Remove CNNIC from OSX

After reading a few stories like this “Apple Leaves CNNIC Root in iOS, OSX Certificate Trust Lists” that didnt include instructions on how to remove them yourself I wrote a quick and ugly bash script that automatically removes the CNNIC and the China Internet Network Information Center EV Certificates Root certificates from OSX. 

You can download it here.

Use it at your own risk. I am a terrible script writer and this may install Windows 98. 

(Inserting code snippets on to my blog is ridiculously complex. I have to fix that.) 

5 Ways To Kill Your Dreams

I heard an amazing TED Talk on the way to work today and information was too good to not share. 

Here are 5 guaranteed ways to kill your dreams: 

Believe in overnight success.
No one becomes successful over night.  We have been trained as a society to devalue work ethic and think that all success is instant. 

Believe someone else has the answers for you.
Your family, your friends and your business partners all have opinions on what you should do but their opinions are always tainted with their own self interest. 

Believe that when growth is guaranteed, you should settle down.
Great dreams don’t have endings they just have chapter breaks. 

Believe the fault is someone else’s.
If you have dreams it is your responsibility to make them happen.

Believe that only the goals themselves matter.
Life is never about the goals themselves. Life is about the journey. The only way to really achieve all of your dreams is to fully enjoy every step of your journey. 

What is your time worth?

What is your time worth? 

That is the question that started my lunch with a mentor last week. I thought for a second and did some quick math and then pulled $300 an hour number out of the air.  He laughed and gave me these two quotes:

The price of anything is the amount of life you exchange for it.
– Henry David Thoreau

“My favorite things in life don’t cost any money. It’s really clear that the most precious resource we all have is time.”
– Steve Jobs

He went on to explain “If You Can’t Measure It, You Can’t Improve It“ (a running topic in our conversations).  So I sat down this weekend to figure out what my time is worth.

With the help of this life expectancy calculator I found out that I have 47 years of life left.   Using a date duration calculator that is 17,176 days (or 412,244 hours).  That makes every hour 0.0002% of my life. 

So here are some basic break downs:

Work:
A 40 hour work week is .008% of my life.
A work year is .416% of my life. 
A 5 day business trip is .024% of my life.
20 more years of work is 8.320% of my life. 

Sleep:
9 hours of sleep is 0.001% of my life.
A year of sleep is 0.655% of my life.
Sleep will take up 30.790% of the rest of my life. 

Miscellaneous: 
Watching a season of a TV show would be 0.005% of my life. 
Watching 10 football games a year would 0.006% of my life. 
Hitting the gym 5 hours a week would be 0.047% of my life.
Taking my son to swim lessons would be 0.020% of my life. 

The numbers are interesting but the more important lesson for me is to realize and treat my time like a valuable non-renewable commodity.  I need to give it freely to my family and friends while using it wisely for professional purposes and guarding it from time sinks.

What is your time worth?

The Rules Of Saying No

Information Security is an occupation filled with professional cynics, curmudgeons and defeatist who are often proud of that role and at the same time do not understand while they are not included in decision making in their companies. 

I think some security professionals think that Mordac is a role model:

A mentor of mine who is a CISO for a large organization has this quote hanging in his office: 

Successful people find a solution for every problem and unsuccessful people find a problem in every solution. 

We ended up having a fairly long discussion around this quote and he walked me through his basic rules of saying no.

Never Say “No” when you mean “I don’t know”.
If you are in a place to help make a decision an acceptable answer is always “I don’t know, I need to think about it”.   If it isn’t you aren’t being asked you are being told what is going to happen.

No isn’t a solution. 
You are being paid to provide solutions to help your company become more secure. Saying no makes other employees find reasons to work around you. No one wants to be insecure they just want to be productive. 

Saying “No” make you a target.
Saying no means you are not helping. You are leaving someone else without a solution for their problem and giving them someone to blame.

Say No.

Sometimes there isn’t a good solution to a problem an you just have to tell people no.  You are now not acting as a problem solver but as a sanity check. If you get too many of these types of questions it probably time to brush up your resume. 

Using the time-lapse feature in iOS8 to capture some quick snow shoveling. 

Safer Internet Day

Today is “Safer Internet Day” and I couldn’t let such an amazing made up holiday go by without giving you some of my favorite personal security
tips. 

Enable Two Factor Authentication.
GoogleFacebookTwitter and hopefully your bank all offer two
factor authentication.  Enabling it adds an extra layer of security to
help protect your accounts. 

Be Smarter About Your Passwords.
A personal password manager (I like LastPass) is a must.  They help ensure you have
amazingly complex and basically uncrackable passwords and helps you to not
commit the security sin of password reuse.

If you dont use a password manager you should follow the 3 basic rules of good passwords: 

15 characters or more. 
Mixture of uppercase, lowercase and special characters. 
Unique for each site you visit. 

Change Your Passwords Often.
No matter how complex your password is it is necessary to change it
regularly. I suggest changing all your passwords at least two
times a year.

Do You Have A Plan?

“If it isn’t documented it cant be a procedure” is what I told a coworker in the meeting before I went to have lunch with a mentor I have had since I was in high school.  

Today he shared with me his completed “Mission, Roles and Goals” worksheet.  I was impressed with his and I was a little embarrassed that I hadn’t spent the necessary time to write down my personal mission statement or goals. 

I will be spending the time to do so tonight but I wanted to share with you the outline he used in hope that you might spend the time to do so also: 

MRG Worksheet Blank.pptx
MRG Worksheet Blank.pdf

Fighting Experience Blindness

How long have you done your job?  
How much does that experience mean to your career?

I saw this old Dilbert comic this week and it reminded me that I have been doing network security for about 20 years and cut my teeth securing NT 4 and NetWare servers. 

I know that if I don’t make a concerted effort to stop experience blindness I quickly become the old guy in the comic.  

To do this I try to do the following things:

I read. 
I read /netsec, twitter, Russian hacker blogs, linkedin, mailing lists, white papers, bathroom stalls and anything else I can find about information security. 

I go to conferences and skip the keynotes. 
90% of the conferences I attend have keynotes given by people who make (part) of their living giving keynotes at conferences.  I have heard what they have said, bought their books and dont need to see the same talk they gave last year with new pictures.  I want to be in the room of the kid who has never spoke at a conference before and is likely to throw up and then give the best talk at the conference

I make friends with new people in security.
If you are new in the security industry I want to be hear your thoughts before someone who has been doing it as long as I have tells you that you are wrong and you need to be quite. 

I retool ever year. 
If it was up to me I would never sign a contract for a tool over a year in length.  I like to know that the tools I am using are the right tools.  I know people who spend a ridiculous amount of money on the wrong tools because it is easier to keep the tool they have then to go through the pain of retooling. 

What do you do to fight experience blindness?

Protect Yourself Online In 2015

If you didn’t have an account hacked in 2014 (you probably did) you will in 2015. 

Here are my best tips to help protect yourself online in 2015:

Enable Two Factor Authentication
One of the smartest things you can do to protect yourself online is to enable 2FA on all your accounts that offer it.  I wrote about how to enable it here.   

Be Smarter About Your Passwords
A Password manager (I like LastPass) is a must in 2015.  They help ensure you have amazingly complex and basically uncrackable passwords and helps you to not commit the security sin of password reuse.

Have Good Backups
Do you have good backups?  If someone stole your laptop how much stuff would you lose?

For about $200 you can buy all the tools you need to have great backups.

Buy a 1TB+ USB Drive for local backup (I like this WD Drive).
Signup for a Cloud backup service (I like Dropbox Pro).

Then you have to actually make sure you are backing up to the drive and syncing to the cloud for this to be a good strategy.  I have seen a lot of people buy a backup drive and then never back up to it.

Encrypt Your Important Files
You know those important files you have that you dont want anyone else to see? No, not those pictures… the PDFs of your tax returns… how are you protecting them?

You need to encrypt them (and those pictures) so that if someone does steal your computer they don’t have access.  There are a lot of tools both free (I like Ciphershed) and paid you can pick from and use. 

If you follow these 4 tips your information and accounts will be a lot safer in 2015.

Site Footer