This News Just in…

July 22nd, 2016

If you’re an infamous person that the government is out to get, don’t use iTunes. Or Facebook. The guy supposedly in charge of Kickass Torrents used both: his IP address for iTunes matched the IP address for editing his website’s Facebook page, and it was all over for him. He would seriously have benefited from adversary-resistant computing and adversary-resistant networking.

RSAC 2016 Reading List

March 4th, 2016

Hello one and all, and I hope you’re in a security frame of mind. Here’s a list of things to read up on, as recommended by presenters at RSA Conference 2016:

Free proxy server for home use from Blue Coat. I’m using it now. Although I needed to open up YouTube for personal use, I like knowing that it’s leveraging that vendor’s ability to block malicious content. Proxies aren’t just for kids anymore. Every layer of personal security helps.

The Security Awareness Company: Lots of free stuff here, including humorous parody videos. Worth a visit or three, and there may be something useful for your enterprise here.

Google Hacking for Penetration Testers: A very juicy PDF with information on how to Google things up like you never dreamed possible. If you like it, consider buying the book.

How to Fool a GPS: suggested in the session that dealt with hacking the XBEE traffic in a commercial drone.

Janell Burley Hofmann’s Contract: This is for the kids and their parents. Parents would do well to sign a slightly modified version of the contract.

SFS.Gov: Instead of having ROTC pay for college, how about getting the NSF to pay, with the students working in the US Government cyber-security services after graduation? An excellent way to start a career in security.

CERT Guide to Insider Threats: PDF of contents, index, and sample chapter. If you want a complete picture of security, you need to look at the threat within, and the authors of this book really know their stuff.

ICS CERT Summary of Ukraine Power Grid Hack: Nice summary that should get you thinking and, hopefully, researching this matter further. The means by which the hack was accomplished were not all that difficult to mitigate.

ASD Top 4 Mitigation Strategies: Your firm would do well to adopt these as standards.

I hope this helps you all to have some very paranoid fun.

Interview Guide, Part Four

February 3rd, 2014

Let’s talk about telling the truth in an interview. Too often, depressed people use the phrase, “BUT IT’S THE TRUTH!” when they say horrible things about themselves. I like to tell them to feel free to rot in the hell of their own creation. It’ll save me some time when I rise from the depths of Sunken R’Lyeh to ruin everybody’s day. People say that’s harsh, and I respond back with “Not as harsh as you’re being on yourself. Lighten up, bub.”

And that’s the truth: job hunting is a massive beat-down in so many ways. It exacts a spiritual, intellectual, and even physical toll on the job-seeker. Your job as a job-seeker, your number one job as a job-seeker, is to stay positive in spite of the storms that beset you. That is the hardest thing to do, but the most necessary thing to do. No matter what you’ve got on your resume, no matter how impressive your history may be, one lousy interview and you’ll never have the job you seek. If you go into an interview ready to tell the truth in the best way possible, you have a strong chance of coming across as the best fit for the job.

It’s a simple thing, really… often, it’s easier to train someone in technical areas than it is to teach someone how to be a more enjoyable person to be around. You will work with other people, and they want to know that you’ll be someone that fits in with the rest of the team. Not knowing how to be positive or upbeat will destroy your chances in the interview. So, you go in, you tell the truth, and you make it sound good.

Say you’ve been out of work for a year or two. That’s harsh. The wrong way to explain that gap is to say, “I was out of work for two years.” Sure, that’s the truth, but that’s a way of putting it that makes the speaker sound like nothing special.

“I couldn’t find a job for two years.” Oof. Even more depressing. I won’t give you a job, but I might give you a hug and tell you to cheer up.

“I’ve been out of work for two years. It’s been a tough local market, but now I’m able to start looking outside my area.” Better. What else can you add to it? Have you taken training classes? Have you volunteered for charity work? (A word on charity – even if it’s not in your field, if you have nothing else, do that. It tells your potential employer that you’re willing to do hard work and that you have a good heart. What could be wrong with that?) Did you do any internships? *Can* you look outside your area?

However you dress it up, don’t lie, but also don’t be depressing. My minions have observed people with hard felony time and unusual gaps in their job history go into interviews with a good attitude, tell the truth in a positive light, and – here’s the payoff – get the job. That’s right, they get the job. Ten years in prison, twenty years of parole served, no IT job worth mentioning in the last few years: with a good attitude, this guy can get an IT job.

When you think of reasons why you left previous positions, think more of what you were walking towards than running away from. Even if you hated a job, it still gave you experience, and it wasn’t totally without merit. Be positive. If you have hopes and aspirations, here’s where they come out as you discuss your leaving past jobs.

When you talk about one of your weaknesses, remember that you have strengths and that, compared to your strengths, you have skills that aren’t as strong. Those are your weaknesses. Personally, I’m a great motivator. Compared to my motivation and leadership skills, I’m not as good of an administrator. That’s a great way of introducing my weakness. I don’t leave it there, though: I mention what I’m doing to improve my weakness. If it’s something that’s not true right now, then I need to make it true right now so that I won’t be lying in the interview.

If you’re asked something technical and you don’t know the answer, just say that you don’t know. That will help your employer figure out what training you need when you get hired. Worst case, you may be interviewing for the wrong job – the one that will make you miserable – and revealing that you don’t actually have the expertise for the role will help you avoid being in a job you are not prepared to do properly. If you really want the job, be honest about what you don’t know and ask what needs to be done in order to close the gap between where you are now and what you need to have to be qualified for the job. Then, go and do those things.

Above all, learn about where you’re going to interview and get some genuine excitement for the possibilities. Read up on your potential employer and think of three great things that would go with working there. Is it close to home? Is it a growing company? Does it have an interesting focus? Does it provide a needed service? Do other people like working there? Find out what’s good about it, and use that in your answer when you’re asked why you want to work there. If you say something along the lines of how it’s just another job, then you’re just another applicant. If you can be excited to be there, they can be excited to have you be there.

Interview Guide, Part Three

January 31st, 2014

Body language is very simple, really. Lots of people think that it makes a huge difference and teevee shows are full of guys that study body language for “tells” into the mind of the person they’re studying. Set all that pop psychology stuff aside and focus on one big, happy truth:

If you are comfortable and not hiding anything, you look and feel relaxed and confident.

And, its corollary:

If you look like you’re relaxed and confident, employers will think better of you over someone that looked nervous, sad, agitated, angry, or comatose.

That’s key to getting a job. People want to hire people that they like. People like people that are relaxed and confident. So, get your body language in order.

Step one is to take a good shower, get a clean shave, fix your hair nicely, wear appropriate makeup, ditch the facial piercings (see part two for the rest of looking the part), and wear clothes that both look good and feel good on you. You don’t want them causing you to have a pained expression, do you? Comfy clothes that look good let you relax and feel confident.

Step two is to smile. Smiling is the most important form of body language. It’s reassuring, comforting, cheery, and pleasant. Do you think employers want to hire the depressing, abrasive, gloomy, or unpleasant? They don’t, so smile and you won’t be part of that group.

Step three is to plan to tell the truth in the best way possible. You may have to drop your smile when you explain a serious bit, like, “I had to be out of work for a year while I took care of my aging mother,” but if you can smile at the end of it, there’s a happy ending and the truth wasn’t so bad. If you plan to tell the truth, you’ll have nothing to fear. If you have nothing to fear, you can relax and feel confident. That’ll put a smile on your face, won’t it?

Do keep your posture open, but don’t go into a panic if you discover that you’ve accidentally crossed your arms. Just uncross them and keep smiling. Do sit up straight, but don’t give up hope should you find that you’ve developed a bit of a slouch. Sit up, roll your shoulders back, and smile. If you commit any other pop psychology faux pas, just fix it and smile so that you stay relaxed and confident.

As you can see, body language is easy. It’s not a matter of following a list of what to do and what not to do. It’s a matter of putting your own mind at ease and where the mind goes, the body will follow.

Interview Guide, Part Two

January 30th, 2014

What do you wear to an interview? It’s hard to overdress. It’s not hard to wear the wrong thing. The key to dressing correctly for an interview is to not argue with anyone giving you advice on what to wear to an interview that is writing this article. Got that? No arguments. Not a peep. Just do what I say.

For men and women, wear a suit. It’s that simple. If you don’t have a suit, get one. Make sure it fits. You should not put it on and say, “Well, that’s good enough.” You should put it on and say, “Wow, that really fits well and doesn’t look too tight or too loose.” It should cover everything from the neck to the ankles and the arms down to the wrists. Women can open the top button or two, but men still need to put a tie on. The exception to the tie rule for men would be if you have a build of a true athlete, are well-tanned, and have enough spiky hair gel to make yourself look like you’re about to get the highest bid at the bachelor auction later that night… and you’re interviewing for a sales, marketing, or other con-man type position.

The suit itself should be black or dark gray or navy blue. No stripes, no checked patterns, nothing. You should look like a Pilgrim with a tie if you’re a man. Women can choose between slacks and a skirt, but that skirt really should go past the knees when you sit down. As far as accessories go, conservative is the watchword. The earrings, necklace, and brooch you wear should be simple, unassuming, and certainly not overpowering. You want the people interviewing you to look at your face, not your bling.

Speaking of your face, you need to let it shine. Hair should be pulled back or cut close. Facial hair should be trimmed close or absent. Tilt your head up when you talk so that the light shines on you and you look great. Women, you’re going to have to do a good, conservative job with your makeup. Too much makeup is as bad as not enough. Dial it in just right and go with that. What is just right? Look at any woman in an executive position and copy her. That’ll do.

The tie for men is simple: dark red or dark blue. Simple pattern is OK, simple quiet stripes are OK. Anything loud or complicated is out. Remember, you want them to look at your face.

Shoes should be nice, clean, and not sneakers. Get a good pair that’s comfortable, shine ’em up, and go to that interview.

Should your interviewer tell you to come as you are, you have the green light to not have to wear the tie if you’re a man. Everything else should be as above, though. If you’ve already done a great phone interview and have already accepted the offer letter, *then* you can show up in flip flops and a Hawaiian shirt. Otherwise, “as you are” is actually quite nice, as it turns out.

Above all, wear a smile. Humans love to see smiles, even forced ones. Smile through your interview as much as possible. You’ll appear relaxed, confident, comfortable, and energetic – all components of the BIG WET (See part one for that acronym).

Interview Guide, Part One

January 28th, 2014

All the skills in the universe don’t mean a thing if you can’t put them to use in a job. Jobs aren’t handed out like candy at a kid’s party: you have to go and get them. To get a job, you have to interview for a job. I’m going to write up a series on interviewing to help all you miserable mortals be a little less miserable, so that when I come to destroy the world, you’ll have something to lose and you won’t be looking forward to the end of your misery. Those kinds of things are important to me. So, here we go with interview advisements.

The most important thing about advice is that it be easy to remember. So here you go: BIG WET. You are not likely to forget that. BIG stands for being big. If you feel larger, you project strength. It’s the way animals raise up when threatened: getting bigger means they’re less likely to get whacked. If you sit openly and assertively – in a big way – you can send a message that you’re in charge of your side of things and that you can add something to any enterprise. Before you go in, look in a mirror with your hands over your head, standing tall, stretching out, being BIG, in a word.

While you’re doing the big thing, go with the W, which is for win. If you visualize yourself winning, you enter the interview with confidence. Confidence tells the interviewers that you’re the kind of person that they want to be working with. As you do your big moves, tell yourself that you’re a winner and that you might very well be the best. Not one of the best – the best. Imagine that and go in smiling.

Smiling is part of the E, energy. You can never have too much appropriate energy in an interview. You might think it’s ridiculous, but the interviewer will think you’re the only person that’s really excited about the opportunity. You won’t be applying because you’re desperate for any job or because you decided to show up for another interview that might actually deliver. No, you will be happy to be there and eager for what lies ahead. Win.

The T is for truth. You need to tell the truth about yourself in the best way possible. If you leave gaps in your responses, the interviewer will wonder if you’re trying to deceive him. Be forthright, but be tactful. Find the best way of saying things and that will build off your winning energy.

I can elaborate more on each of these areas, but for now, just remember: BIG WET.

Twitter Twits

November 12th, 2013

Fun stuff in a Pew Research report about Twitter users: only 16% of America’s adults use Twitter. Of them, only half use it for news. That means – I’ll do the math for you, you’re welcome – only 8% of USA adults use Twitter for anything more than ranting and following Miley Bieber or Khloe Cyrus or whoever. The data get more interesting: roughly half of Twitter’s users are 18-29 years old, and they are disproportionately college-educated, relative to the rest of the US population. Put that together with recent unemployment trends and the pattern emerges: Twitter is the home for unemployed college students with nothing better to do. Great demographics, there.

Twitter news users tend to be caught up in a constantly-shifting emotional flux. They forward along stories, talk about them for a few hours, and then lose all interest and focus in the face of a new story to be passionate about. I don’t see much monetization potential here, space cadets.

This makes me wonder about those that purchased Twitter stock… while I won’t offer any advice on equities, I will wonder about the sanity of those that bought into the hype. Perhaps I shall find some cultist fodder amongst their weak and suggestible minds.

You’re So Vain

October 30th, 2013

So you think the NSA has time to bug the likes of you? Please. You’re not that important, unless you’re doing things to make yourself stand out, like trying to use encryption and anonymizers for all your Internet traffic. Just think about it…

There are hundreds of millions of Internet users in the USA alone. If you’re in the USA, you’re one of them. That means your traffic is aggregated with all other traffic and dumped somewhere. There is no one person that will single out your traffic to hold up and mock: if you aren’t doing anything exceptional, you’re just part of the vast flow of sludge that passes through the Internet pipes. Even if what you’re doing isn’t particularly sludgeworthy, your traffic is in the mix, so you might as well know what’s flowing alongside your ones and zeroes.

We can start with the 166 million Facebook pages for USA users. Imagine wading through 166 million Facebook pages every day. The number of game spam updates alone would drive a mortal into madness. Then there are the people that post things Facebook has to take down, due to the content being explicitly sexual, overly violent, or slightly critical of the Turkish government’s treatment of its Kurdish population. All that goes to the NSA before it gets taken down by a Facebook drone in Morocco or Vietnam. Those guys usually lose their minds after only a few weeks of doing content review grunt work: there’s no way the NSA wants to expose its staff to that kind of attrition. Let a computer filter it and then file away the report where nobody sees it.

It’s not like the NSA is actually doing anything with that data. How many times do Americans get to see the making of a terrorist/murderer on his Facebook page after the fact? You’d think the proactive chaps at the NSA would swoop in on something as obvious as some of the stuff that these guys put out. The reason why they don’t is that they’re not looking at individual numbers. They’re looking at patterns formed by masses of users.

If you’re doing something unusual like using Arabic in Greenland, that’s going to get on the NSA’s list of things to monitor today. If you’re merely indulging in your favorite sins on the Internet, nobody in a spook lab is giving a flying flip about you. The Facebook traffic is just the start: think of how many times “Friday” or “Oppa Gangnam Style” wound up on an NSA traffic haul. Yeah. Just carry on, citizens, because there’s so much stuff going on that there’s no way you’ll get noticed unless you’re as unique as someone who gets noticed.

Go Cheap, Then Go Home

October 21st, 2013

There’s the old saw about being penny wise and pound foolish. If you’re a company officer, and you’re looking to skimp on network security and redundancy to save a few bucks up front, just ask yourself this one little question:

How much money will you lose when your network goes completely down due to a security incident or a major hardware failure of a key device? Those events are not possibilities, they are guaranteed to happen at some time in the future. Does the future cost justify the short-term savings?

Does your IT staff agree with your assessment?

If you pay up front and have a secure network with high availability, your network guys aren’t printing off this article in secret and sliding it under your door. They’re satisfied that you’ve followed due diligence and that they won’t have to try and find another job before the big meltdown hits so that they won’t be blamed for your stinginess.

If this article *does* wind up passed to you surreptitiously, then rather than going after the guy that dropped the note on you, how about you revisit those budget figures for network security and high availability and get a better set of solutions in line so that when disaster happens, your network guys are positioned to deal with it appropriately?

At the end of the day, it’s your call, but don’t be surprised if the good talent bails out on a bad network.

IT Personnel Areas

October 17th, 2013

Most companies get this right, but there are a few outliers that haven’t gotten with the program. I’m talking about the right way to house your IT personnel at the workplace. Some people get it wrong and put their IT staff into a converted storage area.

Ideally, IT staff should go into an actual, unconverted, storage area. Just run an extension cord with a power outlet strip attached to the area and make sure they wear hard hats, if appropriate. If, however, you have insufficient warehouse space to allow your IT staff to office there, then you’ll have to get creative.

Inspect your building blueprints. You’ll notice that nearly everything will have a label. If you’re lucky, there will be a room without a label on it that’s next to the elevators and/or stairwell. It has a door and, when you see it in person, it’s half-full of building supplies and/or disused computer equipment. That’s the perfect spot for your IT guys!

If you don’t have that, don’t give up. You can still find them a suitable location. See if there’s an internal office – no windows at all on this one – that has very poor ventilation. You’re looking for a place that will either freeze or roast your staff, regardless of season, preferably with some airflow pattern that concentrates environmental evaporates – like 4-PC and Styrene from the latex backing in carpets – in that area. If you have more than one such room, pick the one that is furthest away from the data center and then be sure to use the one(s) that are closer to the data center for furniture storage.

If, for legal reasons, you have to provide a safe and tolerable work environment for your IT staff, there are still ways to optimize their work environment, even if you can’t encase them in a storeroom sarcophagus. If you have a satellite campus, removed from the main data centers, put them there. If there are other departments there, be sure to have your IT staff in their own section, as far removed from the amenities of the building as possible. If you do not have a satellite campus and you can’t stick them in a storeroom, it’s time to talk to a commercial real estate guy and get yourself a remote facility for your IT crew. If you can get your IT guys into a metal building in an industrial zone, that’s almost as good as a warehouse. Failing that, the far end of a light industrial park is another good spot.

Around the world, these are the kinds of environments IT people are used to. These are the environments they expect. If you actually give them windowed offices with close proximity to the data center, they will become disoriented and confused by their surroundings, and those stresses can lead to your IT staff losing their ability to lash out against passers-by. Should your IT staff acquire “people skills,” they’ll never get their work done as a result of having cheery interactions with other people. For them to be focused on their demanding tasks, they need to be kept in hellish, semi-barbaric environments, so that their only solace comes from fixing technological issues and vendor lunches.