Farbod Saraf on Twitter:

The bosses we remember:

1 provided safe space to grow

2 opened career doors

3 defended us when we needed it

4 recognized and rewarded us

5 developed us as leaders

6 inspired us to stretch higher

7 led by example

8 told us our work mattered

9 forgave us when we made mistakes

(Via swissmiss)

This citation is probably trite by now. That’s too bad.

One of my first managers in the ’90s basically said the same thing but somehow more tersely. I’ve tried, sometimes more successfully than others, to do these things regardless of my title.

And that’s the difference: being a Leader means you do these things. I’ve seen many a manager (or “boss”) to whom I would never assign such traits. And I’ve seen many a Leader who held no title.

Which are you?


Why Democracy Doesn’t Deliver

At the root of the problem is a predilection for short-​termism that has become embedded in the political and business culture of modern democracies. By design, Western politicians have relatively short political horizons; they are often in office for terms of less than five years. So they find their duties regularly interrupted by elections that distract from the job of addressing long-​term policy challenges. As a result, politicians are naturally and rationally drawn to focus their efforts on seducing their electorates with short-​term sweeteners — including economic policies designed to quickly produce favorable monthly inflation, unemployment, and GDP numbers.

Voters generally favor policies that enhance their own well-​being with little consideration for that of future generations or for long-​term outcomes. Politicians are rewarded for pandering to voters’ immediate demands and desires, to the detriment of growth over the long term. Because democratic systems encourage such short-​termism, it will be difficult to solve many of the seemingly intractable structural problems slowing global growth without an overhaul of democracy.

(Via Foreign Policy)

Regardless of where you fall on the political spectrum, or if you are a foreign observer of the U.S. democratic circus, this is a thought-provoking read.

Who is playing the “long game” anymore? And if they are, can they? I’m no fan of term limits – I think they are “managing to the edge”, meaning dealing with elements outside of the norm, and hurt the “long game” view. But I see value in certain limits.

Curtailing the election cycle, and the periods in which politicians and PACs and such can collect funds and spend them, should also be part of the mix. I REALLY like the idea of PACs & SuperPACs & committees & the candidates only being allowed to solicit campaign funds for 45 days before a campaign of 90 days (or some well defined term) before the election. For the House of Representatives, and any other body that is similarly short termed, I would make it 30 days for fund raising and 30 days for campaigning.

I also think the U.S. Election Day should be a national holiday with mandatory voting.

Your mileage may vary.


Appliance Companies Are Lobbying to Protect Their DRM-Fueled Repair Monopolies

The bill (HB 4747) would require electronics manufacturers to sell replacement parts and tools, to allow independent repair professionals and consumers to bypass software locks that are strictly put in place to prevent “unauthorized” repair, and would require manufacturers to make available the same repair diagnostic tools and diagrams to the general public that it makes available to authorized repair professionals. Similar legislation has been proposed in 17 other states, though Illinois has advanced it the furthest so far.

Companies such as Apple and John Deere have fought vehemently against such legislation in several states, but the letters, sent to bill sponsor David Harris and six other lawmakers and obtained by Motherboard, show that other companies are fighting against right to repair as well.

(Via Motherboard)

The right to repair used to be assumed. I remember working on my grandfather’s car with my Dad. I remember changing oil and tires and brakes and head units and shocks and mufflers, etc. for that and other cars. And I wasn’t (and still am not) a car guy.

I built and fixed computers when replaceable parts were the norm.

My Dad, members of my family, and people with whom I went to university worked on farms and ranches & regularly repaired the heavy equipment. These were the real instances of duct tape and baling wire.

How about the early telephone system, which sometimes used barbed wire stretched along fences in rural communities?

We’re not in the early telephone days. We’re in a world where companies can prevent their customers from having agency over products they purchase. Companies can put their customers at risk and not allow the very same customers to protect themselves or even be able to figure out if they’re at risk in the first place.


The Daily Grind

One thing I can say about Japanese customers after living in the country for 30 years is this: Japanese customers are quiet, fair, possess a dry, critical but practical way of dealing with things and are hard-nosed, some of the most hard-nosed customers in the world I think. They like what is good, dislike what is bad, and simply stop using something that doesn’t work for them. But once they feel betrayed by a product, they silently drop it and never come back.

iOS 11.4 Beta 3 Does Not Fix The iPhone X Apple Pay Suica Error Problem

Just a public service message that iOS 11.4 beta 3 (15F5061e) does not fix the iPhone X Suica Problem.

Meanwhile, in other news mentioned by atadistance.net, Generalissimo Francisco Franco is still dead.


Yahoo gets $35 million slap on wrist for failing to disclose colossal 2014 data breach

The SEC forced Yahoo to pay $35 million in penalties to settle charges that it misled investors. The breach has been widely publicized and is considered one of the largest data breaches on record.

Yahoo’s operating business, now known as Altaba, was acquired last year by Verizon for $4 billion.

What would have been paid under GDPR? $198M if this article is correct.

Calling this a “slap on the wrist” is an insult to wrist slaps everywhere.


Chinese Cyberspies Appear to be Preparing Supply-Chain Attacks

First and foremost, attackers appear to favor spear-phishing individual targets, preferring to collect credentials and then entering accounts without utilizing malware for establishing an initial foothold.

“We have observed spear-phishing campaigns that target human resources and hiring managers, IT staff, and internal information security staff, which are generally very effective,” 401TRG experts said about the 2017 campaigns.

Hackers focus on collecting network credentials and then spreading laterally inside a company.

Attackers then use a technique known as “living off the land,” which refers to the use of locally installed apps for malicious purposes. Tools often used in these intrusions include standard Windows utilities, but also penetration testing utilities such as Metasploit and Cobalt Strike. Malware is only deployed if necessary, attackers fearing detection, which often implies losing their foothold on a target’s network.

(Via BleepingComputer.com)

First, don’t forget the ‘supply chain’ isn’t just raw materials or parts or assemblies or their ilk. It’s the HVAC and fish tank maintenance companies, too.

I like the phrase LotL (“Living off the Land”). I think, though I need to check, it translates well.

Tl;dr: Orgs with strong security & defense-in-depth can still harbor blind spots & inaccurate assumptions.
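Since the excerpt above describes the pattern (phished credentials, no initial malware, lateral movement with built-in utilities) without showing what a defender would actually look for, here is an added example of the detection side. It is not from the BleepingComputer article or the 401TRG report; the events, host names, user names and rule names are all constructed for illustration, and the rules are generic “living off the land” heuristics over process-creation telemetry (Sysmon Event ID 1 style fields: parent image, image, command line).

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (not real logs). Field names mimic
# Sysmon Event ID 1, the telemetry a defender would normally run this over.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "outlook.exe",
     "image": "winword.exe", "cmdline": "winword.exe /n resume.docx"},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "winword.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA..."},
    {"host": "fs02", "user": "CORP\\svc_backup", "parent": "services.exe",
     "image": "robocopy.exe", "cmdline": "robocopy.exe D:\\data \\\\nas\\backup /MIR"},
    {"host": "ws03", "user": "CORP\\hr_admin", "parent": "cmd.exe",
     "image": "wmic.exe",
     "cmdline": "wmic.exe /node:fs02 process call create \"cmd.exe /c dir\""},
    {"host": "ws03", "user": "CORP\\hr_admin", "parent": "cmd.exe",
     "image": "net.exe", "cmdline": "net.exe use \\\\fs02\\C$ /user:CORP\\hr_admin"},
    {"host": "ws04", "user": "CORP\\it_ops", "parent": "explorer.exe",
     "image": "psexec.exe", "cmdline": "psexec.exe \\\\ws05 -s cmd.exe"},
]

# Office applications rarely have a legitimate reason to launch a script host;
# when they do, it is the classic sign of a phishing attachment doing its work.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")
HIDDEN_PS = re.compile(r"(?i)-w(indowstyle)?\s+hidden")
WMIC_REMOTE = re.compile(r"(?i)/node:\S+.*process\s+call\s+create")
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(C|ADMIN)\$", re.I)
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    severity: str
    cmdline: str


def rule_office_spawns_script(ev):
    """Initial access via a document: Office parent, script-host child."""
    if ev["parent"].lower() in OFFICE_PARENTS and ev["image"].lower() in SCRIPT_HOSTS:
        return ("office_app_spawned_script_host", "high")


def rule_obfuscated_powershell(ev):
    """PowerShell started with an encoded command or a hidden window."""
    cmd = ev["cmdline"]
    if ev["image"].lower() == "powershell.exe" and (ENCODED_PS.search(cmd) or HIDDEN_PS.search(cmd)):
        return ("powershell_encoded_or_hidden", "medium")


def rule_remote_exec_builtin(ev):
    """Remote process creation through utilities that ship with Windows."""
    img = ev["image"].lower()
    if img == "wmic.exe" and WMIC_REMOTE.search(ev["cmdline"]):
        return ("wmic_remote_process_create", "high")
    if img in {"psexec.exe", "psexec64.exe"}:
        return ("psexec_remote_execution", "medium")


def rule_admin_share_access(ev):
    """net.exe mapping another host's C$ or ADMIN$ share with stolen creds."""
    if ev["image"].lower() == "net.exe" and ADMIN_SHARE.search(ev["cmdline"]):
        return ("admin_share_mapped", "medium")


RULES = [rule_office_spawns_script, rule_obfuscated_powershell,
         rule_remote_exec_builtin, rule_admin_share_access]


def evaluate(events):
    """Run every rule over every event; one Finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(Finding(ev["host"], ev["user"], hit[0], hit[1], ev["cmdline"]))
    return findings


def summarize(findings):
    """Count of findings per rule name, useful for tuning noisy rules."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def flagged_hosts(findings, min_severity="low"):
    """Sorted hosts with at least one finding at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    return sorted({f.host for f in findings if SEVERITY_RANK[f.severity] >= floor})


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.host:5} {f.user:16} {f.rule:32} {f.cmdline}")
```

None of these rules fires on malware, which is the point of the article: the signal is ordinary binaries used in an unusual order by an account that was phished for its credentials. The backup job on fs02 touches a share and is not flagged, because the rules key on the executable and its command line rather than on network activity alone; in production each rule would be baselined against the environment before it pages anyone.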


Shinjuku, Tokyo, Japan


For the last month or so I’ve listened to The Cars fairly regularly. I think it’s the change of the season as I’ve always associated them with summer.

When I was a young pup, knee high to a garden snake, my Californian brothers brought many an otherwise unknown band to our midwestern home. Van Halen, Rush, Scorpions, Iron Maiden, and others were in the mix. The more heavy metal of the bunch I discarded.

Rush was the first of those bands I embraced. One of my friends in my Connecticut high school was a big Rush fan. When I started working many years later for a Canadian company Rush again entered my listening life.

Van Halen, and later Van Hagar, became frozen in that late-’80s-to-’90 moment when they were everywhere.

And then there was The Cars.

The Cars was like a less overplayed and better version of what Journey was doing at the time (also part of my brothers’ music mix). Journey stayed ever present on US radio from the Rock to Classic Rock to the oldies station where they live today.

I recall having one of their tapes, Heartbeat City, when the family road-tripped across the western US on holiday in the mid ’80s. Then they dropped off my radar.

I’m caught a bit off guard by the high regard in which I hold The Cars today.

Who cares. It’s summer (in the Northern Hemisphere)!


With a few exceptions, InfoSec podcasts sound the same to me as they did in 2014, both in production quality and in content.

There are two daily shows: SANS ISC Storm Cast and the Cyberwire. They run the gamut – SANS has a brief, unpolished production sense and the Cyberwire is perhaps overproduced and over-sponsored. Both provide solid daily content. I’m happy to skip both shows’ “research” component.

And then there’s the rest.

Most non-vendor podcasts fall into two general categories: echo chambers and interviews.

The “echo chambers”, essentially panel shows full of inside jokes, are mostly gone from my pod catcher. Their production quality is close to zero and they’re mostly op-ed (opinion & editorial) with no counter argument. On PVCSec we tried and mostly failed to counter the standard InfoSec podcast.

The interview shows can be better. The production quality tends to be higher. Several make the interview more about the show host/interviewer and less about the interviewee. Sponsored shows are just that.

There is a third category: “NPR”-style free podcasts. These are the ones that talk about topics most other typical security podcasts miss – legal, governmental, and diplomatic.

Here’s what I’m catching:

If your InfoSec podcast is not on my list and you want it on there, let me know why I should include it.


A new acquaintance suggested I put on more weight to look like the current US President.

That’s a hell of a thing for someone to say in the middle of a holiday. True, but a hell of a thing to say.

The last time I received such an unflattering comment (and the above was a bit of good-natured ribbing) was when I was about 40lbs (18kg) heavier than I am now and six years younger. Work required some Saturday office visit and the security guard mentioned that, in my hoodie and Detroit Tigers cap, I looked like Michael Moore.


I vastly prefer the people, usually women of a certain age, who flatteringly compare me to actor and director Sir Kenneth Branagh. I welcome and embrace that comparison – as inaccurate as I know it to be if for no other reason than he is older than me by a lot.
