Don Jones

Tech | Career | Musings

During the recent US Presidential election, some friends and I were in a bar watching a news story about a particular early-voting location in Clark County, Nevada, where I live. Since it was a bar, the sound on the TV was down, and closed captioning was on.

“Oh my God,” one friend said, “they’re going to invalidate all the votes in Clark County!”

“Um,” I said, “that’s a pretty strong conclusion to draw.”

“No, that’s what it said right there!” he cried, pointing at the TV.

“No,” I replied, “it definitely did not. It said that they were challenging some of the votes cast at one polling location because they’re alleging it was open late, and the Secretary of State says all state rules were followed and nothing’s being done.”

This is one example of observational skills, or lack thereof. Your observational skills tell other people a lot about you – what are you saying to them?


Grab a copy of your company’s employee handbook. Chances are, it’s more than a couple of pages long. If you’re at a large company, it’s probably huge, and filled with rules – including complex time-off provisions, dress codes, policies, and more. You might, in fact, find some of it to be pretty ridiculous.

But every rule in that handbook – and indeed, most rules in most parts of life – are the direct result of some failure in the past.


The US government, in particular, is doing this a lot. “We have a big cyber initiative.” “We’re very concerned about cyber.” Cyber, cyber, cyber.

Online sex that loners engage in if they are too ugly and boring to get a real boyfriend/girlfriend.

Loner1: Hey wanna cyber?
Loner2: Sure, baby, let me virtually take my clothes off.
Loner1: This is so great.

by Ember November 10, 2003

So, yeah. If you’re not talking about your “big” online sex initiative, then it’s cyber security, folks. And if you’re concerned about online sex… well, okay. Me too. But also be concerned about cyber security, or, for the entire rest of the planet who isn’t pretending to live in a William Gibson novel, information security or infosec, which only vaguely sounds like infosex.
Please point this out to people who try to engage you in “cyber” at work. It is harassment, and you shouldn’t have to put up with it.

My friend Lee used to work for a company that did Sales training. Sales is, at its very essence, about persuading people to buy something. Even if they need that something, you have to persuade them to buy yours, rather than someone else’s. And one of the big maxims Lee’s company would teach is that logic is not persuasive.

And it’s true. I have my own version of the phrase: “Don’t drag logic into a conversation where she’s not invited.”


There’s an enormous problem inside some organizations where, whether this is just perceived or actually true, the InfoSec team “maintains” security by “just saying no to everything.”

Obviously, no business can survive if one component of itself is simply shutting down all initiatives willy-nilly. “No” isn’t a security position; it’s a death knell. And, if you work for a company where this is really, really true, you should maybe evaluate your career choices. It doesn’t make sense for good IT people to work at that kind of organization, and if the answer is always “no” anyway, they don’t actually need you. InfoSec should say, “yes – but.” Meaning, they should be taking the time to understand why something is necessary to the business, understand how it works and what its vulnerabilities are, and understand how to safely and securely introduce it to the business.

However.

Just as many IT Ops people are not experts in the InfoSec disciplines like auditing, forensics, pen testing, incident detection and response, and so on, many InfoSec people are not familiar with the intimate details of Ops technologies, what their business benefits might be, or how they work under the hood. This is why everyone needs to work as a team to make these decisions.

“Hey, we’d like to implement PowerShell Remoting. It uses WS-MAN.”

“Why?”

“It’s better!!!”

“No.”

Totally understandable conversation, actually. It should have gone like this:

“Why?”

“It’s massively lower-weight in terms of server overhead, and unlike RDP it’ll trigger less mandatory restarting of servers – so we get better availability.”

“How’s it work?”

“It runs over a single port, and we should have a requirement that that port be HTTPS. Credentials are delegated across that connection – no clear-text passwords! – and I can show you how we’d enable full-text auditing of everything admins do via that channel. It’s actually a lot more auditable and locked-down than RDP.”

“OK, let’s look.”
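What “let’s look” might produce in practice: an added example (not from the original post) that configures a Remoting host the way the dialogue describes – a single HTTPS listener, no unencrypted traffic, and full-text transcription of every session. It assumes an elevated session on a Windows Server that already holds a server-authentication certificate in LocalMachine\My whose subject matches the host name; the transcript path is an assumed value.

```powershell
# Added example, not the post's own code. Assumes: elevated session, a server
# certificate for this host in Cert:\LocalMachine\My, and an assumed transcript
# directory (in production, point it at a write-only share off the box).
$TranscriptDir = 'C:\PSTranscripts'   # assumed path

# 1. Enable Remoting. This also creates the default HTTP listener on TCP 5985.
Enable-PSRemoting -Force

# 2. Bind an HTTPS listener (TCP 5986) to the host's certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$env:COMPUTERNAME*" } |
    Select-Object -First 1
if (-not $cert) { throw 'No suitable server certificate found' }

New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet   @{ Hostname = $env:COMPUTERNAME; CertificateThumbprint = $cert.Thumbprint }
New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# 3. Remove the HTTP listener and refuse unencrypted or Basic auth, so
#    "single port, HTTPS" is enforced by the service, not just expected.
Remove-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTP' }
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

# 4. Turn on system-wide transcription. These are the registry values that the
#    "Turn on PowerShell Transcription" Group Policy setting writes, so every
#    remote session (and local one) leaves a full-text record with a header
#    naming the user, host, and start time.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name EnableTranscripting    -Value 1
Set-ItemProperty -Path $pol -Name EnableInvocationHeader -Value 1
Set-ItemProperty -Path $pol -Name OutputDirectory        -Value $TranscriptDir
New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null

# 5. Verify: the only listener left should be HTTPS on 5986.
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Select-Object Transport, Port
```

The verification step at the end is the part worth showing the InfoSec team: it answers “how do we know only the encrypted port is open?” with output rather than assurance.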

If you present a valid business case, and then can work together to understand how the technology works, then you’re doing it right. “We need to understand the encryption used” isn’t a challenge you need to defend. The proper response is, “yeah, we do! I don’t know a ton about encryption – can we dig into this together?” Encourage that teamwork. Nobody should be on the defensive or offensive – you’re all supposed to be working for the same team. Too many times, though, the Ops folks I’ve seen go down this road – with anything, not just PowerShell Remoting – aren’t taking a team approach, and they’re not making a business case.

And let’s say you do start the conversation right, with a business-level justification (with some numbers, please – businesses understand numbers). You do go in as a team player. If you still get needlessly rebuffed without even a fair hearing, and without a reasonable justification (“yeah, not now – we’re busy recovering from the 10M user accounts that were compromised last week, k?”), then…

Evaluate your career choices. Ask yourself why you’re so broken inside that you’d work for a dysfunctional situation.