Podcasts – A Critique

This smacks a bit of the complaints about TiVo and the other time shifting apps:

Castro Podcasts – The Brooks Review:

Podcasts are too long, but instead of podcaster doing the hard work to shorten them, listeners use hacks like trimming silence (ruining the tempo, not that there was any) and playing at faster than normal speed playback. Listeners (and this was literally news to me today) also use chapters to jump about in the podcasts to skip over the boring bits.

Isn’t the entire point of a podcast that the entire podcast is relevant and entertaining?

Ben’s not wrong. He minimizes how hard it is to produce a decent podcast, however.

The PVC Security podcast had a veteran podcaster (Timothy DeBlock), one of the hosts had radio & TV experience (me), and Edgar Rojas had his je ne sais quoi. We three went in with the idea of producing a better InfoSec podcast than anyone else was doing at the time.

Our production values would be higher. We would be more fun. I think we were, for the most part. We kept the show under 50 minutes and removed as much useless dead air and as many vocal tics as we could without losing pace. But it wasn’t easy. Eventually we three, plus Tracy Maleeff who had by then signed on, called it a day. Fortunately, Tim carried on with his Exploring Information Security podcast.

Back to Ben’s comment — most Security and CyberSecurity podcasts are still unlistenable without the podcast app features of Castro or Overcast. No one in the security podcast space outside of the SANS Internet Storm Center StormCast and the CyberWire is concise. The SANS show often has lo-fi production, but the content is high value and brief.

A year on from episode 99, I know how I would do PVCSec or another show better: tighter, focused, fun, and 30 minutes long once or twice a month. Topical but not a news service. Still not an echo chamber. But … how much singing? Anyway, eh … maybe again someday (a podcast, not the singing).

Meanwhile I am taking a stern look at my podcasts. They don’t demand my attention like social media, but I have too many that leave me feeling bad about things the show tells me I have no way to fix. The comedy shows I need to keep for the laughs and the popular media knowledge.

What do you think?


The Crack Squad of Librarians Who Track Down Half-Forgotten Books – Atlas Obscura

The Crack Squad of Librarians Who Track Down Half-Forgotten Books – Atlas Obscura:

Before we each had a little, flickering encyclopedia in our hands, we had librarians, and they’re still experts at finding the answers to tricky questions. Through the Ask NYPL portal, a decades-old phone and text service, the staff has triaged everything from queries about the Pope’s sex life to what it means if you dream about being chased by elephants. The library staff are ace researchers with a massive trove at their fingertips. A sense of mystery in their work comes when people approach them with vague questions and patchy details—particularly when they’re looking for books, but they don’t remember the authors or titles.

(Via Atlas Obscura)

My friend used to be employed as a librarian. I think they never stop being a librarian.

My favorite librarian moments: talking Twin Peaks when it was on its initial run; getting called out for not having read the Iliad & the Odyssey when I bragged about doing so (since corrected); the same librarian geeking out with me over the album Nursery Crime by Genesis; doing a fun podcast with one.


Some PVC Security maintenance

Dear Friends,

Our dearly departed podcast project is drifting into the dark recesses of the collective mind, so the time arrives for some archiving.

The pvcsec Twitter account is disabled & on its way to deletion. I will be going through to make sure all of our other social media bits are similarly retired – Facebook, Google+, and so on.

I am not sure if the web site will move over here as a subsection or if I will let the Internet Archive have its way with it. I’m also considering a plain text archive on gopher, but that might be more work than I want.

Anyway, this will be thought about and done over the next 2 to 4 weeks or so. Stay tuned?


(Away from) Home for the Holidays

2016 will be the first time I’m away from the U.S. for Thanksgiving, Christmas, and New Year’s Eve.

Many years ago I spent both Canadian Thanksgiving and U.S. Thanksgiving around Toronto. Another year I think I was in Austria and Germany at the end of November.

Regular readers and PVC Security podcast listeners know I moved to Tokyo this month.

I don’t particularly care that I’ll miss Christmas and New Year’s. I could do without both. Christmas to me means traffic jams and hyper-consumerism. New Year’s is mostly an opportunity to screw up one’s sleep schedule. Unless the calendar is forgiving, all too soon one returns to work.

I liked those holidays so little that I used to volunteer to work them. I won’t miss them here.

Thanksgiving? Well, that’s another thing entirely.

I love the weather in New England and Michigan this time of year. I love well-cooked turkey, stuffing, potatoes, gravy, rolls, green beans, etc. I love pumpkin beer (though its creep earlier and earlier each year reduces the draw for me). I love watching football.

Most of all, I love spending it with my family. It can be just me and the kids. It can be the whole clan or something in between.

I wonder how I’ll do that day here. Some of my colleagues and friends here have already volunteered to take my mind off of it.

Stay tuned!


Week ending 092516

Quick hits as I re-ramp up my Week Ending posts.

  • Holidays in Japan while I’m back in the States.
  • Great feedback from the client about our work.
  • Wish I’d attended @Derbycon.
  • I’ve been back in Detroit on my return from Tokyo. Spent time with my kids, fun time talking about Tokyo and getting sushi (their idea) and my impending move.
  • A great guest joined us on @pvcsec – Marcelle Lee.
  • Professionally I connected with some new folk and a bunch of friends & colleagues.

My latest Thursday, 20160908

It’s a rainy, hurricane #Tokyo today. Yesterday was earthquake Tokyo.
@edgarr0jas and I recorded @pvcsec #EP78. I edited and uploaded #EP77 but the show notes are slow going. Someone deleted last week’s run sheet. No @timothydeblock or @cmaddalena or @infosecsherpa, sadly.
I’ve been diving into #blockchain and #fintech during breaks working on a client deliverable.
I can’t help but chime in on the @apple announcement: I’m glad I bought my iPhone 6s+ a few weeks ago. I think there might be a run on them (https://apple.news/AtodeT67IQiKYmKB2s3fvvA).
Big security day today, product and provider oriented. @Dell finished their @EMCcorp acquisition (http://www.wsj.com/articles/dell-closes-60-billion-merger-with-emc-1473252540), @HPE sold their enterprise software to @MicroFocus (whoever they are; http://reut.rs/2ckMx4c), and @Intel spun off @McAfee Security (http://www.wsj.com/articles/intel-nears-deal-to-sell-mcafee-security-unit-to-tpg-1473277803).
Oh, and I’m playing around with http://www.dayoneapp.com.

I like busy.

Describing this week as “jam packed” epitomizes the understatement. I shall spare you, Dear Reader, from the run down. Yet I felt energized, more than at any time in recent memory.

I’m mentoring several people, officially and otherwise. I finally made it back on the PVC Security Podcast for the first time in weeks (months?). I stepped in at the last minute to help an account team respond to a request for proposal, an experience I’ll write about in detail once the dust settles. I interviewed prospective IBM employees. I attended training. Of course, I continued supporting my current client engagement with aplomb. I traveled about 6,000 miles.

That is a jam packed week by any account. Home front items require my attention. Perhaps I can parlay this energy into the required action.

My colleague, unofficial mentee, and new friend Andrew and I toured (read: wandered somewhat aimlessly in) Brussels. I’ll write about it over on ESG soon. Tomorrow, Ghent!


How To Tell If A Job You Want Is Out Of Reach

Ed Rojas and I discussed interviewing on a couple of recent PVC Security Podcasts. The Muse recently posted an article about how to measure if a job you want is realistically within your ability:

There it is.

Posted on the job board of your dream company.

A job that is totally amazing. A big step up from the job you’ve currently got. And, yes—maybe just ever-so-slightly out of your reach.

Should you apply anyway? Or would it be a total waste of your time—and theirs?

This four-question guide can help you decide whether to go for it or hold back. Grab your pen and get ready for a healthy reality check.

Give the article a read. Let me know your thoughts in the comments.


RDRDS, or Five Points of Security Architecture

There’s a concept that gained some traction not too long ago, called anti-fragile. The idea is to make things that can withstand a certain level of abuse without failing. “Bend, don’t break” is the easy way of thinking about it.

I think the concept of anti-fragile is a good one, but it is too limiting. I prefer RDRDS – Redundancy, Diversity, Resiliency, Depth, and Simplicity – or Five Points of Security Architecture.

We security professionals talk about the CIA triangle – confidentiality, integrity, and availability. Availability is often overlooked; RDRDS addresses it directly. Integrity is also covered in this scheme, in that the systems the data rely upon must not just keep the data available but keep it unaltered, whether intentionally or otherwise. RDRDS helps assure that because integrity is built into the concept and the quality of those systems is known in advance of their use.

Operationally, availability is critical. When I was a network manager I mostly lived in the operations world. When systems fail, the phone starts ringing. Focusing on operational issues becomes a simple math problem in many organizations, and we should take advantage of it. Is the cost of implementing and maintaining these redundant systems worth it? How many minutes of avoided downtime pay for these systems?

When I talk about RDRDS, what do I mean?

Redundancy

  • Duplication of components or circuits to provide survival of the total system in case of failure of single components.

Firewalls are the canonical example of security tools deployed in a redundant configuration. In most organizations they are a pair of nodes in a cluster, although 3 or more nodes and multiple clusters are not uncommon.

We want critical systems to be redundant. By redundant, I mean they should keep running in the event of any specific element failing. This is typically handled via clustering, secondary paths, and load balancing among other tools.

Diversity

  • The quality of being different or unlikeness.
  • A variety.
  • Diverse types or examples.

Diversity basically boils down to not relying on a single vendor, technology, or philosophy. Lacking diversity limits the value of redundancy.

Diversity also means avoiding single points of failure in a system. For example, having a server with two power supplies plugged into the same power circuit is an example of having redundancy (two power supply units) but a lack of diversity (one power circuit). Purchasing two data circuits from different providers when they both come in on the same cable through the same conduit is another example.
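The two examples above (two power supplies on one circuit, two data circuits in one conduit) share a shape: the redundant members all depend on the same upstream thing, so the redundancy buys nothing against that thing failing. The check below, an added example rather than code from the original post, makes that shape mechanical. The component names, redundancy groups, and dependency labels (“circuit-7”, “conduit-east”, and so on) are constructed for illustration; a real inventory would supply its own.

```python
"""Single-point-of-failure check for a redundant design (added example).

Constructed model, not part of the original post. Each component lists the
upstream dependencies whose failure would take it down (a power circuit, a
cable conduit, a vendor). Components in the same redundancy group are meant
to cover for each other, so a dependency shared by every member of a group is
a single point of failure: the group is redundant but not diverse.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Component:
    name: str
    group: str                  # redundancy group, e.g. "db-psu" or "wan"
    depends_on: FrozenSet[str]  # upstream things this component cannot survive without


def _by_group(components: List[Component]) -> Dict[str, List[Component]]:
    groups: Dict[str, List[Component]] = {}
    for c in components:
        groups.setdefault(c.group, []).append(c)
    return groups


def shared_dependencies(components: List[Component]) -> Dict[str, FrozenSet[str]]:
    """Return, per redundancy group, the dependencies common to every member.

    A non-empty set means one upstream failure disables all redundant members
    at once (the two-PSUs-on-one-circuit case). A group with a single member
    reports all of its dependencies, since it has no redundancy at all.
    """
    return {
        group: frozenset.intersection(*(m.depends_on for m in members))
        for group, members in _by_group(components).items()
    }


def groups_lost_if(failed: str, components: List[Component]) -> List[str]:
    """Simulate the failure of one dependency; list groups left with no surviving member."""
    return sorted(
        group
        for group, members in _by_group(components).items()
        if all(failed in m.depends_on for m in members)
    )


# Constructed sample design: redundant pairs that look fine on paper.
SAMPLE_DESIGN = [
    Component("psu-a", "db-psu", frozenset({"circuit-7"})),
    Component("psu-b", "db-psu", frozenset({"circuit-7"})),           # same circuit as psu-a
    Component("isp-alpha", "wan", frozenset({"vendor-alpha", "conduit-east"})),
    Component("isp-beta", "wan", frozenset({"vendor-beta", "conduit-east"})),  # same conduit
    Component("fw-1", "fw", frozenset({"circuit-7", "rack-1"})),
    Component("fw-2", "fw", frozenset({"circuit-12", "rack-2"})),      # genuinely diverse
]

# The same design after moving psu-b to a second circuit and isp-beta to a second conduit.
CORRECTED_DESIGN = [
    Component("psu-a", "db-psu", frozenset({"circuit-7"})),
    Component("psu-b", "db-psu", frozenset({"circuit-12"})),
    Component("isp-alpha", "wan", frozenset({"vendor-alpha", "conduit-east"})),
    Component("isp-beta", "wan", frozenset({"vendor-beta", "conduit-west"})),
    Component("fw-1", "fw", frozenset({"circuit-7", "rack-1"})),
    Component("fw-2", "fw", frozenset({"circuit-12", "rack-2"})),
]


if __name__ == "__main__":
    for label, design in (("sample", SAMPLE_DESIGN), ("corrected", CORRECTED_DESIGN)):
        print(f"{label} design:")
        for group, shared in shared_dependencies(design).items():
            verdict = "redundant but NOT diverse" if shared else "redundant and diverse"
            print(f"  {group}: {verdict}" + (f" (shared: {sorted(shared)})" if shared else ""))
```

Run as a script it prints one verdict per group; `groups_lost_if("circuit-7", SAMPLE_DESIGN)` answers the operational question directly (which redundant groups disappear when circuit 7 trips) and is the kind of check worth re-running whenever the inventory changes.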

Resiliency

  • The physical property of a material that can return to its original shape or position after deformation that does not exceed its elastic limit.
  • An occurrence of rebounding or springing back.

Resiliency deals with the margins, the exceptions, the extremes in a system. How well can the system handle not just peak loads but also a lack thereof and return to a normal state?

It also speaks to the ability to get the system back up and running after an event, such as a fire. Resiliency can also be described as scalability, the ability to shrink and grow as needed, and as elasticity, the ability to bend and flex but not break.

The concept of anti-fragile I think mostly touches on resilience, though to an extent it encompasses all of the concepts here.

We want systems that are properly sized and can handle peak loads without falling over. We want them to load balance or calculate the relative cost between possible paths. It should be possible to isolate and route around broken components. A modular and distributed design provides resiliency, plus provides additional benefits when it comes to upgrades and maintenance and the like.

Depth

  • Strength held in reserve, especially a supply of skilled or capable replacements.
  • A team with depth at every position.
  • The degree of richness.
  • Complete detail.
  • Thoroughness.

Defense in Depth (DiD) has been a common mantra in the industry since the 1990s, maybe earlier. What does depth provide us? If we stack all of our assets at the perimeter, how does that help us when something gets inside anyway? Think about the internal malicious actor. Layering security throughout the infrastructure, thereby not placing all of one’s eggs in one basket, provides depth as well as diversity.

Depth can also address third party connections as well as upstream issues from suppliers, partners, vendors, and so on.

Information Sharing and Analysis Center (ISAC) data and broad threat intelligence add to depth. CERTs, the Internet Storm Center (ISC), and other third-party threat intelligence sources also enrich depth.

From a personnel perspective, making sure that the one professional with all the institutional knowledge documents it so that she can take an uninterrupted vacation is also part of depth.

Simplicity

  • The quality or state of being not complex, or of consisting of few parts.
  • A freedom from complexity or intricacy.

Simplicity means modularizing systems: for example, deploying one log management solution that the Security Incident & Event Monitoring (SIEM), operations monitoring, and other systems all tie into. In networks, it means separating the access, distribution, and core layers.

Gap analysis helps with simplification. Compartmentalizing systems without compartmentalizing data is valuable: it allows maintenance and potential component replacement without losing fidelity in the data sources.

Above all, avoid introducing artificial complexity.

What does all of this mean from a security perspective?

There are several basic questions that need answers before you can proceed with RDRDS/the Five Points:

  1. Should security systems fail open or closed? By this we mean in the electrical engineering sense – failing open means that the circuit is broken and traffic stops flowing. Failing closed means that the circuit isn’t broken and traffic continues to flow.
  2. What are the security thresholds?
    1. How long can the IDS/IDP be down?
    2. How long can notifications from the SIEM be down or delayed?
    3. What is the cost per minute of downtime?
    4. What is the sensitivity of the data?
  3. What is the comfort level with F/OSS (Free/Open Source Software) as secondary systems?
  4. What are you trying to protect?

There are other questions, and we will flesh those out as the concept is developed. Your comments and questions are welcome here, at hashtag askpvcsec, or email [email protected].

By the way, these Five Points can apply to any system – servers or databases or IT or applications or personnel or finance or anything.


Due to an error on my part, I lost track of what dictionaries I pulled the various definitions from. I will endeavor to cite them appropriately.
