Son Of Sun Tzu


Monday 2 May 2016

Why legal firms should consider moving to the Cloud.

A few days ago @munin highlighted a critical issue with Office365 and SAML assertions, and suggested that this is why high-stakes data shouldn't be in the Cloud. The tweets are here:

https://storify.com/SonOfSunTzu/no-it-doesn-t

Credit for discovery of the vulnerability goes to Ioannis Kakavas and Klemen Bratec, their write-up is cross-posted on their blogs:

http://www.economyofmechanism.com/office365-authbypass.html

https://bratec.si/security/2016/04/27/road-to-hell-paved-with-saml-assertions.html

In response to this issue being disclosed @munin asserted that this is why "high-stakes data" shouldn't be in the Cloud.

Now, I see where @munin is coming from: I was, and to some extent still am, a fan of on-premises data storage rather than having data out there on the Internet somewhere. However, information security is so difficult, the required protective infrastructure so expensive, and skilled people so hard to find, that using Cloud services to obtain that infrastructure and those skills is the way to go. There are many, many reasons, but I think these are the big ones:

1 Law firms are notoriously reluctant to spend on information security, and arguably it's not economically viable for them to obtain security of the level used on Office 365. I state this from personal experience, not just from the fallout of the recent Mossack Fonseca breach. Thankfully this was recently discussed on the invaluable Risky Business podcast, episode 407 - http://risky.biz/RB407 - head 35 minutes in if you're short of time, but otherwise the whole podcast is worth listening to. Anyway, HD Moore stated:

"if you look into legal services ... any industry where you've got a lot of high paid professionals that are not IT, the IT aspects of the security side of the business generally gets neglected; they just don't value the IT people, the security people, as much as they should. So that's one of the reasons you see a lot of wide open law firms..." ( edited slightly for clarity )

2 Munin's statement that "Because diversity in setups prevents large-scale attacks from working" is wrong. Theoretically it is incorrect: diverse but equally poor or out-dated setups, combined with the prevalence of easy-to-use tools such as Metasploit and the almost universal success of repeatable tactics such as phishing, mean that diversity is of no use here. Practically, I think the sheer number of successful attacks, and the results from published breach investigation reports, show that, whether through the large number of attackers, the low security of targets, or both, facing new infrastructure isn't slowing anyone down. This is mainly due to the right skills being hard to find. Again, the timing of Risky Business was fortunate, as Space Rogue ( Chris Thomas, Strategist for Tenable Network Security ) said later on in that episode: "it comes down to people ... security people are hard to come by, they cost a fortune, and if you want decent security you need someone who knows what they're doing".

3 This disclosure was rewarded because of Microsoft's bug bounty programme... I assert that it's far less likely for a law firm to run such a programme.

4 Using this specific issue as an example, it was fixed in seven hours; I can't imagine a law firm's IT department being capable of achieving anything near that.

Overall, if putting high-stakes data in the Cloud isn't the "best way", it is the "least worst". Wanting to keep high-stakes data out of the Cloud is understandable, but particularly in the case of law firms, it's a little like saying it's safer to keep your life savings under your mattress rather than in a bank: yes, you're not part of a big and attractive target, but your security is going to be much, much worse.

Footnote - of course, you need the right Cloud service... as pointed out on Risky Business 407, Mossack Fonseca are selling their own secure cloud document service: http://www.mossfon.com/service/evolusoft/

Saturday 9 April 2016

Do the Seahawks need a good offensive line?

There's been a lot of consternation over the apparent lack of talent on the Seahawks Offensive Line. For example this article states it "may just be the worst position group in the entire NFL".

But, as squeaky as their playoff games were, the Seattle Seahawks were one score away from taking their Divisional playoff game into overtime, and did go 10-6 for the season; whereas the offensive lines I hear the most compliments about are the Browns and the Cowboys, who went 3-13 and 4-12 respectively.

So, do offensive lines matter? It's interesting to compare the 32 NFL teams' successes against the quality of their offensive lines and see if there's a match. I'm taking the quality of the offensive lines in the 2015 season from Pro Football Focus's rankings at the end of the season here: https://www.profootballfocus.com/blog/2016/01/20/pro-ranking-all-32-offensive-lines-this-season/ ; and my analysis... well, my quick look at some stats... is inspired by Sheil Kapadia's article on ESPN: http://espn.go.com/blog/seattle-seahawks/post/_/id/18978/making-sense-of-the-seahawks-offensive-line-philosophy .

So, comparing offensive line rank to the most important statistic first, did the team make the playoffs or not?

Rank Team Playoffs?
1 Dallas Cowboys yes
2 Carolina Panthers yes
3 New Orleans Saints yes
4 Atlanta Falcons yes
5 Cleveland Browns yes
6 Oakland Raiders yes
7 Green Bay Packers yes
8 Cincinnati Bengals yes
9 Buffalo Bills yes
10 Pittsburgh Steelers yes
11 Washington Redskins yes
12 Philadelphia Eagles yes
13 Baltimore Ravens yes
14 Minnesota Vikings yes
15 Indianapolis Colts yes
16 Chicago Bears yes
17 Arizona Cardinals yes
18 Houston Texans yes
19 Jacksonville Jaguars yes
20 New York Giants yes
20 Denver Broncos yes
22 Kansas City Chiefs yes
23 Tampa Bay Buccaneers yes
24 Detroit Lions yes
25 New England Patriots yes
26 New York Jets yes
27 San Francisco 49ers yes
28 St Louis Rams yes
29 Tennessee Titans yes
30 Seattle Seahawks yes
31 Miami Dolphins yes
32 San Diego Chargers yes

So, apart from showing that tables are hard.... there is a pretty even spread of playoff teams across all levels of offensive line play quality.

How about teams versus wins? The X axis below is decreasing in offensive line rank from left to right, so you'd expect a general trend of wins to go down from left to right...

[Chart: offensive line rank (x axis, decreasing left to right) against 2015 wins]

Same again, I see no trend by wins.

But how about a more realistic rating of how good a team is than wins, FootballOutsiders' offensive DVOA ranking? Lower numbers are a higher rank.

[Chart: offensive line rank against Football Outsiders offensive DVOA rank]

Again, all over the place.

Originally I planned some kind of scatter graph with team or helmet logos, but that's not something I can put together in a reasonable amount of time. So while it's something I've thrown together using online resources, and arguably some of the axes should have been the other way around... I think the complete lack of any trend shows something. Especially as the offensive line is about half of one side of the team, and key to every play, I think the results are a little surprising; maybe, of all the positions, the offensive line is the one where team play matters more than a collection of individual statistics?

And maybe, in relation to the Seahawks, it shows that a philosophy of having an Offensive Line that is just good enough, rather than exemplary, especially considering the apparent lack of talent at the position, is the way to go?

Monday 21 March 2016

Prototype 2

You've somehow stumbled across this blog post because you want to know if Prototype 2 is worth playing. I played it on the Xbox360 and really enjoyed it.

This summary of the game pretty much tells you what you'll be doing:

"Tear your way through the quarantined streets of Manhattan, crushing tanks and ripping apart horrific mutants, with awesome super-mutant powers of your own. You are Sgt James Heller, a soldier and grieving husband, taking down everyone responsible for the murder of your family, and have your revenge!"

If you're wondering whether to spend the £16 or so on Xbox Live to download it, or pick up a second hand copy from somewhere like CEX for £4, the game will suit you if you want:

  • An offline game, no connectivity is required, there's no multi-player options. I think some of the "RADNet" functionality will have gone away if you're offline or buying this game so late that it's been removed from Xbox Live servers, but all you'll be missing are some side quests that mainly involve running across rooftops or throwing barrels into incinerators.
  • A game where you don't have to think that hard... as you can see from the summary above, contrary to my last game, Remember Me, in this case you're definitely in the "I'm a gruff male, and I need to avenge the loss of someone or something by killing everything in range" zone.
  • Hilariously over the top and indiscriminate combat - it would have been interesting to have a penalty for injuring or killing the citizens you're apparently there to protect, but due to the auto-aiming combat system and the area effect of the weapons you'll obtain, you'll find yourself shredding anything that gets in between you and your target... whether you want to or not. At the start of the game those civilians will be bystanders you try to avoid; an hour in, they're just wandering health packs.
  • A game that isn't that difficult. I think I'm of about average ability for a video game player, and this game was only slightly challenging on Normal level.

In order to play it you will need:

  • At least 20 hours of time according to gamelengths.com, I'm sure I took longer, maybe 30 or 40.
  • No squick about blood or tendrils, there is a lot of cutting people apart in this game, or literally pulling them to pieces; and you obtain information from adversaries by literally consuming and absorbing them.
  • An acceptance of "game logic", you can evade helicopters chasing you by running around a corner and switching to a different identity, you gain powers by collecting things because that's what happens in video games, there are boss fights because there are always boss fights.
  • No extra cash, the DLC is all essentially optional as far as I could tell.

Saturday 12 March 2016

Does the Samsung EDD-S20HWE mobile phone dock work with a Samsung Galaxy Mega's MHL output over cables that claim to carry MHL, even the decent cables from StarTech that have 11 pins rather than 5?

No.

Sunday 28 February 2016

"The Deactivation of the American Worker"

"The Deactivation of the American Worker - From factories to cubicles to open offices to Slack channels" , a very well put article on the rise of "the new feudalism" in the workplace, and the changing nature of work, can be found here.

For readers with time: it's about a ten minute read, and is a nice summary of what seems to be the current state of play.

For cyber security readers: this emphasises how important IDAM is, with so many more employees being mainly online, and defined and controlled by their access to online resources, getting IDAM right becomes increasingly important when you need to hire or fire people rapidly without error.

For "time poor" people who just want a quick hit and struggled to skim this far down the post: the article uses the word "perma-terror", which is a great kentucky word.

I wrote another blog

Well actually, I didn't, it just feels like it.

This really hit home - http://puttylike.com/is-this-the-biggest-multipotentialite-fear/ ; it's a quick coffee break sized read, and if this covers your views on procrastination or commitment: "This is the fear that I suspect might be the most toxic fear of all:What about my freedom? What if I want to do something else later? What if I change my mind?" then you'll enjoy it, you might even get that wonderful "how did you get into my head?!?!" feeling.

I haven't felt quite like this for a while, the last time was reading Daniel Miessler's blogs on Free Will, I think https://danielmiessler.com/blog/honesty-multiple-truths/ is the one that really made me envious that a half-formed idea from my head was put so well, and so succinctly.

And yes, I know, but trackbacks, how do they work?

Monday 4 January 2016

Florence Mussolini

I like memes.

In a Facebook thread a little while ago a FOAF suggested quotes attributed to Florence Nightingale, but which were actually by Benito Mussolini. This was amusing, but it turns out the alternative works much better...

[Images: three "Florence Mussolini" memes (flo1, flo2, flo3) and the original Facebook thread (FB1)]

Thursday 31 December 2015

Not A Good Day To Die Hard

"A Good Day To Die Hard" is the fifth instalment in the Die Hard series of films, an engaging set of action packed movies, so should you watch this one?

TL;DR - no, don't watch this film.

If you're after a good film - it just isn't. There's no real suspense, the characters aren't engaging, the actors are capable of much better performances, and the interesting twist isn't enough to save it... and for an action film, the action is disappointing. Check out IMDB and Rotten Tomatoes for similar but more comprehensive reviews.

If you're after a mindless action film - don't watch this, the action sequences are somehow boring... there are armoured personnel carriers barrelling through the streets of Moscow, there are helicopters on fire, and I didn't care. Maybe it needs a large screen and surround sound, but the dramatic events just didn't engage me, and there's a lot of "but that wouldn't happen", "why is that character doing that?", "why has there been no police response at all", and "maybe we should just fast forward through this bit".

If you're after a "good bad" film - I will blog more about these in future, as myself and a few friends are fans of "so bad they're good" films... but this film isn't in that class, it isn't that kind of bad; it's just perplexing and confusing.

The only reason to watch this film for me - so I could watch the "Everything Wrong With" episode afterwards - https://www.youtube.com/watch?v=tA42PExrg3g

Monday 21 December 2015

Remember Me

You've somehow stumbled across this blog post because you want to know if Remember Me is worth playing. I played it on the Xbox360 and really enjoyed it.

If you want a spoilerific summary there's this, or keep this in mind as something to watch after you've completed the game: https://www.youtube.com/watch?v=zxsxCPwYHFw

Otherwise there's a nice summary of reviews at Wikipedia: https://en.wikipedia.org/wiki/Remember_Me_(video_game)#Reception ; or the description on the Xbox website is: "Break into people’s minds and steal memories" ...

Neo-Paris. 2084. Personal memories can now be digitised, bought, sold and traded. The last remnants of privacy and intimacy have been swept away in what appears to be a logical progression of the explosive growth of social networks at the beginning of the 21st century. The citizens themselves have accepted this surveillance society in exchange for the comfort only smart technology can provide. This memory economy gives immense power over society to just a handful of people.

Remember Me™ is a 3rd person action adventure where players take on the role of Nilin, a former elite memory hunter with the ability to break into people’s minds and steal or even alter their memories.

If you're wondering whether to spend the £19.99 on Xbox to download it... bear in mind that the game will suit you if you want:

  • An offline game, no connectivity is required, there's no multi-player options.
  • A different kind of protagonist and therefore a different drive for the story. It's enjoyable to have the reason behind your actions in the game be something different from "I'm a gruff male, and I need to avenge the loss of someone or something by killing everything in range".
  • Scenery that looks good. Even on my Xbox360 I sometimes just stopped to look around.
  • A relaxing time - apart from some difficult fights, a lot of time you are progressing through what is essentially an interactive movie. While there is a lot of leaping around to do, it just involves directing the main character, Nilin, to the correct location and pressing the jump button, rather than having any specific aiming or timing requirements for the leap; so it's engaging rather than taxing.

In order to play it you will need:

  • About 8 to 16 hours of time according to reviews on line, most notably this site http://www.gamelengths.com/games/playtimes/Remember+Me/ . I'm an averagely skilled player, and while the game doesn't tell me how long I played it for, I'm pretty sure it was over 16 hours.
  • Some suspension of disbelief, the AI can be ropey and predictable, the "hit people to regain health" idea doesn't survive scrutiny... but it's just a game, to me the world was so well built I found it easy to go with the flow rather than be thrown out of the game by a "fridge moment".
  • Patience for some of the boss fights. I mostly found them challenging rather than insurmountable, although a couple were in the "I'll try again tomorrow" class; and there's plenty of advice online on how to defeat particular opponents.
  • No extra cash, the DLC is all essentially optional as far as I could tell.

Sunday 13 December 2015

The Message podcast

The best description of this podcast is from its website on http://themessagepodcast.com/.

The Message is a new podcast following the weekly reports and interviews from Nicky Tomalin, who is covering the decoding of a message from outer space received 70 years ago. Over the course of 8 episodes we get an inside ear on how a top team of cryptologists attempt to decipher, decode, and understand the alien message.

Each week she’ll bring you the latest chapter, so it’s important to listen in starting with Episode 1.

The Message is a co-production between Panoply and GE Podcast Theater, unlocking the secrets of healing with sound technology.

I'd be surprised if it's not quite different to what you usually listen to, whoever you are, so it's recommended if you want a break - my subscriptions are mostly around information security, with the occasional Radio 4 comedy and sports podcast thrown in, and quite a lot of Nerdist interviews... this was definitely a change of pace.

To listen to them all you'll need just under two hours and probably a mild suspension of disbelief as I'm not sure about some of the science on radio and audio and biology; but I'd be interested to hear thoughts from anyone knowledgeable in that area.

I loved it, I found it really gripping and interesting, especially in a "what would I do in that situation?" kind of way, which to me is always the sign of an involving drama. It's very much whatever the podcast equivalent is to a "page turner", so maybe save it for a long flight or similar where you need to lose two hours all in one go ...

Tuesday 10 March 2015

First post

I am the first post. Edit me.
