoo gets $35 million slap on wrist for failing to disclose colossal 2014 data breach

The SEC forced Yahoo to pay $35 million in penalties to settle charges that it misled investors. The breach has been widely publicized and is considered one of the largest data breaches on record.

Yahoo’s operating business, now known as Altaba, was acquired last year by Verizon for $4 billion.

What would have been paid under GDPR? $198M if this article is correct.

Calling this a “slap on the wrist” is an insult to wrist slaps everywhere.


Chinese Cyberspies Appear to be Preparing Supply-Chain Attacks

First and foremost, attackers appear to favor spear-phishing individual targets, preferring to collect credentials and then entering accounts without utilizing malware for establishing an initial foothold.

“We have observed spear-phishing campaigns that target human resources and hiring managers, IT staff, and internal information security staff, which are generally very effective,” 401TRG experts said about the 2017 campaigns.

Hackers focus on collecting network credentials and then spreading laterally inside a company.

Attackers then use a technique known as “living off the land,” which refers to the use of locally installed apps for malicious purposes. Tools often used in these intrusions include standard Windows utilities, but also penetration testing utilities such as Metasploit and Cobalt Strike. Malware is only deployed if necessary, attackers fearing detection, which often implies losing their foothold on a target’s network.

(Via BleepingComputer.com)

First, don’t forget the ‘supply chain’ isn’t just raw materials or parts or assemblies or their ilk. It’s the HVAC and fish tank maintenance companies, too.

I like the phrase LotL (“Living off the Land”). I think, though I need to check, it translates well.

Tl;dr: Orgs with strong security & defense-in-depth can still harbor blind spots & inaccurate assumptions.
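As an added example (not code from this post, 401TRG or BleepingComputer), the following Python sketch shows one way a defender can surface the credential-driven lateral movement described above: no malware is dropped, so the signal is an account authenticating to unusually many distinct hosts in a short window. The log layout, account names, hostnames and thresholds are constructed assumptions, not any product's real format.

```python
"""Flag accounts whose network logons fan out to many hosts quickly.

Added illustration for the post above; not 401TRG's or anyone's tooling.
Log lines, field layout and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp,account,source_host,target_host,logon_type"
# Logon type 3 is a network logon (the Windows Event ID 4624 convention);
# type 2 is an interactive logon at the console and is ignored here.
SAMPLE_LOG = """\
2018-04-01T09:00:05,corp\\jdoe,WS-012,FS-01,3
2018-04-01T09:00:41,corp\\jdoe,WS-012,FS-02,3
2018-04-01T09:01:10,corp\\jdoe,WS-012,HR-DB,3
2018-04-01T09:01:33,corp\\jdoe,WS-012,SEC-SRV,3
2018-04-01T09:02:02,corp\\jdoe,WS-012,DC-01,3
2018-04-01T09:05:00,corp\\asmith,WS-044,FS-01,3
2018-04-01T11:30:00,corp\\asmith,WS-044,PRINT-01,3
2018-04-01T09:00:00,corp\\jdoe,WS-012,WS-012,2
"""


def parse_log(text):
    """Parse the constructed CSV lines into (ts, account, src, dst, type)."""
    events = []
    for line in text.splitlines():
        ts, account, src, dst, logon_type = line.split(",")
        events.append((datetime.fromisoformat(ts), account, src, dst, int(logon_type)))
    return events


def find_lateral_movement(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {account: sorted target hosts} for accounts whose network
    logons reach at least min_hosts distinct targets inside one window."""
    by_account = defaultdict(list)
    for ts, account, _src, dst, logon_type in events:
        if logon_type == 3:  # only network logons count as "spreading"
            by_account[account].append((ts, dst))
    hits = {}
    for account, logons in by_account.items():
        logons.sort()  # sliding window over time-ordered logons
        for i, (start, _) in enumerate(logons):
            hosts = {dst for ts, dst in logons[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for account, hosts in find_lateral_movement(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: {len(hosts)} hosts within 10 min -> {hosts}")
```

Tune the window and host threshold against your own baseline; service accounts that legitimately touch many hosts will need an allow-list.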


Shinjuku, Tokyo, Japan


With a few exceptions, InfoSec podcasts sound the same to me as they did in 2014, both in production quality and in content.

There are two daily shows: SANS ISC Storm Cast and the Cyberwire. They run the gamut – SANS has a brief, unpolished production sense and the Cyberwire is perhaps overproduced and over-sponsored. Both provide solid daily content. I’m happy to skip both shows’ “research” components.

And then there’s the rest.

Most non-vendor podcasts fall into two general categories: echo chambers and interviews.

The “echo chambers”, essentially panel shows full of inside jokes, are mostly gone from my pod catcher. Their production quality is close to zero and they’re mostly op-ed (opinion & editorial) with no counter argument. On PVCSec we tried and mostly failed to counter the standard InfoSec podcast.

The interview shows can be better. The production quality tends to be higher. Several make the interview more about the show host/interviewer and less about the interviewee. Sponsored shows are just that.

There is a third category: “NPR”-style free podcasts. These are the ones that talk about topics most other typical security podcasts miss – legal, governmental, and diplomatic.

Here’s what I’m catching:

If your InfoSec podcast is not on my list and you want it on there, let me know why I should include it.


When I first managed people, just as I’d taken over a troubled retail sales department and had to do performance evaluations, I got a great piece of advice from my then mentor:

> If all your reviews are a 5 you are doing it wrong. You may have reasons to rationalize such scores, but you do no one – especially yourself – any favors by doing so.

We, my new team, turned the department around quickly. I ignored my mentor’s advice and went ahead with my “All 5” reviews (the best possible) and … they were rejected. I had to do them all over again, this time with supervision.

My mentor rightly chastised me for ignoring his guidance and then gave me the next nugget:

> If your team is all 5s, they’re all 2s.

Meaning: if your baseline is so high that everyone gets the highest level, normalize the baseline. And it’s probably still too high.

> If people don’t have a challenge to overcome they will tend toward complacency.

I was lucky to have smart leaders. They saw my naïveté as an advantage. My short-sighted management style was converted into a galvanizing experience for the team. Meanwhile, I reassessed.

Fast forward to today. We rank all kinds of things: Amazon purchases and podcasts and Lyft drivers and restaurants and beers and so on. How many of us default to 5 stars or equivalents? What about vapid or useless “me, too” comments? And how about the essay review? My approach is evolving, but in short:

> Am I adding value and what value am I adding?

If I experience something enjoyable but otherwise unremarkable, am I doing anyone any favors by assigning a 5? Better to make 2.5 the baseline.

What about the skew toward high scoring? Am I not making it worse for some things?

I try to add content to the review. A 3 beer, for example, is better than the average mass produced brew. If I give a beer such a score I will add the context to the score. Maybe it’s dry or fruity or hoppy or has some other attribute placing it above the norm.

Until this becomes normal I do not rely on straight-up scored reviews for anything substantial. Again, with beer or food I will trend toward the high scores with high review counts.

I suggest all embrace circumspection in scoring of things, services & people.

Let me know if you can identify the post’s title reference.


You had an abrupt conversation with your boss (or someone else, depending on the scope) and an HR representative, hopefully in person but maybe remote. You learned you are no longer part of the organization.

Maybe you didn’t expect it. Maybe you had an inkling. Maybe you saw it coming. It doesn’t matter.

You might be one of tens or hundreds or thousands. It doesn’t matter.

When you get “The News”, Douglas Adams said it best: Don’t Panic. Take a deep breath.

  • Don’t accept or concede anything
  • Don’t sign anything (you, of course, want a lawyer to review it first)
  • Collect data, preferably on paper or a personal device
  • Tell the HR representative you’ll respond later, at least 5 days after & including a weekend.

Emotionally YOU ARE NOT PREPARED for the news. Everyone takes it differently. Accept the fact that you will be emotional and don’t fight it. Go Home! You want to leave as soon as you can. I made the mistake of trying to take things from my office. Tell Your Family and Friends as soon as you can. Don’t go through this alone even if you’d prefer to handle it yourself.

Note: If you were terminated for cause this post isn’t for you. While some of these tips may apply, you are best served by legal representation.

Note: This is a Western take on such events, but I think it holds true in other geographies.


The CSO typically represents physical security. The CISO typically represents non-physical security.

Which is subordinate to the other?

Many organizations defer the question. They see the two as separate regardless of the evidence. Perhaps it’s because of the easily understood physical versus the harder to grasp non-physical.

My opinion for most organizations is that the CSO is subordinate to the CISO. The ratio used to go the other way. Physical security is important. It can’t be diminished. Yet Information Security & CyberSecurity ascends. Appreciating and dealing with physical security is a part of Information/Cyber Security.


Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer

Nicole Eagan, the CEO of cybersecurity company Darktrace, told attendees at an event in London on Thursday how cybercriminals hacked an unnamed casino through its Internet-connected thermometer in an aquarium in the lobby of the casino.

According to what Eagan claimed, the hackers exploited a vulnerability in the thermostat to get a foothold in the network. Once there, they managed to access the high-roller database of gamblers and “then pulled it back across the network, out the thermostat, and up to the cloud.”

(Via Hacker News)

I didn’t get a chance to write about this when it came out, but its dissemination came at an opportune moment. About 1 hour earlier I was using the Target breach as an example of third-party risks.

This story made an excellent follow-up.
