I enjoyed and learned from 100 Years of Feynman, which starts from his eponymous formula and evolves into these tips for solving physics problems:

  1. Read the question! Some students give solutions to problems other than that which is posed. Make sure you read the question carefully. A good habit to get into is first to translate everything given in the question into mathematical form and define any variables you need right at the outset. Also drawing a diagram helps a lot in visualizing the situation, especially helping to elucidate any relevant symmetries.
  2. Remember to explain your reasoning when doing a mathematical solution. Sometimes it is very difficult to understand what students are trying to do from the maths alone, which makes it difficult to give partial credit if they are trying to the right thing but just make, e.g., a sign error.
  3. Finish your solution appropriately by stating the answer clearly (and, where relevant, in correct units). Do not let your solution fizzle out – make sure the marker knows you have reached the end and that you have done what was requested. In other words, finish with a flourish!

(Via In The Dark)

For InfoSec we can extrapolate three similar tips for engaging with clients, either our internal ones or with external:

  1. Read the RFP/RFI! Listen to the customer! Write down, in your own simple words, your understanding of the client’s request. Communicate it back to them to make sure the understanding is as complete as possible.
  2. When delivering the response/proposal/etc. make sure you “connect the dots” between the client’s request and your solution. Make sure you account for and document assumptions. Explain why the proposal is the way it is.
  3. Finish your response appropriately by stating the answer clearly. Do not let your solution fizzle out – make sure the marker knows you have reached the end and that you have done what was requested. In other words, finish with a flourish!

Item 1 reminds me of a recent almost bad event at work. A potential client reached out about a RFP. They were looking for a security solution with a specific scope and desired outcome. We had a meeting with the client about their goals and objectives. They were clear and precise.

Skip ahead less than one week and suddenly a few leaders in my organization decided to make our RFP response something completely different. My vocal dissents were vetoed. The proposal proceeded with this alternate option. It was as if the client came to our restaurant to eat dinner and we decided to sell them recipe books instead.

Worse, there was nothing in this new approach that was truly new – every piece was obviously recycled generic sales material.

The client was not amused. When we met again the client shut down all extraneous-to-their-request discussions and materials. Since some of the team had not abandoned answering the RFP directly, we were able to pivot and still make a strong proposal.

Another recent proposal I worked on illustrates doing all three items well. The client clearly stated their goals in conversation but their RFP was mostly untethered to the goals, almost as if two different teams drafted each independently. Subsequent client conversations gave us what we needed to form a more complete understanding of the business needs.

The proposal was large compared to the RFP, but the space was needed to completely connect the dots between the client’s broad & disconnected needs and how we would deliver them for the desired business outcome. The response included all of the Who-What-Where-When-Why-How structures to clearly communicate our solution.

There is no shortage of experts in this field. By and large we all think we are one, so we rush to solution without always listening and understanding. Taking a page out of Richard Feynman’s approach to solving physics problems can help address such failings.

Also on:

Appliance Companies Are Lobbying to Protect Their DRM-Fueled Repair Monopolies

The bill (HB 4747) would require electronics manufacturers to sell replacement parts and tools, to allow independent repair professionals and consumers to bypass software locks that are strictly put in place to prevent “unauthorized” repair, and would require manufacturers to make available the same repair diagnostic tools and diagrams to the general public that it makes available to authorized repair professionals. Similar legislation has been proposed in 17 other states, though Illinois has advanced it the furthest so far.

Companies such as Apple and John Deere have fought vehemently against such legislation in several states, but the letters, sent to bill sponsor David Harris and six other lawmakers and obtained by Motherboard, show that other companies are fighting against right to repair as well.

(Via Motherboard)

The right to repair used to be assumed. I remember working on my grandfather’s car with my Dad. I remember changing oil and tires and brakes and head units and shocks and mufflers, &t for that and other cars.And I wasn’t (and still am not) a car guy.

I built and fixed computers when replaceable parts were the norm.

My Dad, members of my family, and people with whom I went to university worked on farms and ranches & regularly repaired the heavy equipment.These were the real instances of duct tape and baling wire.

How about early the early telephone system, which sometimes used barbed wire stretched along fences in rural communities?

We’re not in the early telephone days. We’re in a world where companies can prevent their customers from having agency over products they purchase. Companies can put their customers at risk and not allow the very same customers to protect themselves or even be able to figure out if they’re at risk in the first place.

Also on:

Yahoo gets $35 million slap on wrist for failing to disclose colossal 2014 data breach

The SEC forced Yahoo to pay $35 million in penalties to settle charges that it misled investors. The breach has been widely publicized and is considered one of the largest data breaches on record.

Yahoo’s operating business, now known as Altaba, was acquired last year by Verizon for $4 billion.

What would have been paid under GDPR? $198M if this article is correct.

Calling this a “slap on the wrist” is an insult to wrist slaps everywhere.

Also on:

With a few exceptions, InfoSec podcasts sound the same to me as they did in 2014, both in production quality and in content.

There are two daily shows: SANS ISC Storm Cast and the Cyberwire. They run the gamut – SANS has a brief unpolished production sense and the Cyberwire is perhaps overproduced and over sponsored. Both provide solid daily content. I’m happy to skip both show’s “research” component.

And then there’s the rest.

Most non-vendor podcasts fall into two general categories: echo chambers and interviews.

The “echo chambers”, essentially panel shows full of inside jokes, are mostly gone from my pod catcher. Their production quality is close to zero and they’re mostly op-ed (opinion & editorial) with no counter argument. On PVCSec we tried and mostly failed to counter the standard InfoSec podcast.

The interview shows can be better. The production quality tends to be higher. Several make the interview more about the show host/interviewer and less about the interviewee. Sponsored shows are just that.

There is a third category: “NPR”-style free podcasts. These are the ones that talk about topics most other typical security podcasts miss – legal, governmental, and diplomatic.

Here’s what I’m catching:

If your InfoSec podcast is not on my list and you want it on there, let me know why I should include it.

Also on:


This is a review of Lucas Kello’s The Virtual Weapon and International Order (Yale University Press, 2017):

The questions that Kello’s proposals raise simply prove his point about the need for interdisciplinary discussions to tackle the multifaceted challenges that cybersecurity poses. The book’s three-part typology of technological revolution will be particularly helpful in framing future discussions of cybersecurity both within and outside of international relations. And it can also be deployed to assess future technological developments. As Kello notes, “the distinguishing feature of security affairs in the current epoch is not the existence of a revolution condition but the prospect that it may never end” (257). Cyberweapons are today’s revolution, but tomorrow will surely bring another.

More of a political science perspective.

From Hacker News:

A team of security researchers—which majorly focuses on finding clever ways to get into air-gapped computers by exploiting little-noticed emissions of a computer’s components like light, sound and heat—have published another research showcasing that they can steal data not only from an air gap computer but also from a computer inside a Faraday cage.

Fascinating research for sure. If you happen to be one of the few working in an environment where air-gapping and Faraday cages are common, this highlights that they are not 100% effective in isolation (no pun intended). This is a reminder of the value of good security hygiene, physical and analog and digital, and occasional validation of assumptions.

For the other 99.999% of security professionals, there are more practical and pragmatic risks requiring addressing with a higher return on investment. This is a reminder of the value of good security hygiene, physical and analog and digital, and occasional validation of assumptions.

See what I did there?

See Also:



Social Engineering for the Blue Team:

After I read, Chris Hadnagy’s book, Social Engineering: The Art of Human Hacking I realized that it’s more than just a red team activity. In fact Wikipedia has multiple entries on the topic. It’s not just security focused. It’s also political. Reading the book it’s even more than that. Sales and marketing people use social engineering. In fact, we all do it, to varying degrees. Some better than others. The book is focused on red teaming for social engineering. A lot of those concepts, though, I could easily apply and even provide examples of doing on a day-to-day basis.

(Via Timothy De Block)

This is the gist of Tim’s upcoming workshop, Social Engineering for the Blue Team, at Converge & Bsides Detroit May 10-12 2018. Give his post a read and provide him with your feedback. Tim’s a great presenter and speaker, so it is worth your time.

From Quartz:

Here’s how much time a single American spends on social media and TV in a year:
608 hours on social media
1642 hours on TV
Wow. That’s 2250 hours a year spent on TRASH. If those hours were spent reading instead, you could be reading over 1,000 books a year!

The numbers are compelling. Arguably, even if one reads within one’s own bubble they will be exposed to thoughts and ideas outside of their preconceived notions simply because no one is 100% dogmatic in exactly the same way.

The impetus for the article is this quote from Warren Buffet, very much de rigueur:

Read 500 pages like this every day. That’s how knowledge works. It builds up, like compound interest. All of you can do it, but I guarantee not many of you will…

I’m on board. While it may seem obvious I will say it anyway: You don’t have to read. Audio books are just as good though harder to underline meaningful passages.

My path and recommendation to you, Dear Reader, is a bit different: Reduce the number of books per year but add in reading the capital-N News daily.

I subscribe to and read the New York Times, the Washington Post (JP), the Japan Times (with which I get the New York Times), and the Guardian (JP Weekly). I also read the Atlantic Monthly (JP) and am thinking about picking up the Economist again, which I used to always look forward to reading each week. Yes, I am that cool.

My big change is moving my news consumption to the evening once I arrive home. I find I get too wound up/depressed/angry when I read the News in the morning, thus ruining my day. Tech news, security news, and bits I need for work I read anytime.

Also I make use of podcasts: NPR hourly news update & Up First, NHK English news, the various APM Marketplaces, The CyberWire, the SANS Internet Storm Center Stormcast, The Daily from the New York Times, and the BBC World Service Newshour. I play these at 1.5 speed or faster with the two security podcasts, NPR hourly update, and the NHK news at the top. I start playing it as I leave the office. By the time home and finished with dinner the podcasts have updated me nicely.

I’m in the process of reevaluating my news feeds. The method is much the same as evaluating Cyber Security threat intelligence feeds. Is it:

  • Timely?
  • Accurate?
  • Actionable?
  • Updated?
  • Adding value?

I categorize my information intake in several ways:

  • News
  • Analysis, Editorial & Opinion (most blogs, podcasts, and personal social media feeds)
  • Technical
  • Press releases

With all of this, I find myself overwhelmed with data. Much is redundant and not adding value. Some adds value but isn’t timely. Some opinion is fopped of as news. Branded content permeates.

What sources do you use? How to you consume them? How do you value them?

The Strange WannaCry Attribution:

I’ve been trying to figure out why the U.S. government thought it was useful to attribute the “WannaCry” attack to North Korea …

… I must be missing something here. Probably what I am missing is that the public attribution sends an important signal to the North Koreans about the extent to which we have penetrated their cyber operations and are watching their current cyber activities. But that message could have been delivered privately, and it does not explain why the United States delayed public attribution at least six months after its internal attribution, and two months after the U.K. had done so publicly. Perhaps the answer to the delay question, and another thing I am missing, is that the public attribution is part of larger plan related to a planned attack on North Korea because of its nuclear threat. Bossert’s unconvincing op-ed and incoherent press conference wouldn’t support either interpretation; and if either interpretation is right, it still comes at a cost to general deterrence. But perhaps, surely, hopefully, there is more here than meets the eye.

(Via Lawfare – Hard National Security Choices)

This WannaCry Attribution was a head scratcher for me, too. Listeners of the late lamented PVC Security podcast know that I am generally not a fan of attribution, or more specifically see only limited real life usefulness for 97% of companies’ and individuals’ security. For governments, intelligence agencies, the military, and law enforcement there is more value, but how much value so far after the fact?

This piece by Jack Goldsmith lays out pretty much every issue I have with this plus provides something of a timeline for those for whom this is ancient history (in security terms, anyway).

Got a theory or opinion on this?