* Posts by Roundtuit

12 publicly visible posts • joined 20 Jan 2015

Say what you see: Four-letter fun on a late-night support call


Re: The joys of the phonetic alphabet

Everyone knows it's L for leather, A for orses, F for vescent ...


Re: How to deal with calls

We IT auditors walk among you, Earthlings

If your org hasn't had a security incident in the last year: Good for you, you're in the minority


Breach is such a loaded term

It's almost as bad as "cyber". Both are bandied about like, and worth as much as, election promises.

Good on El Reg for hitting the nail on the head though: "Details of exactly what constituted a "breach" were not made available by Carbon Black, which, like all vendors peddling these surveys, has a vested interest in talking up how insecure the online world is in order to sell more products and services."

And for those of us genuinely trying to hold back the tide in infosec, their rampant, selfish, crass commercialism is doing us a disservice. Marketing tripe dressed up as "surveys" is a modern-day scourge.

Second-hand connected car data drama could be a GDPR minefield


Re: Rental Cars

I wonder how many buses, trains, planes, taxis and Uber cars have shlurped down passenger info?

IoT needs security, says Microsoft without even a small trace of irony


Re: There are good security people at MS

What a back-handed compliment!

It would be easier for the security people if Microsoft became an ethical IT company, instead of a marketing company.

Electrician cuts wrong wire and downs 25,000 square foot data centre


Re: Wrong odds

Nope. There are permutations, combinations and variations e.g. cut neither wire; cut one only; cut the other only; cut one wire then the other; cut the other wire then the one; cut both wires together; fail to sever a wire completely; ... it's really not hard to think of many more possibilities.

It was a mistake to quote a probability figure, and a further mistake to ignore the business consequences ... and it's hard not to think of more mistakes in this scenario, with the benefit of 20/20 hindsight (or is that 50/50?).


I carry spare fuses in case some annoying twonk has removed/lost them from the fuse panel ...

Researchers say they've cracked the secret of the Sony Pictures hack


If the hackers were subtle & sensible, they'd have gone to ground as soon as they got in to the network, immediately concealing their activities, going deep, and meddling with the security logs, alarms and alerts. Having done that, they could sit there for an indefinite period waiting for the logs of their initial access to be overwritten or discarded, and quietly watching for any signs of proactive security response. Then they'd have free rein, knowing that their activities were being neither monitored nor logged ...

7/7 memories: I was on a helpdesk that day and one of my users died


Abiding memory of 7/7

Aside from the grisly images and sheer horror of the whole event, the thing that sticks in my mind about that day was watching an amazing performance from the police commissioner (? The Top Dog anyway) giving a press conference live on TV before the dust had settled. He was immaculately dressed, and spoke coolly and calmly about the incident before the assembled mob of journalists, in a press room that I guess had been set up in advance. An astonishing oasis of calm if you think about the chaotic scenes and all the work that the emergency services were doing at that very point.

If YOUR organization had experienced anything on that scale, do you think your Top Dog, advisors and support krew would have been prepared to deliver such a virtuoso performance so quickly and efficiently? I still use this as a shining example of how crisis and incident management can/should be done.

I believe there had been an emergency exercise in central London just a week or two earlier, so all the emergency services were as ready for the incident as they possibly could be - another worthwhile lesson arising from an otherwise devastating mess.

Think server vulns are the IT department's problem? Think again


Re: Nothing new here...unfortunately

An excellent way to hone up on business skills and speak the same language as the MBA types is, of course, to study for an MBA and become an experienced manager. I consider my MBA the best information security qualification I hold. I also heartily recommend CISM from ISACA, which emphasizes the governance angles of our job, plus risk management, compliance, business continuity and other stuff that IT security (and "cybersecurity") pros tend not to appreciate. There is MUCH more to being an effective information security pro than knowing about vulnerabilities in IT systems.

[By the way, "death management ears" tickled me. Freudian slip?]

WW2 German Enigma machine auctioned for record-breaking price


What is so bizarre about using the post to reach Paxman? Does he lack a letterbox? Is he 'unlisted'?

Sony hack was good news for INSURERS and INVESTORS


"Co-chairs" might just be the root cause

If there's one thing I've learnt in life, it is that multiple bosses == bad news. Well, to be more accurate, it's not the bossing that matters, but the dilution of leadership and clarity of direction. If in fact the "co-chairs" were spookily aligned, why did SPE need them both? My guess is they were hedging their bets.

The reason that top brass are paid so highly is that (a) they have that rare combination of proven qualities (such as capabilities/expertise, experience, charisma, drive and motivation) to make good decisions more often than not, meaning that they are in high demand; and (b) they demand the $$$$$$ in return for their personal accountability when, almost inevitably, like gamblers they eventually make a seriously bad decision.