Thursday, April 30, 2015

Lessons from CSI:Cyber

Unrealistic scenarios aside, CSI: cyber is doing some good by bringing attention to real issues (albeit in far-fetched ways), and perhaps inspiring future digital forensic analysts.
The CSI: franchise has been a very successful television endeavor, combining entertainment with a view into how forensic science is used to identify and prosecute criminals. Needless to say, creative liberty is taken to fit a story into a 42 minute episode, but it never pretended to be instructional. It's TV, not a college class. I have no training in pathology or chemical analysis, and only a basic background in the physics of force and motion, but I've been involved in cyber technologies since before "cyber" was a household term.

There has been considerable complaint from my industry over the way CSI: Cyber sensationalizes real events, and invents wholly unrealistic threats, for the sake of entertainment. I get it - I really do. The daily grind of a real cyber expert is not nearly as exciting as an action-packed TV episode. Hours of digging through logs or interpreting a pcap (a record of network traffic) wouldn't make for very exciting television. As researcher/hacker Charlie Miller recently said on Twitter, real hacking doesn't happen in the span of a 42-minute made-for-TV episode. It is the result of days, weeks, or even years of research, learning, and poking at a topic.

Tuesday, April 28, 2015

How you handle a conflict speaks loudly

How you handle a problem (as a person, and as a company) speaks far more loudly than the problem itself. No one is perfect. There will be conflicts whether in business or in social life. At times those conflicts are the result of an intentional slight or a boneheaded decision, but just as often they are the result of simple miscommunication.

Tuesday, April 14, 2015

What if Jesus was a hacker?

It's interesting the ways faith and security intersect. This weekend I attended an information security conference in which one speaker talked about the often-strained relationship between hackers / researchers and reporters. Author / blogger / journalist Violet Blue (warning: in many cases very much NSFW) gave a talk entitled "Everything They Don't Tell You: When Hackers Talk to the Press" that was quite eye-opening. A key point was that so many (not all, but a significant majority of) reporters think career first, and are more interested in being *first* with a story than in being *right* with a story. Interviewees may be manipulated into giving statements that fit the story the reporter is trying to tell, by reporters that don't really understand the technologies and security threats they are writing about. The end result is that hackers need to be very careful in whom they talk with.

Tuesday, April 7, 2015

Don't get pwned by a former service provider

When establishing a business - to - business relationship, don't forget to specify what happens to information when the business relationship ends.
The growth of the Internet from a novel idea into a business necessity created a new market for online service providers. Large corporations have the resources to run their own web servers and to hire professional staff to keep them running well and (hopefully) secure. When you run a small business though - and in particular, a business that is not in a computer technology field - more often than not you are dependent on third parties to provide such services. If your company is in the business of collecting and disposing of garbage, you might expect to invest heavily in trucks and landfill property. A company web site through which to offer online bill payment may not be at the top of your in-house priority list.

There's absolutely nothing wrong with that.Why try to be something you are not? Doing what you do, well, and paying someone else to do the rest can be an effective business model. Alas, outsourcing isn't (or at least shouldn't be) a "choose someone and forget about it" decision.