Son Of Sun Tzu


Sunday 5 August 2018

Media Review - 5th August 2018

InfoSec Recruiting – Is the Industry Creating its own Drought?

This can be found at: https://www.liquidmatrix.org/blog/2018/07/16/infosec-recruiting-industry-creating-drought/ . An interesting point of view from someone on both sides of the recruitment process. I don't think the problem Fischer highlights is responsible for the drought, but poor recruiting and evaluation processes certainly don't help.

Why you should have your own black box | Matthew Syed | TEDxLondonBusinessSchool

This can be found on YouTube at https://www.youtube.com/watch?v=MmVCYqs3mko, presented by Matthew Syed. This is a really well put contrast between the growth mindset of the aeronautical industry, and the fixed mindset of the healthcare industry - and how the difference in culture between the two makes such a difference in outcomes. He then expands on that, and makes some excellent points. This is worth fifteen minutes of your time.

A Complete Guide to Getting What You Want

I probably read too many self-help articles as I try and figure out what I actually want to do and where I fit. But contrary to the comment at the start of it, this is a relatively short read: https://www.raptitude.com/2018/06/getting-what-you-want/ , and steps through the stages of figuring out what you want and how to get it.

Favourite quote, which I must remember to use elsewhere, is

"We’re fearful creatures after all, with an evolutionary impulse to cling to virtually any tolerable status quo, no matter how dull or crappy it is."

The Only Thing You Need to Get Good At

I recently discovered raptitude.com, another useful resource highlighted to me by the wonderful Career Shifters.

This blog post in particular is at https://www.raptitude.com/2017/03/only-thing-get-good-at/ ; it is a very high level explanation of stoicism, which has always intrigued me, and it explains how you should only be concerned with that which you can control. Easier said than done, but worth saying all the same.

As a side note, it highlighted to me my attitudes towards Left wing and Right wing politics in general. In general I think the policies of the left wing are far more effective, but think their tactics are awful; and while I generally dislike the policies of the right wing for various reasons - most significantly because they don't work - I think their tactics are far more effective. I also think that's a massive over-generalisation, but for now I'll stick with it in practice and see if it survives. That's something I'm tempted to expand on... but of course I've no political influence, and nothing personally to gain from doing so, so that would be a waste of time from a stoic point of view.

From chaotic ripples to complicated waves

Due to my interest in TRIZ I came across Ron Donaldson's blog, and this entry, at https://rondon.wordpress.com/2018/07/23/from-chaotic-ripples-to-complicated-waves/ , was particularly interesting. I like the aim of just enough rules to enable other teams in different areas to follow a successful example, rather than taking something that's worked and trying to make different areas, with different cultures, identical. I also liked that staff happiness, rather than just patient happiness, is seen as a gain - there can be too much emphasis on the "customer", with staff just seen as another resource to be manipulated appropriately.

Saturday 4 August 2018

Presenting tips for new and nearly new speakers

I've a note on presenting guidance I make a point of reading whenever I'm putting something together; I figure it would be useful to others too:

Recommended reading

How to give an Effective Presentation: https://qz.com/work/1110377/how-to-give-an-effective-presentation/

This presents the idea of how to structure the talk overall... and how to get your ideas together. I would emphasise this: I still struggle with trying to put too much in, spending days on research, and then realising I have a 90 minute presentation for a fifty minute slot. The sooner you can determine what is and isn't in the talk, the more time you'll save.

If you want to be above average then avoid all of the "anti-patterns" Troy Hunt mentions in this article... a bit of preparation and avoiding very basic pitfalls can take you a long way: https://www.troyhunt.com/speaker-style-bingo-10-presentation/

For a step beyond that, Thom Langford has written a good three part guide to presenting, this is worth working through:

Part 1: https://thomlangford.com/2018/05/18/the-art-of-the-presentation-part-1-of-3/

Part 2: https://thomlangford.com/2018/05/30/the-art-of-the-presentation-part-2-of-3/

Part 3: https://thomlangford.com/2018/07/20/the-art-of-the-presentation-part-3-of-3/

If you want the level beyond that then make the most of the transitions; moving on to the next slide on the right word can make all the difference, as described in this piece. However this does require practice, I've only become this good after repeatedly giving the same presentation four times a day for a week: https://medium.com/@saronyitbarek/transitions-the-easiest-way-to-improve-your-tech-talk-ebe4d40a3257

Confidence tips

Practice. Preferably in front of family or colleagues or friends, but if it comes down to it just practice in a room on your own with the laptop and a timer. That way you know the timing works, you'll at least have an inkling of what slide is coming next as you present - and if you can get any kind of audience they'll give you feedback on what does or doesn't make sense.

If you need confidence just before a performance... power pose with fists clenched... and by "power pose" I mean that rather silly looking stance Tory MPs have adopted recently where they stand with their legs slightly too far apart. In that pose your body will automatically think you're about to enter some kind of conflict and boost you with the right chemicals for a fight.

This idea was mentioned to me by my first mentee for BSides London: just imagine that the audience are penguins... flapping and squawking away, or waddling down to the water's edge for fish. It's silly, and nonsensical, but if it works it puts a smile on your face before you walk out there to face everyone.

And one last point, if you're an introvert, as per this tweet: https://twitter.com/KevinGoldsmith/status/963850794440187904, presenting gives you something to talk about with people, rather than having to navigate the morass of small talk.

Sunday 29 July 2018

Media Review - 29th July 2018

Cyber resilience - nothing to sneeze at

NCSC explains the concept of "cyber resilience" using an analogy to the human body's defences: https://www.ncsc.gov.uk/blog-post/cyber-resilience-nothing-sneeze

I'm not sure how far this analogy stretches - i.e. how do the aims of a cold virus compare to the aims of a typical attacker - but the "Prepare - Absorb - Recover - Adapt" feels much more likely to succeed than "Protect Protect Protect... ".

The bendy circus performers who help keep watch at a disused Birmingham school

This BBC report on four property guardians learning circus skills, found at https://www.bbc.co.uk/news/resources/idt-sh/balancing_act , was particularly interesting, and really impressive in how they've approached a difficult economic situation. I'm disappointed that this isn't seen as "adult"-ing, whereas the traits they exhibit: "self-reliance, building networks, learning skills, having fun, financial planning in a difficult environment, thinking unconventionally" as I put it in a tweet, are exactly what adults should aim for IMHO.

Why Diversity Wins

There is a lot of "politics" around diversity, what it means and who it applies to, and everything else that goes with that. I'm mainly interested in the arguments put forward in this sub-four minute video from Everything Is A Remix: https://www.youtube.com/watch?v=4Dn8NuiMADY ; that diversity gives you a better chance at solving complex problems than if you operate in its absence.

Don’t Leave Hungry! Plan a Full Red Teaming Meal

Another well put article from Reciprocal Strategies here: https://www.reciprocalstrategies.com/the-full-red-teaming-meal/ . The main takeaway is the distinction between:

  • Gegenspiel, or thinking like an opponent; and
  • Kontraspiel, or thinking like a contrarian or devil’s advocate.

I think Kontraspiel is a really useful approach to adopt when looking at a project, or any significant corporate decision... or decision in life for that matter.

Of course neither matches the current definition of Red Teaming used in penetration testing, which is essentially "goal orientated pentesting, mainly technical, with some social engineering sprinkled on top". And a pentester's Gegenspiel will be thinking like an opponent, rather than thinking like any of the opponents, but that's a discussion for a different time.

You should read the article, I like the use here of "all-role red teaming" to describe what Reciprocal Strategies offer.

I think I'm naturally inclined towards this kind of analysis, focusing on concepts, looking at overall issues, adopting different points of view and exploring them to see where they take me, and where they take whoever I'm working with and working for... and I think this kind of analysis is incredibly useful in all sorts of situations. However I gather Reciprocal Strategies is having to search for customers, and I'm disappointed to note the Twitter account has 85 followers at the time of writing - considering how smart and how knowledgeable Mark Mateski is that makes me incredibly wary of trying to turn this idea into a business myself.

Monday 23 July 2018

Lessons From The Legion - a summary

Overview

A summary of my presentation "Lessons From The Legion". I'm hoping to give the presentation more often, in order to generate more interesting and useful conversations, so this will undoubtedly evolve, your feedback is welcome.

Alternatively, if you've requested a copy of my slides... I've directed you to this summary instead. For various reasons I'm conscious of how complex copyright law is, and I think I'm just on the right side of it, but I'm not aiming to test that more than necessary. Also the aim is always that the slides help you understand what I'm saying, and help me to remember what to say next; if they're standalone then I'm not presenting my ideas effectively.

A very high level summary would be this tweet, if you want to point someone at a very short summary:

"people trying to excel at self-taught technical skills are sub-optimal at strategic decisions required for a nebulous conflict, their emphasis should be on team work, and on the strategies of, and constraints on, their adversaries; they should seek inspiration elsewhere"

As a less brief summary, but trying to keep things snappy, my reasoning is as below. A slide by slide summary is too dense, and makes me realise how many ideas I've pushed into the audience's heads in less than an hour, so I've tried to be more logical below.

Logical Progression of the talk

Introduction

I have a question - In Cyber Security - if we're all so smart, which we are, and we all work so hard, which we do, why is everything so awful?

Most presentations will start with an explanation of who the speaker is, their history, and why you should listen to them, and then give you an answer to the technical question they posed. This presentation is more of an "investigation wall", where the investigator links diverse ideas and newspaper clippings and surveillance photos and post-it notes with string to try and reveal an idea.

Also those technical presentations tend to be tactical, and I think the problem is that we have unintentionally settled on a vague strategy based on tactical choices, rather than letting an informed strategic choice decide which tactics we should use.

John Kindervag's presentation "Winning the Cyberwar With Zero Trust" is a good example of thinking at a strategic level and making informed tactical choices accordingly; I specifically mention it here because I borrow some of his slides.

The main three areas I'm familiar with, as a cyber security practitioner, are:

  • System Administrators / Developers
  • Penetration Testing
  • Incident Response

The strategy in all three areas is based on being the most technically skilful practitioner you can: sysadmins patch as quickly and as thoroughly as they can through knowledge of their operating systems, developers code as securely as they can through knowledge of their languages; penetration testing aptitude and success is based entirely on how technically adept the pentester is and how well they apply the "flaw hypothesis methodology"; and incident responders work on their forensics skills to learn how to spot different attacks, and prepare playbooks to run through once an attack has been detected.

Arguably the way this strategy has come about is because of how we train and practice for each area - all of which is based on self-motivated learning, and a passion for the job that is often described as "eat, sleep, breathe security". Therefore the emphasis is on individual skill and knowledge rather than on wider context.

Where has this choice got us? I cite various references that illustrate the poor state of cybersecurity, and the danger that poor cybersecurity poses to organisations in general and civilisation as a whole.

This method of practising reminds me of golf. Excelling at golf is based on individual skill, which is reflected in how a player performs in the game - because success in the game is based almost solely on individual performances. Even in a team game of golf, with a team and against an opposing team, there is very little your team-mates or opponents can do to directly affect your standard of play. And the actual course will be static also, apart from the vagaries of weather.

There is nothing wrong in practising like golf if you're going to play golf; however the practice of cyber security is nothing like the game of golf, so I think we need to look at a different game.

Using this kind of analogy, and cross-pollinating ideas between areas, is generally derided, but if you look hard enough there are examples where this works. In particular the idea of TRIZ, of abstracting problems and solutions in order to determine what kind of solution is required in a rapid way.

So, if we're practising for golf, but not playing golf, what game are we playing?

I argue that our industry feels a lot more like American Football. It is a ridiculously complex and violent sport, with many specialisms, and very much a team game where your success or failure is very dependent on the quality of your team and your ability to work with them, and how you act against and react to your opponent.

Therefore we should look to learn lessons from a successful American Football team. American Football is the only sport where each team has essentially two squads on it - an Offense for when your team has possession of the ball, and a Defense for when your team does not.

I think that as defenders in cyber security - even red teamers are looking to improve the performance of the blue team and the survivability of defenders - we should look to the best Defense. I classify Defense in American Football, and cyber security, as a "weak link game", where the overall ability of the team is decided by the ability of the worst players on your squad, not the best.

Possibly influenced by personal biases, but backed up by many sports facts I'll quote in the novella length version of this description, I have chosen the Legion of Boom, the Seattle Seahawks defense from 2011 to 2017, as an example to follow.

Looking at the central tenets of the team, and the defensive philosophy of the Seattle Seahawks head coach, Pete Carroll ( who has approximately 40 years of experience and an exemplary record ), I pick some of the main lessons from the Seahawks' successful Defense:

First lesson - eliminate the big play.

There is no time to explain the Seahawks' use of "Cover-3 with a single high Free Safety", and their general approach of keeping the ball in front of the defenders to ensure the Defense always has another chance to prevent their opponents scoring, so I look at personnel choices.

Most NFL defenses, when choosing personnel, have emphasised their Defensive Line, the first line of defense against an opponent. Carroll has always specifically looked to the Defensive Backs, the last line of defense, most notably the Free Safety position, which is what he played in college.

This is reflected in the NIST Cyber Security Framework, and the five Core Functions. I am old enough to remember when Identify and Protect were the only aspects seen as useful, but slowly we are learning that Detect, Respond, and Recover are at least as important in surviving an attack, rather than believing in the "Defender's Dilemma", that if an attacker breaches us we have immediately lost.

I would argue ( and if I remember during the presentation I'll actually say it ) that the emphasis should be on Detect, Respond, Recover - the last line of defense, not the first.

Second lesson - train how you fight

Because American Football is such a complex game it is necessary to practice complex play calls and formations in advance, and to ensure that each individual knows their responsibility, and everybody else's responsibility, on each play so that they can function as a team.

Because the teams are so large there are enough players for the second and third string players in each squad to form "scout teams". These teams imitate the playing style and formations of upcoming opponents so that both they, and the first string players, understand what is coming up in next week's game, and also are less surprised by any of their opponents' individual styles in the game.

This links into the concept from wargaming of the Caffrey Triangle, showing how a red team - in a red team exercise specifically designed to assist the blue team - should act depending on the objectives of the engagement. I argue that penetration testers work almost solely at the top of the triangle, being the most effective attackers they can, when they should operate in the right hand corner, emulating the TTPs of genuine adversaries in order to prepare the blue team for their real world opponents.

Also I stress here that any kind of practice is required, as the discipline of Incident Response is notorious for organisations referring to their plans for the first time, or even writing them the first time, during an actual incident. Constant practice is crucial, especially when we are moving from being in Cyber Security to proposing Cyber Resilience.

Third lesson - know your enemy

I briefly introduce John Boyd's concept of the OODA loop - Observe, Orient, Decide, Act - as a way of understanding how you process information in a conflict, and how "getting inside your opponent's OODA loop", by progressing through the steps faster than them, leads to victory.

This takes me to showing plays by Bobby Wagner, a Linebacker with the Seattle Seahawks, and arguably the best player at this position, who has stated that the game is "90% mental" because you can only get as fast or as strong as everyone else. I show a play whereby, even though on defense, even though on the side of the ball that's meant to react to the play, Wagner knows what the offense is going to do and so is able to take advantage of that to disrupt his opponent.

As a side note - this emphasis on researching your opponent, and therefore being so much more confident during a game, has many more references from the entire Legion of Boom, especially their three most well known Defensive Backs. I have some references, and some video clips... when I say there's a three hour version of this presentation waiting to be written I'm not joking.

I link this to the RAND paper from 1991, the Base of Sand Problem, mainly because of the excellent footnote that explains that the effectiveness of forces - their training, logistics, and positions - is much more crucial to deciding who is the victor in a particular conflict than the sheer size of any force.

Also I use references that your opponent has a limited number of playbooks, and therefore learning them is an achievable aim, rather than attempting to defend all assets against all attacks from all possible adversaries.

Fourth lesson - out hit your opponent

The second of Pete Carroll's tenets: it is a physical game, it is a collision sport, and there are psychological as well as other gains to be made by simply hitting your opponent as hard as you can.

Also this tallies with the first aim, to eliminate the big play, as it physically puts the defenders in an excellent position to tackle or otherwise collide with their opponents - but I don't often have time to go into this level of detail on the game.

For this I use clips from Richard Sherman, Earl Thomas, but mainly Kam "Bam Bam" Chancellor executing the "Shoulder Punch", a Seahawks tackling technique which is as it sounds.

The aim here is to inflict pain on your opponent, and to reduce the speed of their OODA loop. I've learnt here to specifically state that I'm not advocating any kind of "strikeback" methodology, but in showing that on the blue team we've forgotten that we're facing an opponent.

I link this to the standard Incident Response methodology, which is based on Gold, Silver, and Bronze Commanders, and is designed for what I'd describe as "non-sentient opponents". Maybe we need to add a "Francium Commander", based on the most dangerous of elements, where an incident would be handed over to someone who would specifically attempt to deceive and disrupt the enemy. This could be achieved through deception, in making your opponent so unsure of their context that they are reduced to ITIL type processes to ensure they aren't detected. Also I emphasise that this is a team game, and that sharing adversary TTPs with other defenders assists everyone and builds the size of your team.

Summary

Usually at this point I stress that I'm not sure of my ideas, but that F-Secure's purchase of MWR shows that someone else agrees, at least in general, with some of what I'm proposing.

Also that what I'm advocating, which is only half-thought through at best, is a change in strategy and/or doctrine and/or ideology. These are the most difficult changes to make, and the least liked; organisations prefer simple solutions that state they'll eradicate the problem, regardless of their actual effectiveness. However as many have said, for example Anton Chuvakin of Gartner, the industry does not have enough staff, and already has more than enough products, yet we are still facing more of the same problems.

At this point I summarise all of the above, and kind of finish indecisively to encourage questions rather than proposing I have definitive answers.

END

The latest set of references should be elsewhere on this blog; please scroll down, or up, to find the version related to whichever "performance" you watched.

Combining the logic above with those references is something I should do, but at the moment I'm happy to do that "live" during the performances of this talk. Questions on supporting evidence are welcome by email or in the comments, and overall if you've any questions please do get in touch.

Friday 20 July 2018

Media Review - 21st July 2018

The happy secret to better work

This TEDx presentation on how happiness leads to success - https://www.ted.com/talks/shawn_achor_the_happy_secret_to_better_work - was 12 minutes well spent. In particular how it advocates being happy in order to achieve success, rather than aiming for success, a goal that always moves once you reach it.

I think this kind of concept has massive ramifications for cyber security, a notoriously pessimistic industry. I mean the industry is understandably "glass half-empty" given the challenges it faces, but that doesn't mean those in the industry can't indulge in a little wilful self-deception, or confidence, to improve their abilities and chances for success.

Of course maybe the solution is to have a process as a goal: "always strive for a better job", with the knowledge that you are kind of always succeeding at that goal if you're always striving.

And, of course, that completely goes against everything you'll read about goal setting, which advocates "Specific, Measurable, Attainable, Realistic, Timely" goals; increasingly I think that's suitable for projects, not so much for your personal objectives.

The Utility of War Gaming

This can be found at https://wavellroom.com/2017/11/21/the-utility-of-war-gaming ; I'm "cheating" here slightly because I actually discovered this in November last year, but it came up in the Wavell Room's Twitter feed, and as I started reading it, and enthusiastically nodding along, I realised I'd read it before.

Of particular interest is the emphasis on command, and how useful dice are in providing factors you weren't aware of or don't understand; as long as the umpires can explain the effect of the dice then they're just a device, rather than some kind of destiny or fate that decides if you win or lose.

DtSR Episode 302 - InfoSec Superhero Syndrome

This was an episode of the Down The Security Rabbit Hole, which you can download or listen to here: http://podcast.wh1t3rabbit.net/dtsr-episode-302-infosec-superhero-syndrome

I was driving at the time so I didn't take any notes, so all I can say is that this is worth your time. Excellent points on how cyber security people don't scale, and how security practitioners trying to do everything is not only inefficient but leads to burnout. It was just really refreshing to hear something I've been thinking but not really said: that it's OK to admit that you don't know something, and that actually it's better to do so than to try to wing it.

A New Approach to Command Post Training

An interesting article from the Wavell Room, a thoughtful website I discovered thanks to a Peter Apps ( https://twitter.com/pete_apps ) tweet; you can find this specific article here: https://wavellroom.com/2018/07/10/a-new-approach-to-command-post-training/.

The article highlights how unrealistic current Command Post training is for the British Army, and the following points really stuck out for me, in relation to my own interest in wargaming, and my investigations into Incident Response training:

  • The unrealistic environment: it appears that these command posts are much more comfortable than those in the field, whereas you want people to be aware how those kind of situations affect their decision making ability.
  • Lack of friction: a common problem with wargames is modelling all the little things, the mis-communications, the misunderstandings, that just make life harder.
  • Steady injects: as a training exercise designer... as you would as an RPG DM, or as a video game designer... you want the exercise to adapt to the skill level of the players, and push them to become better - a predictable stream of injects at a regular pace won't do this.
  • Train tracks: the term used when a predictable set of injects is used. Understandable as it's easy to create and play, but terrible when you're training people to deal with the unexpected, especially against an adversarial force.
  • Failure: to me one of the main points of a wargame is to have a "safe space" where players can fail, that way they learn what does and doesn't work, and they learn their limits, in a space with no consequences.
  • Playing divisions against each other: I love this idea from the article, because it reminds me of TRIZ's "use the problem as the solution" concept ( which I've probably over-simplified ). Training exercises suffer because there is no red team to play against, and also they're expensive because you have to run one for every division. So why not have the divisions fight each other, therefore running two exercises for the cost of one.

Wednesday 18 July 2018

Lessons From The Legion - references from my presentation at Cyber London

If all's gone to plan this blog post should appear just as questions are finishing at my presentation at Cyber London ( which was detailed here https://www.meetup.com/London-Cyber-Capital-One/events/252353488/ ).

As before, I've categorised references by type, kind of; I figure that's the easiest way for people to navigate this. They're in alphabetical order, but with an index of "the thing I think I put to the fore when mentioning this", which isn't the most objective criterion. Constructive feedback always welcome - I'm sure there's a better way to list these, but I'm not sure how.

Books:

"Bullshit Jobs" is by David Graeber, there's a description here https://www.penguin.co.uk/books/295446/bullshit-jobs/

The Numbers Game by Chris Anderson covers Strong Link and Weak Link games, and well, actually, I should buy this and read it, but this article covers all you need to know for the level I use it at: http://www.asalesguy.com/soccer-and-messi-basketball-and-lebron-how-one-is-like-sales-and-the-other-isnt/

Blog posts:

First Mover Advantage - Tenable's blog post on how quickly attackers and defenders evaluate vulnerabilities: https://www.tenable.com/blog/quantifying-the-attacker-s-first-mover-advantage ; I've literally grabbed the headline thanks to the pointer to this from Dark Reading: https://www.darkreading.com/prnewswire2.asp?rkey=20180524PH05742&filter=3849

Peak security product - Anton Chuvakin's point on not having enough people is here https://blogs.gartner.com/anton-chuvakin/2018/06/21/is-security-just-too-damn-hard-is-productservice-the-future/ ( at the time of writing I don't expect to be able to mention it, but this Leviathan Security paper is a useful resource for highlighting that there will never be enough people: https://static1.squarespace.com/static/556340ece4b0869396f21099/t/559dada7e4b069728afca39b/1436396967533/Value+of+Cloud+Security+-+Scarcity.pdf ; with a hat tip to Haroon Meer on this podcast: https://securityboulevard.com/2018/07/we-have-the-silver-bullet-for-bs-detection-ciso-security-vendor-relationship-podcast/ )

Rapid 7 on the number of CVEs is here: https://blog.rapid7.com/2018/04/30/cve-100k-by-the-numbers/

SR-71 Blackbird: this might have made it in as a very quick reference, I thought of that context listening to this podcast: https://www.lockheedmartin.com/en-us/who-we-are/business-areas/aeronautics/skunkworks/insideskunkworks.html#Episode-1

Presentations:

Blinky Boxes - Frasier Scott's presentation on threat modelling has slides here: https://speakerdeck.com/zeroxten/threat-modeling-the-ultimate-devsecops . I think this is part of his current repertoire, so best caught live of course - at the time of preparing this I'm not sure how much he'll have used in his talk following mine.

CTFs - The Last CTF Talk You'll Ever Need from DEFCON 25, is here: https://www.youtube.com/watch?v=MbIDrs-mB20

CTRL+Break The OODA Loop by Abel Toro of Forcepoint from BSides London 2018 isn't up yet on their channel https://www.youtube.com/channel/UCXXNOelGiY_N96a2nfhcaDA ; it was on Track 3, I'm hoping that was recorded... or that Abel will be giving the presentation again.

The Cuckoo's Egg reference was inspired by Paul Midian's BSides Glasgow 2018 keynote "Everything You Know Is Wrong" - https://www.youtube.com/watch?v=KvksyvF6MN4

Cyber Defense Threshold - this is from Sean T Malone's presentation "Using An Expanded Cyber Kill Chain Model to Increase Attack Resiliency", the video is here: https://www.youtube.com/watch?v=1Dz12M7u-S8 and the slides are here: https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf

Hackers being needed on the Blue Team comes from Haroon Meer's Nullcon Goa 2018 keynote: https://www.youtube.com/watch?v=2F3wWWeaNaM

Ian Fish - Crisis Management - from CrestCON 2018 - is here: https://www.youtube.com/watch?v=R1UOW3xGpZE

Intruder's Dilemma - is mentioned in this from BSides Munich 2018: https://www.youtube.com/watch?v=PQgsEtRcfAA

Penetration Testing Must Die - Rory McCune at BSides London 2011 - is here: https://www.youtube.com/watch?v=MyifS9cQ4X0

Playbooks - Common Traps & Pitfalls in Red-teaming by Andrew Davies and Jon Medvenics from CRESTCon is here: https://www.youtube.com/watch?v=bYTrwzFUSSE

Strategy - John Kindervag's "Win the War With Zero Trust" can be found via BrightTalk here: https://www.brighttalk.com/webcast/10903/280059

Reports:

The Base of Sand Problem, the RAND report that highlights the problems in military modelling/simulations/wargaming that, for me, resonate with issues we face, can be found here: https://www.rand.org/pubs/notes/N3148.html

The Cyber Resilience Report from KPMG, that really makes the point that preparation is key, can be found here: https://assets.kpmg.com/content/dam/kpmg/ie/pdf/2017/09/ie-cyber-resilience-2.pdf

The Global Risks Report 2018 from the World Economic Forum can be obtained here: https://www.weforum.org/reports/the-global-risks-report-2018

Outpost24's report on their survey of RSA attendees can be found here: https://outpost24.com/sites/default/files/2018-05/RSA-2018-Survey-Outpost24.pdf

State of CyberSecurity Report - InfoSecurity Magazine - where they highlight regulation can drive security - can be found here: https://www.infosecurity-magazine.com/white-papers/state-of-cyber-security-report/

Seattle Seahawks and other less cybery references:

The article "Bobby Wagner Can See into the Future" is here: https://www.si.com/mmqb/2017/06/29/nfl-bobby-wagner-seattle-seahawks

Bobby Wagner's PFF rating is from this tweet: https://twitter.com/PFF/status/1005914257563836416 ( as a side note, check out this video on Luke Kuechly, who's also on that list, that's basically team-mates and rivals saying how smart he is https://www.youtube.com/watch?v=umfgvffJ6M0 )

Fewest points allowed - this ESPN article summarises it nicely http://www.espn.co.uk/nfl/story/_/id/17886833/how-seattle-defense-dominated-nfl-five-years-running-nfl-2016

Introduction - the quick cartoon shoulderpunch is taken from this introduction to the game: https://www.youtube.com/watch?v=3t6hM5tRlfA

Kam Chancellor - I think this video sums up what he provided in the narrow focus I use, you may recognise part of it: https://www.youtube.com/watch?v=qgh8HmKVja8 ( as a side note, while I don't think it's relevant to the analogy, Kam Chancellor appears to have retired http://www.espn.com/nfl/story/_/id/23967587/kam-chancellor-seattle-seahawks-safety-appears-announce-retirement-via-twitter - this is a good video summary of what he provided to the team https://www.youtube.com/watch?v=8SltNCS4Jg0 )

Legion of Boom - there's a nice retrospective that's just a five minute video: https://www.youtube.com/watch?v=N73r5HemB0M

If you want an emphasis on the boom, watch this: https://www.youtube.com/watch?v=xF6OLtz280Y

My main source for Pete Carroll's philosophy, in many senses of the word, is here: https://www.fieldgulls.com/football-breakdowns/2014/2/3/5374724/super-bowl-48-seahawks-pete-carrolls-richard-sherman-marshawn-lynch ; I have a lot of reading to look forward to.

If you want to see just how many players there are on a team then you'll see the Seahawks roster here: https://www.seahawks.com/team/players-roster/

Tackling video - the Seahawks 2015 video summarising their technique is shown here: https://www.youtube.com/watch?v=6Pb_B0c19xA

Olivia Jeter, Defensive End for Bladensburg High School, is covered in these videos: https://www.youtube.com/watch?v=yAYS2VnfFi8 and https://www.youtube.com/watch?v=5xD8qjihHf8 Yes, I do realise that those videos are from 2014, but she provides such great soundbites, I must find out what happened to her.

YouGov's survey on British interest in various sports is here: https://yougov.co.uk/news/2018/01/10/what-most-boring-sport/

Tweets:

Jeremiah Grossman on the Kenna Security report, highlighting 2% of vulnerabilities are exploited, is here: https://twitter.com/jeremiahg/status/996469856970027008 I've got into interesting discussions on how true or untrue that figure may be, watch this space.

Websites:

AIS - The article from Cyberscoop on the DHS's Automated Information Sharing portal being underused is here: https://www.cyberscoop.com/dhs-ais-cisa-isnt-used-jim-langevin/

Bananas - Chiquita using pharmaceutical packaging is detailed here: http://archive.boston.com/business/globe/articles/2007/03/07/yes_we_have_one_banana/

Banks using mobile phone companies ... I had a single reference for this and lost it, so as per my real world presentation, I think I said something generic like "there's many examples of banks talking to many different industries", do get in touch if you find any particularly good ones.

Bartle's Taxonomy of player types is taken from this: https://en.wikipedia.org/wiki/Bartle_taxonomy_of_player_types

BreachLevelIndex.com is, well, here: https://breachlevelindex.com/

The Caffrey Triangle is mentioned here https://paxsims.wordpress.com/2016/08/19/connections-2016-conference-report/ , I've had it explained to me in person, we all need to be talking about this a lot more, in both cyber security and wargaming.

Cyber Resilience - Phil Huggins' Black Swan Security blog is here: http://blog.blackswansecurity.com/2016/02/cyber-resilience-part-one-introduction/

Cyberscape - the amount of tools we have, is taken from Momentum's cyberscape: https://momentumcyber.com/docs/CYBERscape.pdf

Dentistry using space technology is here: https://phys.org/news/2010-10-benefits-space-technology-dentists.html

DevSecOps WAF concept is described here: https://www.acrosec.jp/what-is-a-devsecops-waf/?lang=en

Emergency response - the three element model can be seen in some detail here on the College of Policing website: https://www.app.college.police.uk/app-content/operations/command-and-control/command-structures/

Francium - my main inspiration for choosing the element Francium is here: http://www.sparknotes.com/mindhut/2013/09/06/the-worlds-most-dangerous-elements

Full Spectrum Response - yes, it is something I've read about only briefly, and it is for the battlefield rather than as a viable response to your regional office receiving a phishing email. There's a short PDF here: https://www.northropgrumman.com/Capabilities/Cybersecurity/Documents/Events/Datasheets_IA15/IA15_FSO_Datasheet.pdf

HorseSenseUK - Equine Assisted Education - can be found here: http://horsesenseuk.com/

Incident Response, the four stages - I detailed that in this blog post: http://blog.sonofsuntzu.org.uk/post/2017/03/26/Notes-on-Incident-Response-from-the-SC-Congress

Incident Response Timelines - this is taken from the Logically Secure website, and can be found here: https://www.logicallysecure.com/blog/ir-metrics-part-1/

Intruder's Dilemma - I think the first reference to it from Richard Bejtlich is here: https://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html

MWR - the TechCrunch article I refer to, where F-Secure note the need for offensive capability, is here: https://techcrunch.com/2018/06/18/f-secure-to-buy-mwr-infosecurity-for-106m-to-offer-better-threat-hunting/

Naval - Paul Raisbeck, who uses his naval experience in what is loosely described as management consultancy, can be found here: https://www.linkedin.com/in/paulraisbeck/ , and a relevant piece by him here: https://www.linkedin.com/pulse/what-could-your-business-learn-from-royal-navy-people-paul-raisbeck/

OODA loops are basically described here, but again, please pay me to research these concepts: https://en.wikipedia.org/wiki/OODA_loop

Playbooks, Rick Howard, the CSO of Palo Alto, on the small number of opponent's playbooks: https://www.csoonline.com/article/3207692/leadership-management/exploit-attacker-playbooks-to-improve-security.html

Practice - "any incident response plan is only as strong as the practice that goes into it" is from Mike Peters, Vice President of RIMS, the industry body for Risk Management. Best to search online for that specific quote and use whichever source will look best in your board level presentation.

RASP, being Runtime Application Security Protection, is described here: https://www.softwaresecured.com/what-do-sast-dast-iast-and-rasp-mean-to-developers/

Strikeback - yes, I have thought it's a bad idea for just over twenty years now: http://seclists.org/firewall-wizards/1998/May/69

TRIZ on Wikipedia is here: https://en.wikipedia.org/wiki/TRIZ and the main British consultancy, as far as I can tell, is here: https://www.triz.co.uk/

Overall

Sometimes I get the gist of something and use that. If you know any of these ideas better than I do, meaning that I've missed a nuance, or not read an important reference, please do get in touch. I always appreciate constructive corrections.

Tuesday 17 July 2018

Media review, just making notes on things I watched or read

Security Lessons from Dictators - Jerry Gamblin - 44CON2013

As I'm currently all aboard the analogy train I found this particularly interesting: Jerry looks at errors that dictators have made and compares them to errors that cyber security practitioners make. It can be watched on YouTube https://www.youtube.com/watch?v=1Rya1GWOG2w and is worth 30 minutes of your time.

Jerry Gamblin is worth following on Twitter, his account can be found here: https://twitter.com/JGamblin ; and I quote this tweet of his every so often: https://twitter.com/jgamblin/status/845773296410910721?lang=en

Forget About Setting Goals. Focus on This Instead.

This can be read at https://jamesclear.com/goals-systems - basically emphasise the processes in your life and you will reach your goals, rather than choosing long-term goals and then striving to reach them.

I really like this idea, and think it's a good way to approach, well, basically everything. This ties in with the Japanese idea of Kaizen, and the general ideas of Stoicism, as far as I can tell. Concentrate on small, gradual, continual improvements - so it fits in with Agile and DevOps too, but at a really high level. I'm intrigued by where this comparison works or falls apart.

Interestingly I think this would contrast with something like Angela Duckworth's Grit, a book I was rather impressed by earlier this year. Now there's a book I should have written up on here, I might have to read it again.

Why your brain never runs out of problems to find

This makes interesting reading at https://theconversation.com/why-your-brain-never-runs-out-of-problems-to-find-98990 ; "It turns out that a quirk in the way human brains process information means that when something becomes rare, we sometimes see it in more places than ever." A few experiments were run where participants were told to define something as a threat, or as blue. Over the course of the experiment the number of items matching the original criteria was reduced, but the participants' analysis didn't reflect that. I've read the article but not the paper; it should give you the gist.

Massive ramifications from this - regardless of changes in absolute terms does this mean humans will always find a percentage of things offensive, or expensive, or disturbing, or threatening, or....

How to become a Super-Forecaster

This article by Daniel Miessler https://danielmiessler.com/blog/how-to-be-a-super-forecaster/ was an interesting read, about the kind of people who are most proficient at predicting the future, and the qualities they have. I was particularly interested in this because I've always been intrigued by futurism, and in this case I like to think I possess all of the qualities listed. Those qualities are these by the way:

  • They are in the top 20% of intelligence, but don’t have to be at the very top
  • Comfortable thinking in guestimates
  • They have the personality trait of Openness (which is associated with IQ, btw)
  • They take pleasure in intellectual activity
  • They appreciate uncertainty and like seeing things from multiple angles
  • They distrust their gut feelings
  • Neither left or right wing
  • They’re not necessarily humble, but they’re humble about their specific beliefs
  • They treat their opinions as “hypotheses to be tested, not treasures to be guarded”
  • They constantly attack their own reasoning
  • They are aware of biases and actively work to oppose them
  • They are Bayesian, meaning they update their current opinions with new information
  • Believe in the wisdom of crowds to improve upon or discover ideas
  • They strongly believe in the role of chance as opposed to fate

I disagree on a couple of points, but only a couple, it'd be interesting to try this out.

Evolving The Creativity Scan

Taken from the TRIZ Journal, this article is here: https://triz-journal.com/evolving-the-creativity-scan/ ; I found it a cracking read and really intriguing, especially its descriptions of two types of intelligence, and that a lot of the criteria for creativity seemed to resonate with me. Further investigation required, as always, very interested in rating myself against the criteria listed.

Challenging local realism with human choices

At https://arxiv.org/abs/1805.04431 - it's been in my list of tabs for ages, it looks incredibly important but complex and would take several visits to "get my head around".

Project outcomes include closing of the freedom-of-choice loophole, gamification of statistical and quantum non-locality concepts, new methods for quantum-secured communications, a very large dataset of human-generated randomness, and networking techniques for global participation in experimental science.

I'm still trying to figure out a job where someone will pay me to read things like this. Advice welcome.

Sunday 15 July 2018

Lessons from the Legion - references from my presentation at DC151

Further to my presentation at DC151 please find a list of the most relevant references. It's almost all the same as those from earlier meetings, but I did want to highlight what a pleasure it was to present there, thanks to everyone who came, and to those who took part in the discussion afterwards - I've still got a couple of pages of notebook notes to work through.

As before, I've categorised references by type, kind of, I figure that's the easiest way for people to navigate this. Constructive feedback always welcome - I'm sure there's a better way to list these, but I'm not sure how.

Books:

"Bullshit Jobs" is by David Graeber, there's a description here https://www.penguin.co.uk/books/295446/bullshit-jobs/

The Numbers Game by Chris Anderson covers Strong Link and Weak Link games, and well, actually, I should buy this and read it, but this article covers all you need to know: http://www.asalesguy.com/soccer-and-messi-basketball-and-lebron-how-one-is-like-sales-and-the-other-isnt/

Blog posts:

Peak security product - Anton Chuvakin's point on not having enough people is here https://blogs.gartner.com/anton-chuvakin/2018/06/21/is-security-just-too-damn-hard-is-productservice-the-future/

Rapid 7 on the number of CVEs is here: https://blog.rapid7.com/2018/04/30/cve-100k-by-the-numbers/

Presentations:

Blinky Boxes - Frasier Scott's presentation on threat modelling has slides here: https://speakerdeck.com/zeroxten/threat-modeling-the-ultimate-devsecops I think this is part of his current repertoire, so best caught live of course; or seeing as he's in DevOps, it'll have iterated several times already.

CTFs - The Last CTF Talk You'll Ever Need from DEFCON 25, is here: https://www.youtube.com/watch?v=MbIDrs-mB20

CTRL+Break The OODA Loop by Abel Toro of Forcepoint from BSides London 2018 isn't up yet on their channel https://www.youtube.com/channel/UCXXNOelGiY_N96a2nfhcaDA ; it was on Track 3, I'm hoping that was recorded... or that Abel will be giving the presentation again.

The Cuckoo's Egg reference was inspired by Paul Midian's BSides Glasgow 2018 keynote "Everything You Know Is Wrong" - https://www.youtube.com/watch?v=KvksyvF6MN4

Hackers being needed on the Blue Team comes from Haroon Meer's Nullcon Goa 2018 keynote: https://www.youtube.com/watch?v=2F3wWWeaNaM

Ian Fish - Crisis Management - from CrestCON 2018 - is here: https://www.youtube.com/watch?v=R1UOW3xGpZE

Intruder's Dilemma - is mentioned in this from BSides Munich 2018: https://www.youtube.com/watch?v=PQgsEtRcfAA

Penetration Testing Must Die - Rory McCune at BSides London 2011 - is here: https://www.youtube.com/watch?v=MyifS9cQ4X0

Playbooks - Common Traps & Pitfalls in Red-teaming by Andrew Davies and Jon Medvenics from CRESTCon is here: https://www.youtube.com/watch?v=bYTrwzFUSSE

Strategy - John Kindervag's "Win the War With Zero Trust" can be found via BrightTalk here: https://www.brighttalk.com/webcast/10903/280059

Reports:

The Base of Sand Problem, the RAND report that highlights the problems in military modelling/simulations/wargaming that, for me, resonate with issues we face, can be found here: https://www.rand.org/pubs/notes/N3148.html

The Cyber Resilience Report from KPMG, that really makes the point that preparation is key, can be found here: https://assets.kpmg.com/content/dam/kpmg/ie/pdf/2017/09/ie-cyber-resilience-2.pdf

The Global Risks Report 2018 from the World Economic Forum can be obtained here: https://www.weforum.org/reports/the-global-risks-report-2018

Outpost24's report on their survey of RSA attendees can be found here: https://outpost24.com/sites/default/files/2018-05/RSA-2018-Survey-Outpost24.pdf

State of CyberSecurity Report - InfoSecurity Magazine - where they highlight regulation can drive security - can be found here: https://www.infosecurity-magazine.com/white-papers/state-of-cyber-security-report/

Seattle Seahawks and other less cybery references:

The article "Bobby Wagner Can See into the Future" is here: https://www.si.com/mmqb/2017/06/29/nfl-bobby-wagner-seattle-seahawks

Bobby Wagner's PFF rating is from this tweet: https://twitter.com/PFF/status/1005914257563836416 ( as a side note, check out this video on Luke Kuechly, who's also on that list, that's basically team-mates and rivals saying how smart he is https://www.youtube.com/watch?v=umfgvffJ6M0 )

Fewest points allowed - this ESPN article summarises it nicely http://www.espn.co.uk/nfl/story/_/id/17886833/how-seattle-defense-dominated-nfl-five-years-running-nfl-2016

Introduction - the quick cartoon shoulderpunch is taken from this introduction to the game: https://www.youtube.com/watch?v=3t6hM5tRlfA

Kam Chancellor - I think this video sums up what he provided in the narrow focus I use, you may recognise part of it: https://www.youtube.com/watch?v=qgh8HmKVja8 ( as a side note, while I don't think it's relevant to the analogy, Kam Chancellor appears to have retired http://www.espn.com/nfl/story/_/id/23967587/kam-chancellor-seattle-seahawks-safety-appears-announce-retirement-via-twitter - this is a good video summary of what he provided to the team https://www.youtube.com/watch?v=8SltNCS4Jg0 )

Legion of Boom - there's a nice retrospective that's just a five minute video: https://www.youtube.com/watch?v=N73r5HemB0M

If you want an emphasis on the boom, watch this: https://www.youtube.com/watch?v=xF6OLtz280Y

My main source for Pete Carroll's philosophy, in many senses of the word, is here: https://www.fieldgulls.com/football-breakdowns/2014/2/3/5374724/super-bowl-48-seahawks-pete-carrolls-richard-sherman-marshawn-lynch ; I have a lot of reading to look forward to.

If you want to see just how many players there are on a team then you'll see the Seahawks roster here: https://www.seahawks.com/team/players-roster/

Tackling video - the Seahawks 2015 video summarising their technique is shown here: https://www.youtube.com/watch?v=6Pb_B0c19xA

Olivia Jeter, Defensive End for Bladensburg High School, is covered in these videos: https://www.youtube.com/watch?v=yAYS2VnfFi8 and https://www.youtube.com/watch?v=5xD8qjihHf8 Yes, I do realise that those videos are from 2014, but she provides such great soundbites, I must find out what happened to her.

YouGov's survey on British interest in various sports is here: https://yougov.co.uk/news/2018/01/10/what-most-boring-sport/

Tweets:

Jeremiah Grossman on the Kenna Security report, highlighting 2% of vulnerabilities are exploited, is here: https://twitter.com/jeremiahg/status/996469856970027008 I've got into interesting discussions on how true or untrue that figure may be, watch this space.

Websites:

Bananas - Chiquita using pharmaceutical packaging is detailed here: http://archive.boston.com/business/globe/articles/2007/03/07/yes_we_have_one_banana/

Banks using mobile phone companies ... I had a single reference for this and lost it, so as per my real world presentation, I think I said something generic like "there's many examples of banks talking to many different industries", do get in touch if you find any particularly good ones.

Bartle's Taxonomy of player types is taken from this: https://en.wikipedia.org/wiki/Bartle_taxonomy_of_player_types

BreachLevelIndex.com is, well, here: https://breachlevelindex.com/

The Caffrey Triangle is mentioned here https://paxsims.wordpress.com/2016/08/19/connections-2016-conference-report/ , I've had it explained to me in person, we all need to be talking about this a lot more, in both cyber security and wargaming.

Cyber Resilience - Phil Huggins' Black Swan Security blog is here: http://blog.blackswansecurity.com/2016/02/cyber-resilience-part-one-introduction/

Cyberscape - the amount of tools we have, is taken from Momentum's cyberscape: https://momentumcyber.com/docs/CYBERscape.pdf

Dentistry using space technology is here: https://phys.org/news/2010-10-benefits-space-technology-dentists.html

Emergency response - the three element model can be seen in some detail here on the College of Policing website: https://www.app.college.police.uk/app-content/operations/command-and-control/command-structures/

Francium - my main inspiration for choosing the element Francium is here: http://www.sparknotes.com/mindhut/2013/09/06/the-worlds-most-dangerous-elements

HorseSenseUK - Equine Assisted Education - can be found here: http://horsesenseuk.com/

Incident Response, the four stages - I detailed that in this blog post: http://blog.sonofsuntzu.org.uk/post/2017/03/26/Notes-on-Incident-Response-from-the-SC-Congress

Incident Response Timelines - this is taken from the Logically Secure website, and can be found here: https://www.logicallysecure.com/blog/ir-metrics-part-1/

Intruder's Dilemma - I think the first reference to it from Richard Bejtlich is here: https://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html

MWR - the TechCrunch article I refer to, where F-Secure note the need for offensive capability, is here: https://techcrunch.com/2018/06/18/f-secure-to-buy-mwr-infosecurity-for-106m-to-offer-better-threat-hunting/

Naval - Paul Raisbeck, who uses his naval experience in what is loosely described as management consultancy, can be found here: https://www.linkedin.com/in/paulraisbeck/ , and a relevant piece by him here: https://www.linkedin.com/pulse/what-could-your-business-learn-from-royal-navy-people-paul-raisbeck/

OODA loops are basically described here, but again, please pay me to research these concepts: https://en.wikipedia.org/wiki/OODA_loop

Playbooks, Rick Howard, the CSO of Palo Alto, on the small number of opponent's playbooks: https://www.csoonline.com/article/3207692/leadership-management/exploit-attacker-playbooks-to-improve-security.html

Practice - "any incident response plan is only as strong as the practice that goes into it" is from Mike Peters, Vice President of RIMS, the industry body for Risk Management. Best to search online for that specific quote and use whichever source will look best in your board level presentation.

TRIZ on Wikipedia is here: https://en.wikipedia.org/wiki/TRIZ and the main British consultancy, as far as I can tell, is here: https://www.triz.co.uk/

Overall

Sometimes I get the gist of something and use that. If you know any of these ideas better than I do, meaning that I've missed a nuance, or not read an important reference, please do get in touch. I always appreciate constructive corrections.

Adam Shostack discussing threat modelling on BrakeSec podcast 2017-36

This is a summary of what Adam Shostack said on an episode of the BrakeSec security podcast that I've only just made time to listen to. As the BrakeSec ( Brakeing Down Security Podcast ) page says "Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly."

This isn't a transcript, just me making some typed notes, corrections or comments welcome.

The link to the appropriate page is here: http://brakeingsecurity.com/2017-036-adam-shostack-talks-about-threat-modeling-and-how-to-do-it-properly

The link to the podcast is here: http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3

Different threat modelling methods are:

STRIDE: It's a bad taxonomy, but it's useful as a mnemonic. It stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privilege. It helps you think of how each endpoint or data flow or connection could be attacked.

Trike: Asset-centric, has a spreadsheet, it's its own methodology.

PASTA: Has seven steps, it's promoted as a "risk centric system", Adam describes it as useful for a consultant because it describes interview steps at the start and comes to risk at the end.

DREAD: Don't use it; it "is a lovely acronym and a bad risk-management approach". You assign a 1-10 rating to each letter and average them out, with no guidance on how ratings are given.

Overall, the aim of this is to find threats, not to rate them.
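To make the STRIDE point concrete, here is STRIDE-per-element applied to a small data-flow diagram. This is an added example, not code from the podcast or from Shostack; the applicability chart is the STRIDE-per-element table from his Threat Modeling book, and the diagram, trust-zone names and element names are constructed for illustration.

```python
# Added example: STRIDE-per-element over a constructed data-flow diagram.
# Not from the podcast or Shostack's own tooling. The applicability chart
# below is the STRIDE-per-element table from Shostack's Threat Modeling book;
# the diagram, zones and names are constructed for illustration.
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories are worth asking about for each kind
# of diagram element (external entity, process, data store, data flow).
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool  # a flow between two different trust zones


def enumerate_threats(elements, flows):
    """Return the STRIDE 'menu' of threats to consider for every element and flow.

    The aim, as the podcast puts it, is to find threats, not to rate them:
    each entry is a question to ask, not a score.
    """
    known = {e.name for e in elements}
    threats = []
    for e in elements:
        if e.kind not in ("external", "process", "store"):
            raise ValueError(f"unknown element kind {e.kind!r} for {e.name}")
        for code in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[code], False))
    for f in flows:
        for end in (f.src, f.dst):
            if end.name not in known:
                raise ValueError(f"flow {f.name!r} references undeclared {end.name!r}")
        crosses = f.src.zone != f.dst.zone
        for code in APPLICABLE["flow"]:
            threats.append(Threat(f.name, STRIDE[code], crosses))
    return threats


def prioritised(threats):
    """Boundary-crossing flows first: that is where the STRIDE questions bite."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.target, t.category))


# Constructed diagram: browser -> web app -> user database, plus an audit log
# that sits in the same zone as the web app.
BROWSER = Element("browser", "external", "internet")
WEBAPP = Element("web app", "process", "dmz")
USERDB = Element("user db", "store", "internal")
AUDIT = Element("audit log", "store", "dmz")

ELEMENTS = [BROWSER, WEBAPP, USERDB, AUDIT]
FLOWS = [
    Flow("login request", BROWSER, WEBAPP),   # internet -> dmz, crosses
    Flow("user lookup", WEBAPP, USERDB),      # dmz -> internal, crosses
    Flow("login event", WEBAPP, AUDIT),       # dmz -> dmz, does not cross
]

if __name__ == "__main__":
    for t in prioritised(enumerate_threats(ELEMENTS, FLOWS)):
        flag = "boundary" if t.crosses_boundary else "        "
        print(f"{flag}  {t.target:15} {t.category}")
```

Running it lists 25 questions to work through, with the six on the two boundary-crossing flows at the top.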

Tuesday 3 July 2018

Gareth Southgate looking to other sports and areas for tactics and ideas

Just a brief summary of the articles I've found showing that Gareth Southgate has sought knowledge outside of his specific area:

BBC 26th June 2018 - https://www.bbc.co.uk/sport/football/44616567 - interesting that the Seahawks and the use of set-pieces are specifically mentioned.

Telegraph 26th June 2018 - https://www.telegraph.co.uk/world-cup/2018/06/26/gareth-southgate-fuelled-englands-world-cup-bid-inspiration/ - a useful summary of just how many other sports Southgate has referred to, notably the way NFL stars are presented to the media.

See also this from the Guardian https://www.theguardian.com/football/2018/jun/25/england-set-pieces-world-cup ; and this from MyNorthwest in the USA http://sports.mynorthwest.com/477017/keen-to-embrace-us-sporting-ideas-southgate-revives-england/?

Hopefully the England team does well enough that I can use this quote from Southgate: "One of the reasons some of our guys have travelled is to see how the NFL operate because we don't have to do things the way they've always been done, we can try different things that work" ( my emphasis ) - from http://www.espn.co.uk/football/england/story/3371770/england-boss-gareth-southgate-looks-to-super-bowl-for-inspiration

And a note to myself, if I rewrite my current presentation with more soccer references, Sir Bobby Robson is very quotable: https://www.bbc.co.uk/sport/football/44605562 ; this from Alan Shearer:

As a player, I always knew there would be opportunities at set-pieces, if not for me then for one of my team-mates.

At Newcastle, Sir Bobby Robson would tell us "there is always one dope who falls asleep" and we would try to pick out the defender who would let his side down.

Monday 2 July 2018

Lessons from the Legion - references from my presentations at Snoopcon and DC4420

Further to my presentations at Snoopcon and DC4420, please find a list of the most relevant references.

I'm flattered by the interest I've received, if my ideas had coalesced sooner, and I'd have expected such a response, I would have done this in advance. Thank you for your patience.

I've categorised references by type, kind of, I figure that's the easiest way for people to navigate this. Constructive feedback always welcome.

Books:

"Bullshit Jobs" is by David Graeber, there's a description here https://www.penguin.co.uk/books/295446/bullshit-jobs/

"It's Football, Not Soccer" is by Stefan Szymanski and Silke-Maria Weineck. I haven't read it, I just spotted a tweet. The book is here: https://www.amazon.co.uk/Its-Football-Soccer-Vice-Versa-ebook/dp/B07C9DJFKD

The Numbers Game by Chris Anderson covers Strong Link and Weak Link games, and well, actually, I should buy this and read it, but this article covers all you need to know: http://www.asalesguy.com/soccer-and-messi-basketball-and-lebron-how-one-is-like-sales-and-the-other-isnt/

Blog posts:

Log Blog - Tim Brown's blog on incident response issues can be found here: https://blogs.cisco.com/security/the-importance-of-logs

Rapid 7 on the number of CVEs is here: https://blog.rapid7.com/2018/04/30/cve-100k-by-the-numbers/

Presentations:

Blinky Boxes - Frasier Scott's presentation on threat modelling has slides here: https://speakerdeck.com/zeroxten/threat-modeling-the-ultimate-devsecops I think this is part of his current repertoire, so best caught live of course; or seeing as he's in DevOps, it'll have iterated several times already.

CTFs - The Last CTF Talk You'll Ever Need from DEFCON 25, is here: https://www.youtube.com/watch?v=MbIDrs-mB20

CTRL+Break The OODA Loop by Abel Toro of Forcepoint from BSides London 2018 isn't up yet on their channel https://www.youtube.com/channel/UCXXNOelGiY_N96a2nfhcaDA ; it was on Track 3, I'm hoping that was recorded... or that Abel will be giving the presentation again.

The Cuckoo's Egg reference was inspired by Paul Midian's BSides Glasgow 2018 keynote "Everything You Know Is Wrong" - https://www.youtube.com/watch?v=KvksyvF6MN4

Hackers being needed on the Blue Team comes from Haroon Meer's Nullcon Goa 2018 keynote: https://www.youtube.com/watch?v=2F3wWWeaNaM

Ian Fish - Crisis Management - from CrestCON 2018 - is here: https://www.youtube.com/watch?v=R1UOW3xGpZE

Incident Response in Your Pyjamas - Paco Hope - Securi-Tay 2018 - is here: https://www.youtube.com/watch?v=k1J1-WyyJs4

Intruder's Dilemma - is mentioned in this from BSides Munich 2018: https://www.youtube.com/watch?v=PQgsEtRcfAA

Penetration Testing Must Die - Rory McCune at BSides London 2011 - is here: https://www.youtube.com/watch?v=MyifS9cQ4X0

Playbooks - Common Traps & Pitfalls in Red-teaming by Andrew Davies and Jon Medvenics from CRESTCon is here: https://www.youtube.com/watch?v=bYTrwzFUSSE

Pratchett - Circle City Con - The Network Night Watch, by @munin and @hacks4pancakes, is here: https://www.youtube.com/watch?v=kjEdaJ6KhOo

Strategy - John Kindervag's "Win the War With Zero Trust" can be found via BrightTalk here: https://www.brighttalk.com/webcast/10903/280059

Reports:

The Base of Sand Problem, the RAND report that highlights the problems in military modelling/simulations/wargaming that, for me, resonate with issues we face, can be found here: https://www.rand.org/pubs/notes/N3148.html

The Cyber Resilience Report from KPMG, that really makes the point that preparation is key, can be found here: https://assets.kpmg.com/content/dam/kpmg/ie/pdf/2017/09/ie-cyber-resilience-2.pdf

The Global Risks Report 2018 from the World Economic Forum can be obtained here: https://www.weforum.org/reports/the-global-risks-report-2018

Outpost24's report on their survey of RSA attendees can be found here: https://outpost24.com/sites/default/files/2018-05/RSA-2018-Survey-Outpost24.pdf

State of CyberSecurity Report - InfoSecurity Magazine - where they highlight regulation can drive security - can be found here: https://www.infosecurity-magazine.com/white-papers/state-of-cyber-security-report/

Seattle Seahawks and other less cybery references:

The article "Bobby Wagner Can See into the Future" is here: https://www.si.com/mmqb/2017/06/29/nfl-bobby-wagner-seattle-seahawks

Bobby Wagner's PFF rating is from this tweet: https://twitter.com/PFF/status/1005914257563836416 ( as a side note, check out this video on Luke Kuechly, who's also on that list, that's basically team-mates and rivals saying how smart he is https://www.youtube.com/watch?v=umfgvffJ6M0 )

Fewest points allowed - this ESPN article summarises it nicely http://www.espn.co.uk/nfl/story/_/id/17886833/how-seattle-defense-dominated-nfl-five-years-running-nfl-2016

Introduction - the quick cartoon shoulderpunch is taken from this introduction to the game: https://www.youtube.com/watch?v=3t6hM5tRlfA

Kam Chancellor - I think this video sums up what he provided in the narrow focus I use, you may recognise part of it: https://www.youtube.com/watch?v=qgh8HmKVja8 ( as a side note, while I don't think it's relevant to the analogy, Kam Chancellor appears to have retired http://www.espn.com/nfl/story/_/id/23967587/kam-chancellor-seattle-seahawks-safety-appears-announce-retirement-via-twitter - update on 3rd July: this is a good video summary of what he provided to the team https://www.youtube.com/watch?v=8SltNCS4Jg0 )

Legion of Boom - there's a nice retrospective that's just a five minute video: https://www.youtube.com/watch?v=N73r5HemB0M

If you want an emphasis on the boom, watch this: https://www.youtube.com/watch?v=xF6OLtz280Y

My main source for Pete Carroll's philosophy, in many senses of the word, is here: https://www.fieldgulls.com/football-breakdowns/2014/2/3/5374724/super-bowl-48-seahawks-pete-carrolls-richard-sherman-marshawn-lynch ; I have a lot of reading to look forward to.

If you want to see just how many players there are on a team then you'll see the Seahawks roster here: https://www.seahawks.com/team/players-roster/

Tackling video - the Seahawks 2015 video summarising their technique is shown here: https://www.youtube.com/watch?v=6Pb_B0c19xA

Olivia Jeter, Defensive End for Bladensburg High School, is covered in these videos: https://www.youtube.com/watch?v=yAYS2VnfFi8 and https://www.youtube.com/watch?v=5xD8qjihHf8 . Yes, I do realise that those videos are from 2014, but she provides such great soundbites; I must find out what happened to her.

YouGov's survey on British interest in various sports is here: https://yougov.co.uk/news/2018/01/10/what-most-boring-sport/

Tweets:

Grugq being unimpressed by deception technologies is here: https://twitter.com/thegrugq/status/1007724361426452480

Jeremiah Grossman on the Kenna Security report, highlighting 2% of vulnerabilities are exploited, is here: https://twitter.com/jeremiahg/status/996469856970027008 I've got into interesting discussions on how true or untrue that figure may be, watch this space.

Vincent Yiu on recruiter messages on LinkedIn is here: https://twitter.com/vysecurity/status/1005071605419118592

Websites:

Bananas - Chiquita using pharmaceutical packaging is detailed here: http://archive.boston.com/business/globe/articles/2007/03/07/yes_we_have_one_banana/

Banks using mobile phone companies ... dammit, I had a single reference, which I think was a line or two in an article I had to use archive.org to source, but looking for "banks learning from" online there's many industries and many examples.

Bartle's Taxonomy of player types is taken from this: https://en.wikipedia.org/wiki/Bartle_taxonomy_of_player_types

BreachLevelIndex.com is, well, here: https://breachlevelindex.com/

The Caffrey Triangle is mentioned here https://paxsims.wordpress.com/2016/08/19/connections-2016-conference-report/ , I've had it explained to me in person, we all need to be talking about this a lot more, in both cyber security and wargaming.

Cyber Resilience - Phil Huggins' Black Swan Security blog is here: http://blog.blackswansecurity.com/2016/02/cyber-resilience-part-one-introduction/

Cyberscape - the amount of tools we have, is taken from Momentum's cyberscape: https://momentumcyber.com/docs/CYBERscape.pdf

Dentistry using space technology is here: https://phys.org/news/2010-10-benefits-space-technology-dentists.html

Emergency response - the three element model can be seen in some detail here on the College of Policing website: https://www.app.college.police.uk/app-content/operations/command-and-control/command-structures/

Francium - my main inspiration for choosing the element Francium is here: http://www.sparknotes.com/mindhut/2013/09/06/the-worlds-most-dangerous-elements

HorseSenseUK - Equine Assisted Education - can be found here: http://horsesenseuk.com/

Incident Response, the four stages - I detailed that in this blog post: http://blog.sonofsuntzu.org.uk/post/2017/03/26/Notes-on-Incident-Response-from-the-SC-Congress

Incident Response Timelines - this is taken from the Logically Secure website, and can be found here: https://www.logicallysecure.com/blog/ir-metrics-part-1/

Intruder's Dilemma - I think the first reference to it from Richard Bejtlich is here: https://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html

MWR - the TechCrunch article I refer to, where F-Secure note the need for offensive capability, is here: https://techcrunch.com/2018/06/18/f-secure-to-buy-mwr-infosecurity-for-106m-to-offer-better-threat-hunting/

Naval - Paul Raisbeck, who uses his naval experience in what is loosely described as management consultancy, can be found here: https://www.linkedin.com/in/paulraisbeck/ , and a relevant piece by him here: https://www.linkedin.com/pulse/what-could-your-business-learn-from-royal-navy-people-paul-raisbeck/

OODA loops are basically described here, but again, please pay me to research these concepts: https://en.wikipedia.org/wiki/OODA_loop

Playbooks - Rick Howard, the CSO of Palo Alto, on the small number of opponents' playbooks: https://www.csoonline.com/article/3207692/leadership-management/exploit-attacker-playbooks-to-improve-security.html

Practice - "any incident response plan is only as strong as the practice that goes into it" is from Mike Peters, Vice President of RIMS, the industry body for Risk Management. Best to search online for that specific quote and use whichever source will look best in your board level presentation.

Star Wars - security lessons to learn from Hazel Southwell, can be found here: https://www.linkedin.com/pulse/how-blow-up-your-death-star-genuine-data-security-from-southwell/

TRIZ on Wikipedia is here: https://en.wikipedia.org/wiki/TRIZ and the main British consultancy, as far as I can tell, is here: https://www.triz.co.uk/

Overall

Sometimes I get the gist of something and use that. If you know any of these ideas better than I do, meaning that I've missed a nuance, or not read an important reference, please do get in touch. I always appreciate constructive corrections.

Sunday 3 June 2018

Money Making Machines

This is something I've referred to sporadically when talking to people, and I've been meaning to write up for a while... but then I found someone had put it rather well. The best way to make money is to make money making machines. This is explained below.

Meanwhile the original Twitter thread the text comes from is here: https://twitter.com/naval/status/1002103360646823936 ; which I turned into a pretty page by using the Thread Reader bot here: https://threadreaderapp.com/thread/1002103360646823936.html to make it easy for me to cut and paste the text...

How to Get Rich (without getting lucky):

Seek wealth, not money or status. Wealth is having assets that earn while you sleep. Money is how we transfer time and wealth. Status is your place in the social hierarchy.

Understand that ethical wealth creation is possible. If you secretly despise wealth, it will elude you.

Ignore people playing status games. They gain status by attacking people playing wealth creation games.

You’re not going to get rich renting out your time. You must own equity - a piece of a business - to gain your financial freedom.

You will get rich by giving society what it wants but does not yet know how to get. At scale.

Pick an industry where you can play long term games with long term people.

The Internet has massively broadened the possible space of careers. Most people haven't figured this out yet.

Play iterated games. All the returns in life, whether in wealth, relationships, or knowledge, come from compound interest.

Pick business partners with high intelligence, energy, and, above all, integrity.

Don't partner with cynics and pessimists. Their beliefs are self-fulfilling.

Learn to sell. Learn to build. If you can do both, you will be unstoppable.

Arm yourself with specific knowledge, accountability, and leverage.

Specific knowledge is knowledge that you cannot be trained for. If society can train you, it can train someone else, and replace you.

Specific knowledge is found by pursuing your genuine curiosity and passion rather than whatever is hot right now.

Building specific knowledge will feel like play to you but will look like work to others.

When specific knowledge is taught, it’s through apprenticeships, not schools.

Specific knowledge is often highly technical or creative. It cannot be outsourced or automated.

Embrace accountability, and take business risks under your own name. Society will reward you with responsibility, equity, and leverage.

The most accountable people have singular, public, and risky brands: Oprah, Trump, Kanye, Elon.

“Give me a lever long enough, and a place to stand, and I will move the earth.” - Archimedes

Fortunes require leverage. Business leverage comes from capital, people, and products with no marginal cost of replication (code and media).

Capital means money. To raise money, apply your specific knowledge, with accountability, and show resulting good judgement.

Labour means people working for you. It's the oldest and most fought-over form of leverage. Labour leverage will impress your parents, but don’t waste your life chasing it.

Capital and labour are permissioned leverage. Everyone is chasing capital, but someone has to give it to you. Everyone is trying to lead, but someone has to follow you.

Code and media are permissionless leverage. They're the leverage behind the newly rich. You can create software and media that works for you while you sleep.

An army of robots is freely available - it's just packed in data centres for heat and space efficiency. Use it.

If you can't code, write books and blogs, record videos and podcasts.

Leverage is a force multiplier for your judgement.

Judgement requires experience, but can be built faster by learning foundational skills.

There is no skill called “business.” Avoid business magazines and business classes.

Study microeconomics, game theory, psychology, persuasion, ethics, mathematics, and computers.

Reading is faster than listening. Doing is faster than watching.

You should be too busy to “do coffee,” while still keeping an uncluttered calendar.

Set and enforce an aspirational personal hourly rate. If fixing a problem will save less than your hourly rate, ignore it. If outsourcing a task will cost less than your hourly rate, outsource it.

Work as hard as you can. Even though who you work with and what you work on are more important than how hard you work.

Become the best in the world at what you do. Keep redefining what you do until this is true.

There are no get rich quick schemes. That's just someone else getting rich off you.

Apply specific knowledge, with leverage, and eventually you will get what you deserve.

When you're finally wealthy, you'll realize that it wasn't what you were seeking in the first place. But that's for another day.

Sunday 6 May 2018

Librarian of Experts

I had a great conversation with a friend/coach recently about, well, what to do careerwise, and this subject came up.

One of the things I'd like to be, and I'd like to be paid to be, is a "Librarian of Experts". I've always been naturally drawn to smart people, and I get a thrill out of seeing just how good people can be at certain tasks or skills or challenges; and also I enjoy being able to learn the detail about others' areas of expertise without having to go through all the learning they've gone through. I naturally think of people in terms of what they know, I think partly because of laziness/efficiency - why spend a day figuring something out if someone else could give me the answer in thirty seconds ( I'd reciprocate from my own expertise of course ), and partly because it's a chance to have an interesting conversation.

This Neil Gaiman quote has always summarised how I feel about these experts: “Google can bring you back 100,000 answers, a librarian can bring you back the right one.”

However, I struggle to keep track of who I know with expertise in each area, especially if it's not their main or current profession. While my memory isn't great I can usually recall who I know who's proficient in a certain area through a combination of searching LinkedIn, Twitter, and old emails; having some memory that I have a contact who's better at something than I am, or knows more about something than I do, feels like one of the few side benefits to occasional bursts of Imposter Syndrome.

Not only as a profession, but also to make it as easy as possible to discuss potential professions with many others, it would be very useful for me to have some kind of "Capability Matrix" of who I know, and what I could ask them about. This is a requirement that's come up again and again in my permanent jobs, figuring out who in their team can do what, but often the answer is just a half-thought out Excel spreadsheet that only works in very limited disciplines, penetration testing for example.

So if I want some kind of index of talents in people, how do I classify those talents, where do I start? For all of human knowledge, how do I classify what people know in a reliable and repeatable way? I figure the Dewey Decimal system ( https://en.wikipedia.org/wiki/List_of_Dewey_Decimal_classes ) is a start - also it might have established rules for dealing with people/books that fall into more than one category, and established software for computers and mobiles that I can easily adapt from books to people.

For example if you are one of my librarian friends you'd be under 26.026 I believe.

Thank you for your time, my questions are:

  • Is this a good business idea? Even as one of many simultaneous professions? ( I've only seen this in one place before, the company Chime Advisors )
  • Is this the best way to classify people's expertise?
  • I wonder how to deal with people being experts in multiple areas, and so falling into multiple categories?
  • Is there any free software, that works across computers and mobile devices, where this information could be stored?
  • Is there a better solution I've missed?

All suggestions welcome.

Wednesday 4 April 2018

Grabbing all the right cookies from the Burp Pro cookie jar

This solution works for me, on Kali Linux, using my keyboard; as always, YMMV.

In Burp Suite Pro:

  • Select Project Options from the tabs along the top
  • Select the Sessions tab
  • Scroll down to Cookie Jar
  • Click "Open cookie jar"
  • Ctrl+A to select the entire contents
  • Ctrl+C to copy all of that content

Now go to a file open in your favourite text editor. For me this is a file open in vim within the gnome terminal Kali uses.

Ctrl+Shift+Insert to paste the contents of the clipboard into that file.

Now run this command, and you should have a list of cookie names you can work through:

grep <target domain> <name of file> | tr -d "/" | cut -f 3 | sort | uniq
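As an added example, not from the original post, here is a small shell version of the same extraction that matches on the domain column rather than grepping the whole line, so a domain string that also appears inside a cookie value, or in a longer domain such as cdn.example.com, doesn't produce false positives. It assumes the text copied from Burp's "Open cookie jar" dialog is tab-separated with the columns domain, path, name and value; that column layout is an assumption, so check it against your own paste before relying on the field numbers.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the pasted cookie
# jar is tab-separated with columns: domain, path, name, value (assumption).

# Print the unique cookie names set for exactly the given domain.
# Matching on column 1 avoids the false positives a plain
# "grep example.com" gives when the string appears in a longer domain
# (cdn.example.com) or inside a cookie value.
cookie_names() {
  target="$1"
  jar="$2"
  awk -F '\t' -v d="$target" '$1 == d { print $3 }' "$jar" | sort -u
}

# Write a constructed sample of what a pasted cookie jar might look like.
# The cdn.example.com line is there to show what plain grep would wrongly match.
write_sample_jar() {
  printf '%s\t%s\t%s\t%s\n' \
    'example.com'     '/'    'session'   'abc123' \
    'example.com'     '/app' 'csrftoken' 'deadbeef' \
    'cdn.example.com' '/'    'cdnid'     'example.com-user' \
    'example.com'     '/'    'session'   'abc124' \
    > "$1"
}

# Demo: list the cookie names for example.com from the constructed sample.
demo() {
  tmp=$(mktemp)
  write_sample_jar "$tmp"
  cookie_names example.com "$tmp"
  rm -f "$tmp"
}

demo
```

In real use, replace the sample with the file you pasted from Burp: `cookie_names target.example <name of file>`.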

Saturday 24 March 2018

Trying to watch the NFL Network on a KODI system, running in virtualbox, using a USB screen as the output

Yet another niche blog post that only one person will read, but maybe I will save them an evening.

I have an HP Workstation as my new desktop PC, so I'm now only a couple of generations behind in hardware, rather than ten years old. So with the increased memory and processing power, I thought I'd plug my iMo USB screen into it, pass that through to a VM running in virtualbox, and run kodi on that. It's much easier than trying to make the USB screen run under my main Arch Linux and not interfere with the other four screens I've already set up.

( also easier than making it work on a Raspberry Pi, which I tried here: http://blog.sonofsuntzu.org.uk/post/2017/04/01/How-to-run-Xbian-off-a-USB-display )

Considering the time of year in the NFL season, there's a lot happening in free agency and the draft is coming up, so really the reason I wanted to run this was to have the NFL Network playing in the background so I can keep an eye out for headlines.

So....

Attempt 1

Set up: Debian buster, because I know the USB screen just works with Debian.

Reason it failed: NFL Network live streaming ( but not the games apparently ), needs the InputAdaptive and RTMP functionality of KODI to work. It turns out the relevant kodi packages for this haven't been in Debian since Sid.

Attempt 2

Set up: Alpine system, because I like Alpine; it's so small and fast.

Reason it failed: I just couldn't get the keyboard and mouse to work on Alpine once I started X. I tried hard, but not that hard as Alpine has no drivers ( "udlfb" ) for the USB screen anyway, I just wanted to get something working.

Attempt 3

Set up: Linux Mint 18.3. Mint tends to "just work" in general, and is one of the easier Linux distributions to get started with.

Reason it failed: Mint was weird... it would boot in the virtualbox monitor, then the Linux Mint graphical boot screen would appear on the USB monitor, but then the Mint interface would only show on the virtual monitor in virtualbox. This system was then unable to "see" the USB monitor at all, even after removing the specific entry to blacklist the udlfb driver in /etc/modprobe.d/blacklist.conf

Attempt 4

Set up: OpenELEC, installed by converting the OpenELEC img file to a vdi file and booting from it.

Reason it failed: As I suspected already from online forum postings, but I wanted to check with the latest version, OpenELEC doesn't appear to support the virtualbox virtual graphics card, so this didn't get anywhere at all.

Attempt 5

Set up: Windows 10 VM with Kodi installed, it worked well, although it took a while for the system to get the iMo screen drivers installed. For Kodi on Windows the relevant InputAdaptive and RTMP functionality just comes as part of the install package.

Reason it failed: Well... it kind of failed. I could actually watch the NFL Network streaming live using this, but from a quick look at the output of the htop command it was taking a lot to make this happen.

Other Notes

The mouse and keyboard use on this is weird, in general the virtual machine would boot, "transfer" the screen to the USB monitor, but then I'd operate the mouse on the USB screen by moving it around the, now blank, monitor being shown by virtualbox on my PC. On the Linux Mint solution the mouse and keyboard didn't get picked up, but after a reboot or two... it did. As you'll have seen above, it just wouldn't work under Alpine.

On Windows I only got as far as running that with two screens, and sometimes the mouse would be on the monitor being displayed in virtualbox, and the USB monitor, at the same time. I would have been tempted to play with that more except htop was showing how hard my PC was having to work.

Any constructive comments welcome...

Tuesday 6 March 2018

How not to fix the Lenovo Compute Stick 300

A friend was using a Lenovo Compute Stick 300, but a Windows update rendered it inert; as it wouldn't boot, they passed it on to me to take a look.

( TL;DR - I couldn't fix it, I'd be tempted to avoid this form factor in future. )

So I had a go at fixing this, using https://www.tweaktown.com/reviews/7099/intel-compute-stick-stck1a32wfc-2gb-windows-8-1-review/index3.html as a sort of guide to the hardware.

I removed the BIOS battery, as advised in a URL I didn't note, which meant I could get it booting into the BIOS or the Windows recovery options.

However plugging the battery back in, trying all the Windows recovery options, and applying this fix https://support.lenovo.com/gb/en/solutions/ht118103 , didn't fix the device. The device still shows the Lenovo logo for a bit, then just powers itself down; or hitting the hotkey gets me to the BIOS / Windows recovery options, which all fail in the same way as they did when I removed the BIOS battery.

A few notes if you've stumbled across this blog post and want to see if you have more success:

  • The "hotkey" needed to get into the BIOS or Windows Recovery Partition is F2.
  • The "top" is the bit with the Lenovo logo sticker on, the bottom is everything else, including the "vents" on the sides, you'll see the join.
  • It's the only way to do it, but separating the top from the bottom using a screwdriver will mash the plastic.
  • You will need to use considerable force to pull the top off the bottom once you've got the top mostly off the bottom.
  • To disconnect the motherboard from the end of the casing opposite the HDMI port you'll need to lift off the large sticker that covers the bottom.
  • With the USB key plugged in with the new UEFI files it seemed a bit random as to what pressing the hotkey actually took me to.
  • On that second URL, note that you'll need to type "fs1:", with a colon at the end, not "fs1", as per the instructions on the page.

But as I say, after all of the above I'm only slightly farther along than I was when I started - I can boot into different recovery options, but they don't help.

I'll have a crack at putting Linux on it at some point, but right now this is going to the bottom of the "to do" pile.

Wednesday 17 January 2018

Fans specifications in an HP Z600

Making a mockery of RSS I'm just posting this because it's bound to be of use, to someone, on the Internet, once.

  • Double pair rear fans - 12V 0.6A 92mm wide, 25mm deep - both have 4 pins but are amalgamated in the shroud into 6 pins coming out - max rpm 4042 from Thermal option in BIOS, marked as "chassis"
  • Front bottom fan - 12V 0.24A 4 pins, 80mm wide, 25mm deep - uses plastic clips not screws, so will need replacements for those if you replace the fan - the fan that came with my Z600 can't be oiled, max rpm 3158 from Thermal option in BIOS, marked as "PCI"
  • Two separate processor fans - 12v 0.40A, 80mm wide, 15mm deep - can't be deeper due to mounting
  • Top / Memory fan - 12V 0.50A 80mm wide 25mm deep - fan says 495659-001 on it, shroud is 468628-001 - marked as "memory" in Thermal section in the BIOS
  • Small fan - 12V 0.15A 4 pins - 40mm wide, 19mm deep - I think max rpm 8438 from Thermal option in bios, marked "chipset"
  • Power supply fans are 2 x 60mm x 25mm according to HP website

If you can advise on OEM replacements, especially quieter versions, comments are welcome. Note that all of the fans appear to do a speed test as the machine starts.

Saturday 2 September 2017

Bluetooth keyboard reviews

I've had a bunch of Bluetooth keyboards kicking around for ages ( I suspect at least two years ). I've only used a couple of them a couple of times, so I've finally decided to give them a quick try-out - so I thought I'd put those reviews up here in case they turn up in an online search and someone finds them useful. But they have been sat in the To Do pile for quite some time, so make and model are best guesses.

Note that I just typed on each one for three lines or so, while sat properly at a desk, within two feet of the Android phone I was using for testing.

If anyone's intrigued by any of these but wants to confirm whether:

  • they remain connected for more than a few minutes
  • they can hold a charge for a day
  • they have any specific functionality you're after for Unix / terminal usage
  • the specific placement of specific keys

do say so in the comments and I'll figure that out.

Some crappy Bluetooth thing off eBay

Bah, I can't find this in my order histories online, it looks like this:

I don't know this specific make and model so all I can say is to avoid the really cheap stuff. While this did appear to replicate what I typed on the screen it has a weird double space bar, the keys feel genuinely awful, and the USB power connector is Micro A.

Anker TC320

So that'll be this one: https://www.amazon.co.uk/Bluetooth-Ultra-Slim-Aluminum-Keyboard-Windows/dp/B00BKW2410 - do note that searching for this model will actually bring up a newer version.

Works nicely on my Android phone, pretty big size, and I had this one relatively loose in a large bag, so the middle is something like 2mm higher than the edges, but it still works. OK if you want a decent size keyboard, but you'll want it in a firm bag.

EC Technology Foldable Keyboard

I think it's this, or close enough: https://www.amazon.co.uk/EC-Technology-Foldable-Ultra-Slim-Aluminium-3-Folding-Keyboard/dp/B00QRQZQR8/

This is reasonable enough to type on - it's essentially a "meh" keyboard, which is the best you can expect from something portable. Also it folds up nicely and appears to be suitably rugged, so something that will slip into a pocket or smaller bag.

Note it doesn't have a right CTRL key, which just might be important to you. Also the layout is, er, American, I think.

Zoom Bluetooth Keyboard - Series 1087 - Model 9010

Pretty sure this is this one: http://www.zoomtel.com/products/9010.html ... hmmm, this was left on a low power charger ( 500mA or so ) overnight, then left switched off for a few days, and had no charge left. It has a row of media keys along the top, with what I think are a "home button" key and a "lock screen" key.

Seems rugged enough too, not sure about that charge going away. Also bear in mind the power socket is USB Mini-B, not Micro-B.

Periboard-805

A bluetooth foldable keyboard - which will look like this:


The key positioning is too weird on this one - the EC Technology foldable keyboard is OK because it folds a quarter of the way in from either end, this keyboard folds in the middle - which means the centre of the space bar I tend to hit is the join, the right shift is in a weird place, and the placement of the keys in the middle detracts from ease of use. Only the foldable keyboards will fit in the smallest of my bags, along with a phablet and a spare battery... so I like the idea of them, but they don't seem to work in practice, at least without spending more money.

Palm Universal Wireless Keyboard

This https://www.cnet.com/products/palm-3169ww-universal-wireless-keyboard/review/ . Not a Bluetooth keyboard, just an illustration of what I had lying around in the "must figure out what this is" pile ;)

Saturday 1 April 2017

How to run Xbian off a USB display on a Raspberry PI

The short version

Don't.

The long version

( I've not gone into too much detail, I figure the only people who'll stumble across this are either considering the same solution, or troubleshooting their own attempt )

I had a Raspberry Pi 2, it's a "2+" I think, running Xbian. Xbian is a pre-built version of Kodi, the popular media player that used to be called XBMC. No X server is used, Xbian turns your Raspberry Pi into a media player with relatively little effort.

Having acquired a couple of USB screens over the years I thought it would be useful to connect one of these screens to the Pi, just so something like BBC News 24 or the NFL Network could run in the background to the side of my main monitors, or a Twitch channel.

So I connected a Mimo USB UM710 monitor and rebooted the Pi. This came up as a green screen, which means that the udlfb driver has loaded; and from the command line I can see that I have "/dev/fb0" and "/dev/fb1" - meaning that two framebuffers are available.

However I couldn't find any way within the Xbian interface to direct Xbian to use /dev/fb1, nor any kind of option to specify this in any of its configuration files.

I tried using the con2fb tool to redirect a different console to each framebuffer, directing tty1 to the USB monitor, in the hope that Xbian was starting on tty1 ... but still running "kodi start" from the command line brings up Xbian on HDMI.

I looked at somehow disabling the first framebuffer, but to no avail; the relevant bcm2708_fb driver is part of the kernel, and there's no way to stop it being used. Also I don't know if that functionality is required to generate the graphics that are then sent to the USB monitor using the udlfb driver. I expect that a Raspbian kernel can be compiled that doesn't include this functionality, but I decided that for a relatively simple system, which I'm trying to use in as "plug and play" a way as possible, compiling my own kernels was a step too far, especially as I had no idea if the solution would work or not.

Also, ideally, I would be able to switch this device from using the USB screen to an HDMI screen with a few commands.

( As a side note, if you're looking at this in general it's worth researching the "chvt" and "xbmc_send.py" commands online )

On further research it turns out this is a common issue for people trying to extend their use of a Raspberry Pi.

That research did lead to a couple of possible solutions; these are framebuffer copiers, or mirrors, that copy the output from one framebuffer to another. While not ideal, this could work.

Firstly I tried fbcp but that just didn't work.

I set the Xbian resolution down to 480p to match what the USB screen was capable of, but this didn't make a difference.

So I moved on to raspi2fb instead.

This worked up to a point, showing the output of the first framebuffer at the right resolution, and at something like 25 frames a second. While slightly jerky this was more than enough to satisfy my requirement to keep an eye on the channel. Kodi's BBC News 24 plugin worked fine, the NFL Network worked fine at a low enough resolution ... but both the Twitch and YouTube plugins would crash the entire system. As far as I can tell it seemed that if I attempted to display anything above the resolution supported by the USB screen the Pi would just crash and need to be manually restarted. Also the system was now a little flaky in general.

I tried both 1.0 amp and 2.0 amp power supplies with the same result.

In the end I gave up, and decided I'd try something else to get Xbian on the USB monitor.

However having disconnected the USB screen, and tried using the Raspberry Pi on an HDMI monitor again, it's crashed after a few minutes. I'll be seeing if there's some kind of software diagnostics I can run to spot any obvious problems - it feels like something the community will have written already.

So in the end I have a Pi that appears to be broken in some way, possibly a result of how many USB devices I plugged into it at once - suggestions for easy ways of running hardware diagnostics are welcome in the comments below.

Sunday 26 March 2017

Notes on Incident Response from the SC Congress

I had the pleasure of attending the "Do Data Breaches Matter? Mitigating Impact" session at the SC Congress last month ( details here http://www.sccongress.com/london/programme/section/4505/ ).

The panel consisted of:

  • Beverley Allen CISA, Information Security Professional, Independent
  • Bob Tarzey, Analyst and Director, Quocirca
  • Sarb Sembhi CISM, CTO CISO DPO, Virtually Informed

There were some great points made on incident response, which I've summarised below:

The stages of incident response

The actions that result from an incident being detected and becoming a breach fall into the stages below:

Stage 1 - The company wonders why it's been attacked, is in shock to discover it has been successfully compromised.

Nothing happens during this stage.

Stage 2 - Staff ask "What do we do? What's the plan? Where's the plan?"

A lack of leadership will be shown up here.

Also people will think they know better than the plan and will act independently.

It will be illustrated that the plan has never been tested and does not work in practice.

Stage 3 - Dealing with the breach

I.T. teams are likely to take control of the situation because the compromise will be I.T. based, and they will fall back on, or create, informal processes if no formal processes are available.

Internal teams may make land grabs during incident response, or actively avoid responsibility in order to avoid blame; both responses are counter-productive.

Stakeholders will want updates during the incident and afterwards, this capability should be planned for.

Everyone has a role, even if that role is staying out of the way.

Stage 4 - After the breach has been resolved.

It is important here to review the actions that took place in the previous stage, so that the breach can be learnt from in future. If an ad-hoc response method was used it's extremely unlikely that sufficient information will be available.

While the impact on share price and customer trust can be insignificant over the longer term, don't underestimate the impact of staff morale on the long term viability of their employer; also, scrutiny by regulators and auditors will be intense and ongoing.

Stage 0

Not a term that was used on the day, but looking at the stages above much of the conversation covered what was required before an incident response plan had to be initiated:

Part of thinking ahead is determining who is in charge of the breach response, and who should be contacted, and how.

This is the most important stage to get right, and is the foundation for best practice for all the other stages.

Companies don't have time to be breached, so make time now for your preparation - Sarb Sembhi.

"You have to do all of your thinking up front, test it, and test it again" - Beverley Allen.
