Great Fall Cartoons

I spent $15 on Amazon and picked up two of my favorite Charlie Brown cartoons to start indoctrinating teaching my son what some of the best cartoons ever are.

Having a 2 year old is a great way to get to watch your favorite cartoons from when you were growing up.

The Relativity of Wrong…

The Relativity of Wrong… in the security industry.

Randy Raw, my professional mentor (not that I pay him, but I look to him for guidance in my profession… although he probably deserves to be paid for putting up with me) sent me a link to an article by Isaac Asimov on the relativity of wrong.

Reading it got me thinking about how security people see the security industry and Asimov hits it out of the park with this quote:

The basic trouble, you see, is that people think that “right” and “wrong” are absolute; that everything that isn’t perfectly and completely right is totally and equally wrong.

We do this all the time. If someone doesn't have perfect security, they have no security. Next time a major company is breached, watch the articles and tweets flow about how lax their security is. No matter how they were attacked, someone will put out the boilerplate article about how their security sucked.

Asimov closes with a line that I think is awesome:

What actually happens is that once scientists get hold of a good concept they gradually refine and extend it with greater and greater subtlety as their instruments of measurement improve. Theories are not so much wrong as incomplete.

I love a paraphrase of this quote and need to get it on a shirt…

Security is not so much wrong as it is incomplete.

In security we are always gradually refining all of our security theories and policies. If you look back at your company's security policies from 2 years ago, they weren't wrong, they were just incomplete.

Status Quo becomes Status: NO

What do you do when the Status quo becomes the Status:NO?

Recently I have noticed a disturbing trend in my professional and personal life. It has become way easier for me to say “Sorry, I can’t help with that. I do (this) at (that time) already,” or “No, it works OK now, let’s not change it,” or worst of all, “If we do that these people might complain.”

My Three Keys to “Status: No”-ing are: 

  • Highlighting the pain a few vocal critics might inflict instead of the benefits for the many.
  • Exaggerating how good things are now in order to make change look unnecessary.
  • Acting like my schedule is completely booked and taking on any additional responsibilities would be impossible.

I have become comfortable in my routine so I lie to myself about areas that need improvement and growth.  I have become a creature of habit. I have lived, worked and worshiped at the same place for the last 8 years of my life.

Basically it boils down to:  

I am not the new kid anymore.

I am part of the establishment now and when you become part of the establishment you do what the establishment does, you fight change. I defend the way things are because they are ingrained in my routine.  I am like the lady who cut off the end of the ham because that’s the way her mom did it.

So I guess my challenge is going to be: Figure out how to see what the new kid would see without actually being the new kid.

The older I get the more I value the investment of time. It's often a deciding factor of success or failure.

Why your password sucks…

Here is my slide deck from last night's Ignite COMO event.

Ignite talks are five minute lightning talks with auto advancing slides every 15 seconds. It is honestly one of the hardest talks I have ever given.

This picture of me dunking at a pool party is too embarrassing to not share.

This XKCD comic hits it out of the park on password complexity vs. a passphrase.

TNID.US

For a long time it was nearly impossible to tell who owned a cell phone because it didn’t provide a name on the caller ID.

Recently tnid.us has come to the attention of the security community and is giving out that information for free. I am not exactly sure how they do it, but out of 10 numbers I checked, 9 gave me the real name of the owner and one gave me “wireless customer”.

Good news is that there is a way to get off their list. They have a delete option that I would recommend you use if you value what little privacy your cell phone number carries.

Wait… is that QR code malicious?

QR codes are pretty awesome right?  They are the new cool thing to stick on websites, menus, billboards, real estate signs, shirts, etc.

I mean you hold your phone up to them and they can give you a secret message, they can send txt messages from your phone, or give you a URL to visit.  Pretty stinking cool right?

Scan these on your phone and see what they do.

The only thing is that there is no way to tell a malicious QR code from a good QR code just by looking at it. So if your QR code app doesn't tell you explicitly what it is going to do before it does it, you should obviously look for a new app.

Hat Tip: SANS
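Here is what "tell you explicitly what it is going to do" can look like inside a scanner app, as an added example (not code from this post or from SANS). The function name `describe_qr_action`, the payload formats it handles (`SMSTO:`, `sms:`, `tel:`, `http(s)://`) and the sample payloads are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

def _result(kind, prompt, warnings=()):
    # Only plain text is shown without asking; every other kind triggers an action.
    return {"kind": kind, "prompt": prompt, "warnings": list(warnings),
            "needs_confirmation": kind != "text"}

def describe_qr_action(payload):
    """Say what a decoded QR payload would make the phone do, before doing it."""
    text = payload.strip()
    lower = text.lower()
    if lower.startswith("smsto:"):                 # SMSTO:<number>:<body>
        number, _, body = text[6:].partition(":")
        return _result("sms", f"Send text to {number}: {body!r}")
    if lower.startswith("sms:"):                   # sms:<number>?body=<body>
        number, _, query = text[4:].partition("?")
        body = parse_qs(query).get("body", [""])[0]
        return _result("sms", f"Send text to {number}: {body!r}")
    if lower.startswith("tel:"):
        return _result("call", f"Call {text[4:]}")
    if lower.startswith(("http://", "https://")):
        try:
            parts = urlsplit(text)
        except ValueError:                         # e.g. unbalanced IPv6 brackets
            return _result("open_url", "Open a malformed web address",
                           ["URL could not be parsed"])
        host = parts.hostname or "(no host)"
        warnings = []
        if parts.scheme == "http":
            warnings.append("connection is not encrypted")
        if parts.username is not None:
            warnings.append("text before '@' is not the destination")
        if re.fullmatch(r"[0-9.]+", host):
            warnings.append("destination is a raw IP address")
        if "xn--" in host:
            warnings.append("host name uses punycode")
        return _result("open_url", f"Open web page on {host}", warnings)
    if re.match(r"[a-z][a-z0-9+.-]*:", lower):     # any other scheme: be conservative
        scheme = lower.split(":", 1)[0]
        return _result("other", f"Hand off to whatever app handles '{scheme}:'")
    return _result("text", f"Show text: {text!r}")

# Constructed sample payloads (documentation-range number, address and domain).
SAMPLES = ["SMSTO:+15555550100:JOIN", "http://example.com@203.0.113.7/login",
           "https://example.com/menu", "Table 12"]

if __name__ == "__main__":
    for sample in SAMPLES:
        info = describe_qr_action(sample)
        print(info["prompt"], info["warnings"], info["needs_confirmation"])
```

The app would show `prompt` and any `warnings` and wait for a tap whenever `needs_confirmation` is true.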
