Communicating With Respect
On communicating in a respectful, open, honest, and empathetic manner

Communication can be a real challenge; working across cultures, backgrounds, experiences, and perspectives can result in different interpretations — and this is under the best of circumstances. However, when it’s written communication, the challenge is multiplied due to the lack of feedback cues from facial expressions, body language, and the like. These challenges make it exceedingly easy to create a situation where what a person hears is entirely different from what the speaker (or writer) intended.
Read more…

On Software Subscriptions
A look at why subscriptions deliver more value to users, the tools I'm in love with today, and why this shift is happening

Like many in this field, I am always looking for ways to improve my workflow, improve my productivity, achieve more. Part of this is evaluating new tools that help me get work done, tools that become critical to my process. While looking at something that could be useful, I had a startling realization — but there are a couple of things I’d like to cover first.
Supporting What You Love
I always try to pay for things that make my life better and support businesses that give me real value. When I worked in an office, I would always eat lunch at locally-owned restaurants; I wanted them to succeed, I wanted them to stay in business, so they got my money. There are many things that I pay for that I don’t have to, but I want them to keep making my life better. I don’t need to pay for a Twitter client, but I do. I don’t need to pay for a note-taking tool, but I do. I don’t need to pay for a to-do list tool, but I do.
Read more…

Win by Building for Failure

Systems fail; it doesn’t matter what the system is. Something will fail sooner or later. When you design a system, are you focused on the happy path, or are you building with the possibility of failure in mind?
If you suffered a data breach tomorrow, what would the impact be? Does the system prevent loss by design, or does it just fall apart? Can you easily minimize loss and damage, or would an attacker have free rein once they get in? How would your customers or clients be impacted?
Read more…

Parasitic & Symbiotic Business Models

Does your business model thrive as your customer thrives, or does it drain the life from your customers? After a recent conversation on the impact of improved privacy tools (i.e., the eventual elimination of third-party tracking cookies), I realized that the most significant effect of these improvements would be on companies with a parasitic business model, a business model which I see no problem in disrupting.
For many years, the web has existed as an advertiser’s dream — minimal privacy limitations, technical controls that had little impact, and a strong lobbying arm that has been able to derail many efforts to improve the situation. Now, this is not to say that all advertising is evil, but that it’s ripe for abuse by those that get too greedy. In many cases, this has opened the door to parasitic business models that offer no real value, and in fact, only extract value from the end-user.
Read more…

Declaring War on Ransomware

It’s time for everyone from the industry, developers, and the government to declare war on ransomware and make it as hard as possible for its operators to ply their insidious trade. There have been false starts and baby steps, diligent fighters without enough resources, and vendors that have only given a nod to the issue. It’s time to use every tool reasonably available to stop this scourge.
For the many in the industry who have dedicated so much of their time and effort to this fight, this statement may seem to diminish their efforts, but that is not my intent. The story here is that for too long, this issue hasn’t been addressed seriously by too many, and it’s time for that to change.
Read more…

On Automatic Updates and Supply Chain Attacks

Once again, a supply chain attack is in the news; this time, it’s a ransomware attack against Kaseya which has impacted hundreds if not thousands of businesses. According to Kevin Beaumont, the attackers used a 0-day vulnerability in the Kaseya VSA appliance to deploy a fake update to all systems it managed; that update is actually the REvil ransomware. As VSA is used by Managed Service Providers (MSPs), this resulted in an attack not just on the MSPs but also on their customers.
Read more…

Crew Resource Management for Security Teams

Over the last year or so, I’ve become quite a fan of Air Disasters, a television show dedicated to analyzing plane crashes and similar incidents. As I watched the show, I started seeing many ways that the lessons and procedures around aircraft safety also apply to running a security team; this valuable and hard-won wisdom, often born out of tragedy, can be of significant impact if appropriately applied. In this article, I will explore Crew Resource Management and how it can be applied to Information Security to make teams run better. Hopefully, these insights help you achieve more and fulfill the critical missions we are entrusted with.
Read more…

Leading Experts

A friend of mine recently asked for my thoughts on leading people who have more experience or expertise in a topic than they do; this is an important question and one that I felt deserved more thought and exploration. Leading people can be difficult, but when leading people that know more than you do about a given topic, it’s a different challenge. This was particularly well-timed, as I’ve found myself in just that situation, as I’ve just hired a specialist in incident response. While I’m fairly confident in my knowledge there, it pales in comparison to hers.
Read more…

Developers, Developers, Developers

Note: This was written in 2012, but not published at the time. The point is still valid, perhaps more so than ever, and deserves to be made publicly. The content has been updated as appropriate, though the core of this article remains intact from the 2012 draft. I would like to note that this doesn’t apply to every environment; there are some where developers are very knowledgeable about security and write code with minimal issues – my current employer happens to be one of those rare & exciting places. I hope that some of these issues have improved over the last 8 years, though in many places, these issues are alive and well.
Read more…

Write Like You Are Running Out of Time

The cultural phenomenon that is Hamilton, brought back to the forefront by its streaming release, is an artistic feat, but it also serves as an opportunity to refresh our memories on the history behind these characters and to look for lessons that apply today. This is exactly what I’ve been doing.
For all of his flaws, one thing that I have to respect about Alexander Hamilton (as well as his wife, Eliza) is his understanding of the long-term impact of the written word. Many things fade as the years go on, though few things will last as long, or can be so easily preserved, as what you write.
Read more…