Slashdot Mirror


User: Minupla

Minupla's activity in the archive.

Stories: 0 · Comments: 687

Comments · 687

  1. Will never displace Gopher! on Mosaic, the First HTML Browser That Could Display Images Alongside Text, Turns 25 (wired.com) · · Score: 2

    Proving you should NEVER trust me to make tech predictions, upon seeing Mosaic, I will forever be remembered as saying "Who'd ever use that, Gopher is WAY more efficient"

    Oops.

    Min

  2. Re:Managers, meet HR on McAfee Finds That Gamers Are Strong Candidates for Cybersecurity Jobs (venturebeat.com) · · Score: 1

    One of my better hires was a poli sci major...

    This. One of my best promotions ever was a woman who had started in the call center. She knew all the ins and outs of the software and every fraud trick in the book. She also had a technical mindset. When I resigned, I recommended her for my old position, and she's rocking it.

    CyberSecurity IMO is about 50% technical chops, and 50% soft/social/psych skills, outside of some narrow entry level positions. Even a technical pentester needs to be able to put themselves in the shoes of the developer and ask themselves "If I were them, where might I have taken a shortcut".

    That's why it's so difficult to hire for the position.

    Min

  3. Speaking as someone who has hired them... on McAfee Finds That Gamers Are Strong Candidates for Cybersecurity Jobs (venturebeat.com) · · Score: 3, Interesting

    90% of my interview candidates can't articulate the difference between public key and symmetric encryption. I'd probably hire them if they could play Zork, and knew the difference between the two.

  4. The Matrix was a great movie on Nokia's Banana Phone From The Matrix is Back (theverge.com) · · Score: 2

    The Matrix was a great movie, too bad they never made any sequels!

  5. Re:but coding is hard! on Barbie Will Be Used To Teach Kids To Code (engadget.com) · · Score: 3, Informative

    Interestingly there might be deep reasons why men are more prone to autism and aspergers

    Actually - it turns out that diagnosis presents differently in girls/women and that many (high functioning, although that term has been dropped from the DSM-V, I still use it to differentiate the set of people who have enough social communication skills to 'pass') ASD women get misdiagnosed, or go undiagnosed.

    There is some legitimate debate in the medical community if there is a biological basis for the difference in expression of the symptoms in autism in women, or if it comes from the fact that society, when faced with a non-socially-conforming female puts into place a social training regime that would make most intensive behavioral intervention programs jealous, which works to lower the observable impact of the symptoms. As in most things, it's probably a bit of column A and a bit of column B.

    Since we don't know what causes Autism, it's difficult to say how prevalent it is in women. It's worth noting that the prevalence of diagnosed cases in women has increased over the years though, which absent a causal factor to increase its expression in women suggests that we are still coming to grips with the different symptoms in women.

    Some background reading for those interested:
    http://onlinelibrary.wiley.com...
    http://www.autism.org.uk/about...

    Source: I'm the father of a newly diagnosed ASD daughter, and research is how I deal with life. Please, if you have a child, male or female, and you suspect ASD, get them tested. If it's significant enough that you suspect it, it's also impacting their lives.

    My daughter was diagnosed years late because her pediatrician mistook the symptoms for shyness, and it wasn't until she was seen and tested by a specialist that we got the correct diagnosis.

    Min

  6. Re:How Hard Is It To Curate Youtube KIDS Properly? on 'Something Is Wrong On the Internet' (medium.com) · · Score: 1

    Backyardigans was a favorite at our place for exactly this reason, it didn't make us want to run away screaming.

  7. Re:Frequently changed on With Rising Database Breaches, Two-Factor Authentication Also At Risk (hackaday.com) · · Score: 1

    Then the point of greatest vulnerability becomes whatever is protecting whatever keys or passwords that the password manager uses. A password manager adds no additional security by itself, and only is superior to using individual passwords in that it can be more convenient to use, but it is certainly not any more secure (arguably, it may be less secure, because all of your passwords are stored in one place, and if that is compromised, you have to change *ALL* of your passwords).

    The big advantage for me is that when one of the hundreds of sites I log into gets compromised, that's it. Compromising site #1 tells an attacker nothing about site #2 (and if site #1 has done ANY hashing at all, I can smile as I imagine someone trying to determine when they crack my hash, as they'll just get more randomness)

    Also, my password manager gives me u2f protection so I can get some of the advantage of 2fa even on sites that will never get it.

    So I'm left with my windows/linux password, my password manager password and my bank card PIN to remember. My windows and my password manager are both ~30 characters, alpha/num/symbol. My password manager also requires a 2FA auth. Working on windows/linux.

    My bank card is chip+pin so have fun with the smartchip. :)

    As always, security is risk based, this works for my risk profile, yours will be different so you'll have different security needs.

  8. Depends on A 14-Year-Old Asks: When Should I Get a VPN? · · Score: 1

    Like with all of these questions, it depends.

    My daughter was borrowing one of my IPs on a VPN provider when she was 5. Why? She was following me to hacker conferences, and we wanted her traffic to be encrypted (5 is too young to end up on the Wall of Sheep!)

    If your 14 year old is politically active in a repressive regime, (I'll leave it as an exercise for the reader to determine if their regime is repressive) hopefully they already have one.

    If they want to roll their own as a project, I'd be like "sure!" - Mind, I'm realistic that if mine decided she wanted to access the internet unfettered she'd go to a friend's place, or outsmart dear ol' Daddy (can you think of a way to get data out of your work network? Your kid can likely come up with a way to jump your firewall too...)

    So best to teach them safe habits and cross the fingers. The 'great firewall of China' strategy's time has gone.

    Min

  9. If it's worrying you.... on Almost Half of Tech Workers Worry About Losing Their Jobs Because of Ageism, Says Survey (siliconbeat.com) · · Score: 4, Interesting

    Get ready to change. There's lots of roles in IT that tend to prefer more experienced folks, the type of role where "Ya, I've seen that 5 times before, here's what we're going to do about it..." is the order of the day. Architectural roles of all stripes, infosec in general, etc. I've moved roles a few times in the last 25 years, (network monkey -> Mgmnt -> infosec -> infosec architecture) and I always find a new fun challenge every time I have.

    You're probably in technology because you can adapt to change, not because you're scared of it. Embrace that.

    Min

  10. Re: Not noticing?? That's bad on Equifax CSO 'Retires'. Known Bug Was Left Unpatched For Nearly Five Months (marketwatch.com) · · Score: 2

    Add to this - It's not exactly 'normal' for the CSO level to be exposed to the level of detail of "Hey boss we have this Apache Struts vulnerability in these servers. We're gonna punt this down the road a bit... now moving down to decision #343 made by people below you in the last week"

    CSO level conversations are more of the sort "Hey boss, as you can see on the dashboard, we have 124 vulnerabilities that have breached our maximum time to resolution according to the policy. Can we get another headcount for vulnerability management next budget cycle?"

    CSOs are forward looking and strategic, not tactical. Large companies deal with small breaches "Shit, Joe clicked the link! Quarantine his system till we can clean that up." all the time. Companies can't afford enough CSOs for them to have enough time to have the visibility for this breach to be laid at their feet.

    So I doubt if she had a PhD in Bruce Schneiderness coupled with a minor in Chuck Norrisness, she could have stopped this CNN moment.

    Now on the other hand, the question of how the hell you could have an impending CNN moment and anyone can say the CSO sold stock a day before and didn't know anything with a straight face strains credibility.

    Min

  11. Re: Mobile phones on What Happened To Winamp? (arstechnica.com) · · Score: 2

    44 (AKA old enough that I had to break out calc to work that out :)) and ditto. You can apparently teach an old dog new tricks, although I'll NEVER understand my daughter's love for watching other people play games on Youtube she doesn't wanna play herself! I'll watch her watching someone play a game on youtube and offer to get it for her on Steam. "No it's OK Daddy, I just wanna watch play".

    Kids these days!

  12. Re:Trump's base on Trump Adviser Steve Bannon is Leaving White House Post (nytimes.com) · · Score: 1

    I've always found this puzzling - the concept of anti-american values. As a Canadian, I find it hard to imagine telling anyone who is not waving a Nazi flag around that they have anti-Canadian values. Frankly anything I'd classify that as are anti-Human values too.

  13. I realize that was probably a rhetorical question, but I'm gonna be that guy and answer it seriously anyways.

    In a way, that's the tough one. You NEED someone to be the 'risk champion' just like someone in the 3 of you needs to ensure the bills get paid. And maybe Mr AC is right and it should be you as you've at least shown the interest to get involved in my conversation. In a small company, your ability to recover from a risk event is very limited, but your chief asset is the ability to take risks, so you need to carefully decide which bets you're going to take. Also, one of the key dangers in a small group like yours is echo-chambering. Having someone whose job it is to look at risk in a structured manner is one of the best defenses against group-think in my opinion.

    They tend to be the folks who raise their hand and point out that doing a major project release on the day most of your customers are doing their end of month, when you're a key piece of that process is likely not worth the benefit of releasing a week earlier. (I literally once saw a release control meeting go from all yes with one no to all nos in exactly that scenario).

  14. Re:QA testing.... on Hundreds Of Smart Locks Get Bricked By A Buggy Firmware Update (bleepingcomputer.com) · · Score: 4, Interesting

    In most companies I've worked in, *you* don't decide. You raise the risk to your risk management team, who breaks the bad news to the people who get paid to make the 'hot seat' decisions.

    So failure analysis suggests one of the following happened, all of which fall under the "QA" side of the business processes:

    1) QA was not thorough enough to detect that this firmware update would have enough of a worse failure rate to raise business risks to an unacceptable level.
    2) Risk management wasn't doing their job
    or
    3) Management made a poor business call on letting this go out, and didn't plan for the risk coming to pass (e.g. with pre-staged replacement devices, prepared messaging, etc)

  15. QA testing.... on Hundreds Of Smart Locks Get Bricked By A Buggy Firmware Update (bleepingcomputer.com) · · Score: 5, Insightful

    I've seen it increasingly over the last few years, shortcuts on testing in order to get an update/new product out the door. This is short sighted. In a year, no one is going to remember it took you a week longer to get it out the door. People WILL remember if you brick all your devices.

  16. Yep, simple fix - no more http://tvtropes.org/pmwiki/pmwiki.php/UsefulNotes/HollywoodAccounting

    "Darling! This is the Industry! The really creative people are the accountants. A big studio got over half the profit, after setting breakeven at about three times the cost, taking twenty-five percent of income as an overhead charge, and taking thirty percent of income as a distribution charge, plus rental fees, and prime interest on what they advanced."
    - John D. MacDonald, Free Fall in Crimson

  17. I find the electronics side stuff to be in better shape although that might be more because of the circles my daughter fell into by accident of my profession.

    Snap circuits aren't bad as a 100 in 1 replacement, a bit dumbed down but essentially replaces spring terminals and jumper wire with coat-button snaps.

    Beyond that, I owe the crew in the hardware hacking village at Defcon a big debt of thanks for teaching a 5 year old how to solder and giving her kits to put together each year she went down there. Aside from being a good way to learn some electronics skills, the self-image of being a kid who can solder provided her with armor against society's attempts to pigeonhole her. She defines her own self-image and screw everyone else. You should hear her rant about toy stores with Girls sections and Boy sections. She shops happily on both sides.

    Min

  18. Re:Well, that's done then on Hearing Loss of US Diplomats In Cuba Is Blamed On Covert Device (bostonglobe.com) · · Score: 5, Insightful

    Cubans did

    Citation needed. The apparent attack happened in Cuba, it does not follow that it was perpetrated by the Cuban authorities, any more than an attack on a diplomat on US soil is assumed to be caused by the CIA. It might be, but at this point it appears to be he-said, she-said.

    Min

  19. Re:The future on US Product Safety Commission Warns That Some Fidget Spinners Explode (cnn.com) · · Score: 3, Insightful

    As a parent of an up and coming geekling, it annoys me immensely how difficult it is to get a hold of chemistry sets that contain, you know, chemicals!

    90% of them are reduced to baking soda and vinegar, which you have to supply. They include the safety goggles tho, sheesh.

    Min

  20. Re:Count the bumper stickers on Google Cancels Town Hall To Discuss Diversity In Its Ranks (nbcnews.com) · · Score: 1

    America

    One thing a lot of people are missing is that America is not the majority of customers for Google.

    Min

  21. Re:Enlightenment values on Google May Be In Trouble For Firing James Damore (inc.com) · · Score: 1

    At the end of the day it was a damned-if-you-do, damned-if-you-don't situation. If they'd let it lay, they'd have opened themselves up to hostile work environment accusations from female employees, lawsuits, federal attention, as well as the associated good will damage.

    This route they open themselves up to a lawsuit, as well as the associated good will damage.

    Looks like Google took the action that lowered their risk, assuming corporate legal sees it the same way. That drives a LOT of business decisions. Remember at the end of the day the folks who own this decision answer to the shareholders. They have a duty to act in the best fiduciary interests of the shareholders. Left vs Right matters a lot less (I won't say nil, as culture has a value too) than what the most probable outcome looks like in terms of $$$s. I expect they will quietly buy off the lawsuit with a confidentiality clause in the settlement for a lot less than they figure the hostile work environment suits would cost them.

    Min

  22. I can remember a few passwords. I can't remember a 24 digit random alpha-numeric-symbol string.

    You know what I do when I get one of those "Geez, sorry guys, we hashed our data with md5 and posted it on our fridge and someone got all your passwords. Change them quick!" emails from SecurityWazzat.org? Giggle as I imagine someone chewing up cycles trying to dehash my random gibberish... Hope they enjoy waiting forever for my password to turn into something readable. Oh, and since I use a different random password for each site it doesn't matter anyways.

    Now I'm in the infosec industry and some of my passwords protect other people's data, and I have a responsibility to keep your data safe, but let's not be so dismissive of other people's security practices. If HorseBatteryStaple is secure enough for your risk tolerances, that's awesome, but it won't be for everyone else's.

    Oh and I'll leave this here for anyone interested in a more in-depth review of password security:

    https://diogomonica.com/2014/1...

    Min

  23. And any infosec job. From my first training course:

    Instructor: "What's the first duty of an Infosec professional, the thing you should do every single day?"
    Student: "Check the firewall logs?"
    Instructor: "Wrong. The thing you should do every single day is update your resume, because your most critical organizational function is to be the one to get fired WHEN, not IF, something goes catastrophically wrong. This is because the bad guys need to get lucky once, you have to be good EVERY TIME."

    Min

  24. Re:This is absolutely... on Cable Giants Step Up Piracy Battle By Interrogating Montreal Software Developer (www.cbc.ca) · · Score: 1

    secret tribunal

    I think that's overstating it a bit. As can be seen by following your first link, the findings of the tribunal are public (unlike the national security ones on either side of the border, which I'll grant you, are egregious, although at least on the CND side, they've been getting a bit more transparent, ( http://ca.reuters.com/article/... )). We'll see how it works out.

    On a personal note, I don't mind the CND hate speech laws. In cases where I've had the stomach to review the actual objectionable material that has been found to be in violation (and there have been cases where the tribunal found that it wasn't hate speech too) I wouldn't personally say that it was an indispensable part of the social commentary on the subject, and I was just as glad to have it judged as such.

    Min

  25. Re:Sweeping statements on Students Are Better Off Without a Laptop In the Classroom (scientificamerican.com) · · Score: 1

    "Students Are Better Off Without a Laptop In the Classroom" is the very definition of a sweeping claim. Adding 'average' or 'most' might change that fact.

    Min