Son Of Sun Tzu

Tag - recommendations

Monday 2 July 2018

Lessons from the Legion - references from my presentations at Snoopcon and DC4420

Further to my presentations at Snoopcon and DC4420, please find a list of the most relevant references.

I'm flattered by the interest I've received; if my ideas had coalesced sooner, and I'd expected such a response, I would have done this in advance. Thank you for your patience.

I've categorised references by type, kind of; I figure that's the easiest way for people to navigate this. Constructive feedback always welcome.


"Bullshit Jobs" is by David Graeber, there's a description here

"It's Football, Not Soccer" is by Stefan Szymanski and Silke-Maria Weineck. I haven't read it, I just spotted a tweet. The book is here:

The Numbers Game by Chris Anderson covers Strong Link and Weak Link games, and well, actually, I should buy this and read it, but this article covers all you need to know:

Blog posts:

Log Blog - Tim Brown's blog on incident response issues can be found here:

Rapid 7 on the number of CVEs is here:


Blinky Boxes - Fraser Scott's presentation on threat modelling has slides here: I think this is part of his current repertoire, so best caught live of course; or seeing as he's in DevOps, it'll have iterated several times already.

CTFs - The Last CTF Talk You'll Ever Need from DEFCON 25, is here:

CTRL+Break The OODA Loop by Abel Toro of Forcepoint from BSides London 2018 isn't up yet on their channel; it was on Track 3, I'm hoping that was recorded... or that Abel will be giving the presentation again.

The Cuckoo's Egg reference was inspired by Paul Midian's BSides Glasgow 2018 keynote "Everything You Know Is Wrong" -

Hackers being needed on the Blue Team comes from Haroon Meer's Nullcon Goa 2018 keynote:

Ian Fish - Crisis Management - from CrestCON 2018 - is here:

Incident Response in Your Pyjamas - Paco Hope - Securi-Tay 2018 - is here:

Intruder's Dilemma - is mentioned in this from BSides Munich 2018:

Penetration Testing Must Die - Rory McCune at BSides London 2011 - is here:

Playbooks - Common Traps & Pitfalls in Red-teaming by Andrew Davies and Jon Medvenics from CRESTCon is here:

Pratchett - Circle City Con - The Network Night Watch, by @munin and @hacks4pancakes, is here:

Strategy - John Kindervag's "Win the War With Zero Trust" can be found via BrightTalk here:


The Base of Sand Problem, the RAND report that highlights the problems in military modelling/simulations/wargaming that, for me, resonate with issues we face, can be found here:

The Cyber Resilience Report from KPMG, that really makes the point that preparation is key, can be found here:

The Global Risks Report 2018 from the World Economic Forum can be obtained here:

Outpost24's report on their survey of RSA attendees can be found here:

State of CyberSecurity Report - InfoSecurity Magazine - where they highlight regulation can drive security - can be found here:

Seattle Seahawks and other less cybery references:

The article "Bobby Wagner Can See into the Future" is here:

Bobby Wagner's PFF rating is from this tweet: ( as a side note, check out this video on Luke Kuechly, who's also on that list, that's basically team-mates and rivals saying how smart he is )

Fewest points allowed - this ESPN article summarises it nicely

Introduction - the quick cartoon shoulderpunch is taken from this introduction to the game:

Kam Chancellor - I think this video sums up what he provided in the narrow focus I use, you may recognise part of it: ( as a side note, while I don't think it's relevant to the analogy, Kam Chancellor appears to have retired - update on 3rd July: this is a good video summary of what he provided to the team )

Legion of Boom - there's a nice retrospective that's just a five minute video:

If you want an emphasis on the boom, watch this:

My main source for Pete Carroll's philosophy, in many senses of the word, is here: ; I have a lot of reading to look forward to.

If you want to see just how many players there are on a team then you'll see the Seahawks roster here:

Tackling video - the Seahawks 2015 video summarising their technique is shown here:

Olivia Jeter, Defensive End for Bladensburg High School, is covered in these videos: and Yes, I do realise that those videos are from 2014, but she provides such great soundbites, I must find out what happened to her.

YouGov's survey on British interest in various sports is here:


Grugq being unimpressed by deception technologies is here:

Jeremiah Grossman on the Kenna Security report, highlighting 2% of vulnerabilities are exploited, is here: I've got into interesting discussions on how true or untrue that figure may be, watch this space.

Vincent Yiu on recruiter messages on LinkedIn is here:


Bananas - Chiquita using pharmaceutical packaging is detailed here:

Banks using mobile phone companies ... dammit, I had a single reference, which I think was a line or two in an article I had to use to source, but looking for "banks learning from" online there's many industries and many examples.

Bartle's Taxonomy of player types is taken from this: is, well, here:

The Caffrey Triangle is mentioned here, I've had it explained to me in person, we all need to be talking about this a lot more, in both cyber security and wargaming.

Cyber Resilience - Phil Huggins' Black Swan Security blog is here:

Cyberscape - the amount of tools we have, is taken from Momentum's cyberscape:

Dentistry using space technology is here:

Emergency response - the three element model can be seen in some detail here on the College of Policing website:

Francium - my main inspiration for choosing the element Francium is here:

HorseSenseUK - Equine Assisted Education - can be found here:

Incident Response, the four stages - I detailed that in this blog post:

Incident Response Timelines - this is taken from the Logically Secure website, and can be found here:

Intruder's Dilemma - I think the first reference to it from Richard Bejtlich is here:

MWR - the TechCrunch article I refer to, where F-Secure note the need for offensive capability, is here:

Naval - Paul Raisbeck, who uses his naval experience in what is loosely described as management consultancy, can be found here: , and a relevant piece by him here:

OODA loops are basically described here, but again, please pay me to research these concepts:

Playbooks, Rick Howard, the CSO of Palo Alto, on the small number of opponents' playbooks:

Practice - "any incident response plan is only as strong as the practice that goes into it" is from Mike Peters, Vice President of RIMS, the industry body for Risk Management. Best to search online for that specific quote and use whichever source will look best in your board level presentation.

Star Wars - security lessons to learn from Hazel Southwell, can be found here:

TRIZ on Wikipedia is here: and the main British consultancy, as far as I can tell, is here:


Sometimes I get the gist of something and use that. If you know any of these ideas better than I do, meaning that I've missed a nuance, or not read an important reference, please do get in touch. I always appreciate constructive corrections.

Saturday 2 September 2017

Bluetooth keyboard reviews

I've had a bunch of Bluetooth keyboards kicking around for ages ( I suspect at least two years ). I've only used a couple of them a couple of times, so I've finally decided to give them a quick try-out - so I thought I'd put those reviews up here in case they turn up in an online search and someone finds them useful. But they have been sat in the To Do pile for quite some time, so make and model are best guesses.

Note that I just typed on each one for three lines or so, while sat properly at a desk, within two feet of the Android phone I was using for testing.

If anyone's intrigued by any of these but wants to confirm whether:

  • they remain connected for more than a few minutes
  • they can hold a charge for a day
  • they have any specific functionality you're after for Unix / terminal usage
  • the specific placement of specific keys

do say so in the comments and I'll figure that out.

Some crappy Bluetooth thing off eBay

Bah, I can't find this in my order histories online, it looks like this:

I don't know this specific make and model so all I can say is to avoid the really cheap stuff. While this did appear to replicate what I typed on the screen it has a weird double space bar, the keys feel genuinely awful, and the USB power connector is Micro A.

Anker TC320

So that'll be this one: - do note that searching for this model will actually bring up a newer version.

Works nicely on my Android phone, pretty big size, and I had this one relatively loose in a large bag, so the middle is something like 2mm higher than the edges, but it still works. OK if you want a decent size keyboard, but you'll want it in a firm bag.

EC Technology Foldable Keyboard

I think it's this, or close enough:

This is reasonable enough to type on - it's essentially a "meh" keyboard, which is the best you can expect from something portable. Also it folds up nicely and appears to be suitably rugged, so something that will slip into a pocket or smaller bag.

Note it doesn't have a right CTRL key, which just might be important to you. Also the layout is, er, American, I think.

Zoom Bluetooth Keyboard - Series 1087 - Model 9010

Pretty sure this is this one: ... hmmm, this was left on a low power charger ( 500mA or so ) overnight, then left switched off for a few days, and had no charge left. It has a row of media keys along the top, with what I think are a "home button" key and a "lock screen" key.

Seems rugged enough too, not sure about that charge going away. Also bear in mind the power socket is USB Mini-B, not Micro-B.


A Bluetooth foldable keyboard - which will look like this:


The key positioning is too weird on this one - the EC Technology foldable keyboard is OK because it folds a quarter of the way in from either end, this keyboard folds in the middle - which means the centre of the space bar I tend to hit is the join, the right shift is in a weird place, and the placement of the keys in the middle detracts from ease of use. Only the foldable keyboards will fit in the smallest of my bags, along with a phablet and a spare battery... so I like the idea of them, but they don't seem to work in practice, at least without spending more money.

Palm Universal Wireless Keyboard

This . Not a Bluetooth keyboard, just an illustration of what I had lying around in the "must figure out what this is" pile ;)

Monday 13 February 2017

The "Targus Wireless Bluetooth Presenter Remote Control & Mouse Cursor", model BEU0564C

In an earlier blog here I stated I was going to use a Targus device that combined the functionality of being a wireless mouse, and a wireless remote control for presenting; rare functionality that is exactly what I was after.

As stated... it does work with Linux, but only for short periods of time. Sometimes it can only last for a couple of minutes before it just kind of forgets that it was talking to something else. This makes it completely unusable for presentations, and essentially completely worthless. Reading through the Amazon reviews more thoroughly, it looks like I'm not the only one with this problem.

I realise the device was on the "cheap and cheerful" side but I expected basic functionality, rather than no functionality.


Suggestions for equivalent but reliable devices would be appreciated in the comments.

Tuesday 17 May 2016

"although it's unpleasant, you do want to have nay saying voices involved in any sort of decision that you make"

As a former penetration tester, and sporadic wargamer, I am completely sold on the "red team" concept. For those of you not familiar with the area, I'd describe it as "having someone or something with an adversarial mindset examine your nascent idea or project or hypothesis for flaws from the point of view of sentient opposition, and also to extrapolate the second and third order effects from the implementation of that idea". I am still surprised at how rare this point of view is, although I realise that I might be preaching to the converted.

I'm still working on having the kind of reputation where you can now quote me to your managers and get the resource for the Red Team Department you want to set up... but if I can't help, how about Professor David Dunning? David Dunning is "Professor of Psychology at Cornell University. As an experimental social psychologist, Dr. Dunning is a fellow of both the American Psychological Society and the American Psychological Association." His full details are here: , he's most well known for his work on the Dunning-Kruger Effect. I had the pleasure recently of listening to him being interviewed for the "You're Not So Smart" podcast, this was episode 72: - it's well worth your time, and these are a couple of particularly useful quotes:

"There are some helpful points that psychology suggests in order to avoid overconfidence that leads you over the cliff, if you will. The first is that, although it's unpleasant, you do want to have nay saying voices involved in any sort of decision that you make. That is, you want someone to play devil's advocate. Basically to poke holes in what the group or the institution might be thinking about what it wants to do. The reason for that is, having a devil's advocate can help the organization spot when it's being overconfident. Or, sometimes just improve the decision that the institution’s going to do. So you want that."

"Having a devil’s advocate is unpleasant ... but what it does do is it does insulate you against unknown incompetence. And you just know that it’s going to show up sooner or later, you just don’t know where. So you might as well just have these policies that help you address the problems that you can’t anticipate when they finally rear up and try to bite you."

Episode 72 was a re-broadcast of episode 36, and these quotes are taken from the transcript of episode 36 of the "You Are Not So Smart: A Celebration of Self Delusion" podcast with some minor editing for clarity. The transcript is here:

Monday 21 March 2016

Prototype 2

You've somehow stumbled across this blog post because you want to know if Prototype 2 is worth playing. I played it on the Xbox360 and really enjoyed it.

This summary of the game pretty much tells you what you'll be doing:

"Tear your way through the quarantined streets of Manhattan, crushing tanks and ripping apart horrific mutants, with awesome super-mutant powers of your own. You are Sgt James Heller, a soldier and grieving husband, taking down everyone responsible for the murder of your family, and have your revenge!"

If you're wondering whether to spend the £16 or so on Xbox Live to download it, or pick up a second hand copy from somewhere like CEX for £4 the game will suit you if you want:

  • An offline game, no connectivity is required, there's no multi-player options. I think some of the "RADNet" functionality will have gone away if you're offline or buying this game so late that it's been removed from Xbox Live servers, but all you'll be missing are some side quests that mainly involve running across rooftops or throwing barrels into incinerators.
  • A game where you don't have to think that hard... as you can see from the summary above, contrary to my last game, Remember Me, in this case you're definitely in the "I'm a gruff male, and I need to avenge the loss of someone or something by killing everything in range" zone.
  • Hilariously over the top and indiscriminate combat - it would have been interesting to have a penalty for injuring or killing the citizens you're apparently there to protect, but due to the auto-aiming combat system and area effect of the weapons you'll obtain you'll find yourself shredding anything that gets in-between you and your target... whether you want to or not. At the start of the game those civilians will be bystanders you try to avoid, by one hour in they're just wandering health packs.
  • A game that isn't that difficult. I think I'm of about average ability for a video game player, and this game was only slightly challenging on Normal level.

In order to play it you will need:

  • At least 20 hours of time according to, I'm sure I took longer, maybe 30 or 40.
  • No squick about blood or tendrils, there is a lot of cutting people apart in this game, or literally pulling them to pieces; and you obtain information from adversaries by literally consuming and absorbing them.
  • An acceptance of "game logic", you can evade helicopters chasing you by running around a corner and switching to a different identity, you gain powers by collecting things because that's what happens in video games, there are boss fights because there are always boss fights.
  • No extra cash, the DLC is all essentially optional as far as I could tell.

Thursday 31 December 2015

Not A Good Day To Die Hard

"A Good Day To Die Hard" is the fifth instalment in the Die Hard series of films, an engaging set of action packed movies, so should you watch this one?

TL;DR - no, don't watch this film.

If you're after a good film - it just isn't. There's no real suspense, the characters aren't engaging, the actors are capable of much better performances, and the interesting twist isn't enough to save it... and for an action film, the action is disappointing. Check out IMDB and Rotten Tomatoes for similar but more comprehensive reviews.

If you're after a mindless action film - don't watch this, the action sequences are somehow boring... there's armoured personnel carriers barrelling through the streets of Moscow, there's helicopters on fire, and I didn't care. Maybe it needs a large screen and surround sound, but the dramatic events just didn't engage me, and there's a lot of "but that wouldn't happen", "why is that character doing that?", "why has there been no police response at all", and "maybe we should just fast forward through this bit".

If you're after a "good bad" film - I will blog more about these in future, as myself and a few friends are fans of "so bad they're good" films... but this film isn't in that class, it isn't that kind of bad; it's just perplexing and confusing.

The only reason to watch this film for me - so I could watch the "Everything Wrong With" episode afterwards -

Monday 21 December 2015

Remember Me

You've somehow stumbled across this blog post because you want to know if Remember Me is worth playing. I played it on the Xbox360 and really enjoyed it.

If you want a spoilerific summary there's this, or keep this in mind as something to watch after you've completed the game:

Otherwise there's a nice summary of reviews at Wikipedia: ; or the description on the Xbox website is: "Break into people’s minds and steal memories" ...

Neo-Paris. 2084. Personal memories can now be digitised, bought, sold and traded. The last remnants of privacy and intimacy have been swept away in what appears to be a logical progression of the explosive growth of social networks at the beginning of the 21st century. The citizens themselves have accepted this surveillance society in exchange for the comfort only smart technology can provide. This memory economy gives immense power over society to just a handful of people.

Remember Me™ is a 3rd person action adventure where players take on the role of Nilin, a former elite memory hunter with the ability to break into people’s minds and steal or even alter their memories.

If you're wondering whether to spend the £19.99 on Xbox to download it... bear in mind that the game will suit you if you want:

  • An offline game, no connectivity is required, there's no multi-player options.
  • A different kind of protagonist and therefore a different drive for the story. It's enjoyable to have the reason behind your actions in the game be something different from "I'm a gruff male, and I need to avenge the loss of someone or something by killing everything in range".
  • Scenery that looks good. Even on my Xbox360 I sometimes just stopped to look around.
  • A relaxing time - apart from some difficult fights, a lot of time you are progressing through what is essentially an interactive movie. While there is a lot of leaping around to do, it just involves directing the main character, Nilin, to the correct location and pressing the jump button, rather than having any specific aiming or timing requirements for the leap; so it's engaging rather than taxing.

In order to play it you will need:

  • About 8 to 16 hours of time according to reviews online, most notably this site. I'm an averagely skilled player, and while the game doesn't tell me how long I played it for, I'm pretty sure it was over 16 hours.
  • Some suspension of disbelief, the AI can be ropey and predictable, the "hit people to regain health" idea doesn't survive scrutiny... but it's just a game, to me the world was so well built I found it easy to go with the flow rather than be thrown out of the game by a "fridge moment".
  • Patience for some of the boss fights. I mostly found them challenging rather than insurmountable, although a couple were in the "I'll try again tomorrow" class; and there's plenty of advice online on how to defeat particular opponents.
  • No extra cash, the DLC is all essentially optional as far as I could tell.

Sunday 13 December 2015

The Message podcast

The best description of this podcast is from its website on

The Message is a new podcast following the weekly reports and interviews from Nicky Tomalin, who is covering the decoding of a message from outer space received 70 years ago. Over the course of 8 episodes we get an inside ear on how a top team of cryptologists attempt to decipher, decode, and understand the alien message.

Each week she’ll bring you the latest chapter, so it’s important to listen in starting with Episode 1.

The Message is a co-production between Panoply and GE Podcast Theater, unlocking the secrets of healing with sound technology.

I'd be surprised if it's not quite different to what you usually listen to, whoever you are, so it's recommended if you want a break - my subscriptions are mostly around information security, with the occasional Radio 4 comedy and sports podcast thrown in, and quite a lot of Nerdist interviews... this was definitely a change of pace.

To listen to them all you'll need just under two hours and probably a mild suspension of disbelief as I'm not sure about some of the science on radio and audio and biology; but I'd be interested to hear thoughts from anyone knowledgeable in that area.

I loved it, I found it really gripping and interesting, especially in a "what would I do in that situation?" kind of way, which to me is always the sign of an involving drama. It's very much whatever the podcast equivalent is to a "page turner", so maybe save it for a long flight or similar where you need to lose two hours all in one go ...