Tuesday 17 May 2016

"although it's unpleasant, you do want to have nay saying voices involved in any sort of decision that you make"

As a former penetration tester, and sporadic wargamer, I am completely sold on the "red team" concept. For those of you not familiar with the area, I'd describe it as "having someone or something with an adversarial mindset examine your nascent idea or project or hypothesis for flaws from the point of view of sentient opposition, and also to extrapolate the second and third order effects from the implementation of that idea". I am still surprised at how rare this point of view is, although I realise that I might be preaching to the converted.

I'm still working on having the kind of reputation where you can quote me to your managers and get the resource for the Red Team Department you want to set up... but if I can't help, how about Professor David Dunning? David Dunning is "Professor of Psychology at Cornell University. As an experimental social psychologist, Dr. Dunning is a fellow of both the American Psychological Society and the American Psychological Association." His full details are here: , and he is best known for his work on the Dunning-Kruger Effect. I had the pleasure recently of listening to him being interviewed for the "You're Not So Smart" podcast, episode 72: - it's well worth your time, and these are a couple of particularly useful quotes:

"There are some helpful points that psychology suggests in order to avoid overconfidence that leads you over the cliff, if you will. The first is that, although it's unpleasant, you do want to have nay saying voices involved in any sort of decision that you make. That is, you want someone to play devil's advocate. Basically to poke holes in what the group or the institution might be thinking about what it wants to do. The reason for that is, having a devil's advocate can help the organization spot when it's being overconfident. Or, sometimes just improve the decision that the institution’s going to do. So you want that."

"Having a devil’s advocate is unpleasant ... but what it does do is it does insulate you against unknown incompetence. And you just know that it’s going to show up sooner or later, you just don’t know where. So you might as well just have these policies that help you address the problems that you can’t anticipate when they finally rear up and try to bite you."

Episode 72 was a re-broadcast of episode 36, and these quotes are taken from the transcript of episode 36 of the "You Are Not So Smart: A Celebration of Self Delusion" podcast with some minor editing for clarity. The transcript is here:

Monday 2 May 2016

Why legal firms should consider moving to the Cloud.

A few days ago @munin highlighted a critical issue with Office365 and SAML assertions, and suggested that this is why high-stakes data shouldn't be in the Cloud. The tweets are here:

Credit for discovery of the vulnerability goes to Ioannis Kakavas and Klemen Bratec, their write-up is cross-posted on their blogs:

In response to this issue being disclosed @munin asserted that this is why "high-stakes data" shouldn't be in the Cloud.

Now I see where @munin is coming from. I was, and to some extent still am, a fan of on-premises data storage rather than having it out there on the Internet somewhere. However, information security is so difficult, the required protective infrastructure is so expensive, and skilled people are so hard to find, that using Cloud services to obtain that infrastructure and those skills is the way to go. There are many, many reasons, but I think these are the big ones:

1 Law firms are notoriously reluctant to spend on information security, and arguably it's not economically viable for them to obtain security of the level used on Office 365. I state this from personal experience, not just from the fallout of the recent Mossack Fonseca breach. Thankfully this was recently discussed on the invaluable Risky Business podcast, episode 407 - - skip 35 minutes in if you're short of time, but otherwise the whole podcast is worth listening to. Anyway, HD Moore stated:

"if you look into legal services ... any industry where you've got a lot of high paid professionals that are not IT, the IT aspects of the security side of the business generally gets neglected; they just don't value the IT people, the security people, as much as they should. So that's one of the reasons you see a lot of wide open law firms..." ( edited slightly for clarity )

2 Munin's statement that "diversity in setups prevents large-scale attacks from working" is wrong. In theory it is incorrect because diverse but equally poor or out-dated setups, given the prevalence of easy to use tools such as Metasploit and the almost universal success of repeatable tactics such as phishing, mean that diversity is of no use here. In practice I think the sheer number of successful attacks, and the results from published Breach Investigation Reports, show that whether through the large number of attackers, the low security of targets, or both, facing new infrastructure isn't slowing anyone down. This is mainly due to the right skills being hard to find. Again, the timing of Risky Business was fortunate, as Space Rogue ( Chris Thomas, Strategist for Tenable Network Security ) said later on in that episode: "it comes down to people ... security people are hard to come by, they cost a fortune, and if you want decent security you need someone who knows what they're doing".

3 This disclosure was rewarded because of Microsoft's bug bounty programme... I assert that it's far less likely for a law firm to run such a programme.

4 Using this specific issue as an example, it was fixed in seven hours, I can't imagine a Law Firm's IT department being capable of achieving anything near to that.

Overall, if putting high-stakes data in the Cloud isn't the "best way", it is the "least worst". Wanting to keep high-stakes data out of the Cloud is understandable, but particularly in the case of law firms, it's a little like saying it's safer to keep your life savings under your mattress rather than in a bank: yes, you're not part of a big and attractive target, but your security is going to be much, much worse.

Footnote - of course, you need the right Cloud service... as pointed out on Risky Business 407, Mossack Fonseca are selling their own secure cloud document service:

Sunday 13 December 2015

The Message podcast

The best description of this podcast is from its website on

The Message is a new podcast following the weekly reports and interviews from Nicky Tomalin, who is covering the decoding of a message from outer space received 70 years ago. Over the course of 8 episodes we get an inside ear on how a top team of cryptologists attempt to decipher, decode, and understand the alien message.

Each week she’ll bring you the latest chapter, so it’s important to listen in starting with Episode 1.

The Message is a co-production between Panoply and GE Podcast Theater, unlocking the secrets of healing with sound technology.

I'd be surprised if it's not quite different to what you usually listen to, whoever you are, so it's recommended if you want a break - my subscriptions are mostly around information security, with the occasional Radio 4 comedy and sports podcast thrown in, and quite a lot of Nerdist interviews... this was definitely a change of pace.

To listen to them all you'll need just under two hours and probably a mild suspension of disbelief as I'm not sure about some of the science on radio and audio and biology; but I'd be interested to hear thoughts from anyone knowledgeable in that area.

I loved it, I found it really gripping and interesting, especially in a "what would I do in that situation?" kind of way, which to me is always the sign of an involving drama. It's very much whatever the podcast equivalent is to a "page turner", so maybe save it for a long flight or similar where you need to lose two hours all in one go ...