Tuesday, April 4, 2017

Doing it wrong, or “us and them”

I was arguing with the wiring in a little RV over the weekend and it was the typical RV  mix of automotive wiring, household wiring, and What The Expletive wiring. I fell back to my auto mechanic days and set about chasing the demons through the wires. Basic diagnostics: separate, isolate, test, reconnect, retest, repeat, until a path becomes clear. In this quest I used an old trick of mine (although I assume many other have used it) in using crimp connectors the “wrong” way. This made me think of being called out for it many years ago, “you’re doing it wrong you idiot!” or something like that. I tried  to explain that I was just using the common butt connectors in a different way for a different situation, but he wouldn’t hear of it. “That’s not how you use them” was the answer.

This was long before my computer and hacker days, but the mindset is there in many car guys. “You’re not supposed to do that” is a warning to most, but an invitation to many of us.

I hate to say we can’t teach that, but with a lot of folks you either have that curiosity or you don’t. I do think a lot more folks have that kind of innate curiosity and desire to test boundaries, but sadly our modern education systems can’t handle those characteristics in kids- “do it our way or you are wrong” is great for standardized testing, but terrible for education. And in our little world of cyberthings we really need curious people, people who ask questions like

Why?

Why not?

What if?

Hold my beer…

OK, the last wasn’t a question, but a statement of willingness to try.

I don’t have the answer, but I have seen a lot of little things which help- hackerspaces, makerspaces, good STEM/STEAM programs, and youth programs at hacker/security cons are great steps, but I fear that these only serve to minimize the damage done by the state of education in the US lately.

So yeah, I guess I’m just complaining. Again.

Oh, and about using the connectors wrong, normally you put one stripped end of a wire in each end of the connector and create an inline splice. For problem situations I connect wires as shown in the image. This provides a good connection, arguably better than the inline method since the wires are directly touching, but more importantly the open ends of the connectors are shielded to prevent accidental contact, but open to provide handy test points as you chase the demons through the wires. Which reminds me of another story, but that’s one for the barstool…

Wrong

Jack

Friday, March 24, 2017

I thought everyone knew this by now

But apparently not. I just saw some “Security Awareness Training” that gave the bad old advice of “look for the padlock” in your web browser. Here’s my answer to that:

image

In a world where most of us face a constant threat from phishing we need to better educate folks, and we need to make it easier to be secure. And since the latter isn’t that easy, we need to teach better. Also, “don’t click stuff” really defeats the point of the web, so while I understand the sentiment, it is not practical advice.

The padlock can mean a variety of things, but what it really signifies is that your web traffic is encrypted. It does not mean that all of the traffic on the page is encrypted, or that it is encrypted well. It also doesn’t assure you that the traffic isn’t being decrypted, inspected, and re-encrypted. Or maybe it isn’t encrypted at all and someone just used a padlock as a favicon on the website (this varies somewhat by web browser). The padlock doesn’t prove the identity of the site owner unless it is an EV(extended validation) certificate, and even then the validation is imperfect. When we just say “look for the padlock” we are giving people bad information and a false sense of security. It makes us less secure, so we need to kill this message. Even though it isn’t entirely true if we are going to oversimplify this I think we’re better off telling folks that the padlock doesn’t mean a damn thing anymore, if it ever did.

While we’re on the subject of browsers, you know the average computer user is just trying to do something, so the warnings they see are mentally translated to “just keep clicking until we let you go where you want”. I did find a few things which made me think of typical browser warnings:

BrowserWarning

This means it’s OK to trespass up to this point, but no further? Is that like this website is unsafe? No, because if you look around this sign you can see the end of the pier is missing, if you click past the browser warning you will not fall into the ocean.

And this, you know what it means, but what does it say?

image

That’s right, it says don’t P on the grass. Just because you know what something means does not mean you can assume others do, we need to do a better job of explaining things. Reminding folks of the invention of indoor plumbing when what you want is to keep cars off the grass, sounds like a browser warning to me.

Jack

Thursday, March 23, 2017

Where’s Jack?

As I mentioned in a post earlier this year I am traveling extensively this year, connecting and reconnecting with a lot of people. And thanks to a lot of wonderful people inside and out of the hacker and security communities I am doing very well after a rough few months. So, it’s time to share my plans and encourage folks to come and chat with me if our paths cross. I know I have a reputation of being a cranky old bastard, one which is well deserved, but I’m really not a miserable person- truly, seek me out and tell me stories, ask questions, whatever. If I can help you I will, or maybe I’ll point you to someone who can help if I can’t. I meant what I said in my recent post about the loss of Becky Bace and others, they set an example for those of us who knew them and I’m not about to let InfoMom down.

So, here’s my schedule as it looks from here:

Tomorrow, Friday March 24 I’ll be speaking at BSidesOK in Tulsa. Yeah, short notice, but there it is.

I’ll be speaking at the North Florida ISSA meeting in Jacksonville on April 6.

I’ll also be speaking at BSides Boston on April 15th.

BSides Nashville on April 22, I’ll be there, not speaking, so I’ll have more time to chat.

May 2 in Denver I’ll be speaking at the EDUCAUSE annual conference.

Later that week I’ll be attending Thotcon (May 4-5) and probably BurbSecCon (May 6) in Chicago.

Then things calm down a little before spending most of June in Europe, but more on that later.

See you on the road

Jack

Sunday, March 19, 2017

On loss and responsibility

We have lost more great figures in our world of InfoSec, and we are diminished by their loss.

Spaf has written eloquently on the passing of Kevin Ziese, Howard Schmidt, and Becky Bace. I never met Kevin, and I only met Howard a couple of times, but I know of them and their impact on our industry and people in our field.

Becky had become a friend over the past several years, and her loss has hit me hard. Becky has a long and storied history in InfoSec and cybersecurity (and damn, could she tell great stories). Becky was instrumental in nurturing the fledgling fields of network analysis and IDS when she was at NSA, but more importantly than her technical work she was  a great friend and mentor to so many in our field that it is hard to overstate how many people she touched in her life and career. For a glimpse into what Becky was like, check out Avi’s very personal and touching remembrance of meeting Becky.

Once again, we take time to remember lost friends. While natural to mourn their passing we must remember that there are still many in our communities who need the kind of friends and mentors that Kevin, Howard, and Becky were to those of us who knew them. It is our responsibility to them and many others we’ve lost in our young field to remember them, but more importantly to fill those roles of friends and mentors to those who never knew them.

 

Jack

Wednesday, February 1, 2017

What upsets Troy Hunt about conferences

Getting back to my normal territory here-

In case you missed it, in late December Troy Hunt posted 10 Ways for a conference to Upset their speakers on his blog. I mostly agree with Troy’s list and it adds to my series of rants about conferences from last fall. It’s worth a read if you are interested in conferences and speaking and you haven’t  already read it.

 

Jack

A few words about ovarian cancer

Cancer sucks. The number of people who are touched by cancer is terrifying, it is rare to find someone who hasn’t had friends or family attacked by cancer if they’ve avoided it themselves. Sometimes, as with my bladder cancer, it’s not that bad- for me I get a rather uncomfortable exam regularly, and sometimes get a small tumor or two removed, no big deal. That makes me lucky, few who face cancer get to shrug it off as a mere annoyance.

Since I’ve recently learned a lot more about ovarian cancer than I ever expected to know, I’d like to share a few things with everyone. Remember, I’m not a medical professional, these are my observations and ideas formed over the two and a half years of my late wife’s struggle with clear cell ovarian cancer.

First, routine tests and doctor visits are unlikely to detect it early.

Second, it’s insidious- many women develop ovarian cancer around the time of menopause, and many of the symptoms of the cancer are also expected conditions that accompany menopause.

There is a blood test which looks for a marker, CA 125, which may help detect ovarian cancer but the test is far from perfect. Many people have suggested it should be a regular test, others think it may lead to a false sense of security. Gilda Radner talked about the test in her autobiography before we lost her to ovarian cancer. Here’s my take- and keep in mind that I’m not a doctor of anything and this isn’t medical advice- I think that CA 125 screening and the symptoms of ovarian cancer are things women should be aware of. I think that routine CA 125 screening probably makes sense for women with a family history of cancer, maybe for a broader population- but only if the test is considered a weak indicator, and is done as part of comprehensive medical care (a low reading does not mean there’s no cancer). If you have a healthy relationship with your doctor it should be part of a conversation, as with most tests. I don’t think much about my prostate, but I do think about symptoms of prostate problems every time my doctor sends me off for a PSA test. Awareness of symptoms, thinking about them honestly, and having real conversations with your doctors is key to minimizing Bad Things.

Note: I was going to prefix this with a note saying this is another personal post with nothing to do with InfoSec, then I realized I’m talking about using weak indicators as component in a comprehensive detection plan, and that sounds pretty familiar.

I don’t want to watch any more people die of cancer, and neither do you. But we will, so let’s try to spread the word and minimize the suffering.

Finally, I am not a doctor, psychologist, or anyone else who can provide real help- but if you or a loved one are facing ovarian cancer and want someone to talk to, yell at, or commiserate with- reach out to me. There’s email info in the upper right corner of the page.

Jack

Monday, January 30, 2017

“Thank you” is not enough

A few weeks ago I made a very personal, and very public announcement- that I had lost my wife to cancer a few days before Christmas. I debated how to share the news, especially since we had largely kept it quiet- she was as private a person as I am public. I decided to share the news on Twitter and Facebook, and the response was overwhelming. Literally overwhelming. The outpouring of love and support I received was humbling and deeply moving. It made me want to be a better person (although a dear friend cautioned me against making any rash decisions).
The words “thank you” are not enough, especially tossed out here on my neglected blog, but it is a start. Thank you- to friends old and new, acquaintances, and complete strangers. I am truly humbled by your support.
For those who had not heard the news or our story, my wife and I met when she was 14 and I was 15, we started dating a few months later and never stopped. Below is a photo of us from 1976 (and yes, it is one of the last known photos of me without a beard).FallFormal1976-1



2016 was a rough year for many of us and 2017 is presenting us with new challenges, but (forgive my optimism) together we can make things suck less, personally and professionally.
For me 2017 is about friends old, new, and as yet unmet. I still love technology, I love abusing technology and solving problems with technology, but this year is about people. I’ll be at most of the usual events, and a lot of smaller ones, all around the world. If our paths cross please find me, say hello, maybe share coffee or a cocktail and conversation.
I was recently at Shmoocon, it is an event I have always enjoyed and this year it was especially good to reconnect with the Shmoocon crowd as I started my return to being active and engaged on the road. I’ll be at BSides San Francisco and RSA in a couple of weeks, after that I’m regrouping before hitting the road again, but more on that later.

Thank you
Jack