* Posts by chuckrman

12 publicly visible posts • joined 16 Nov 2016

Snowflake CISO on the power of 'shared destiny' and 'yes and'

chuckrman

"Security Teams can never be the team of no."

I understand your sentiment, but that is really not applicable. Or rather, it should not be applicable.

To directly address your email-as-userID comment: we need to get past userID/password as a login method on its own. Time and again this has proven to be something fairly easy to compromise. MFA is the way to go. Getting a userID is typically fairly trivial because we need it to be something the user can recall. userID is not really the state secret we pretend it to be.

Security teams really should not be the team of no. It should be the team of "this is how we can do this securely" when asked to implement something. We need to focus on turning it around so that it a) meets the business need, b) is practical, c) is scalable. There may be more that others may want to add to this list, but it is a good start.

In general, security is a supporting organization (some exceptions for if security is your line of business, etc.). In security we need to remember this. And we need to remind our customers/business owners as well. We are performing these tasks in the interest of supporting your business and lowering the risks to your business. This is of course easier said than done, but it is very important to not get lost in the battles so much as to lose the objective.

At the end of the day the customer/business owner makes the decision. I won't sign off on anything I can't stand behind. However, I can't stop the customer/business owner from ignoring me at their own peril. It may, of course, be the signal to freshen up the resume/CV.

US Transpo Sec wants air traffic control rebuild in 3 years, asks Congress for blank check

chuckrman

Re: Compatibility always drags these types of projects on and drags out the time requirements

This may very well be a lack of knowledge on my part. Let me try clarifying what I was intending to communicate. In terms of changing so large a system that has to be used by all aircraft (effectively worldwide), you need to have a baseline standard that works with all systems. I assume there is always an analogue method for emergencies that will always be handled a standard way regardless of the airport's actual capabilities.

So when guided landing was brought into play, the airport that first implemented it could not stop using the old method of landing planes until all planes could use that new system. And each time we add a new capability to the airport, the system(s) needs to continue to support the older standard in addition to the new. This may be done by running parallel systems or by introducing something to an existing system (additional cost and complexity = time). At a certain point the old drops off as it is no longer in use, but by the time this happens something more modern is coming online. This cycle will continue until the end of time (or at least as long as we have air travel).

My point was that there are logistics behind this and due to a variety of factors which vary from airport to airport this may very well mean generational gaps where one airport is N-3 and another airport is N (N equals current generation). I mentioned airplanes because airlines have to be able to keep up with N and given the time lapses between maintenance cycles I suspect that the only way to do it would be to update over the air (physical time limitation). From a safety standpoint I could not see over the air being practical. So slowing down the change to allow the entire chain to update would be required. This is not likely to be something that is a known variable to plan for but might be estimated (high risk to overrun schedule).

This is pretty universal across all major systems when change occurs. A sufficiently large system will need to stagger updates, requiring the updated system to be able to operate at the lower standard while it waits for the rest of the chain to catch up, or run two systems in parallel. Something that an airport may not be funded to do in either case (hence the N-3 I mentioned above).

<- IT guy but not in the airline/air travel industry

chuckrman

Compatibility always drags these types of projects on and drags out the time requirements

What I always see as the biggest problem with these types of projects is the necessity to support the legacy system because you can't switch everything all over at once.

It is always a logistical issue even if you develop the silver bullet that otherwise solves all the problems. In this case it is more of an issue due to the necessary changes as dictated by geography, culture, and availability of utility services (and probably things I did not think of or know). Throw in the variance of the different airplanes themselves and you cannot build a single template or series of templates that will fit all scenarios. Each site is its own custom job and while you may be able to come up with concept level standards there will be variance. Meanwhile you have to continue to support the lower standard of the current existing system.

This means by default you have to support older standards in addition to the ones you want to go to. You can't with a flip of a switch convert a flying plane to a new standard. Maybe in the future as we progress we can include soft updates, but I always fear any solution that requires an always-on connection. Mother Nature is a Mother and you need to be able to function offline.

So any "modernization" has to be done in planned steps worldwide. These gradually drop legacy out of the equation. That will never happen with any great speed.

Nearly every AMD CPU since 2017 vulnerable to Inception data-leak attacks

chuckrman

Re: Just when I thought about upgrading...

Part of the problem is the cross-sharing of IP between Intel and AMD. x86 is Intel IP and x64 is AMD. So oftentimes, because the basic architecture is the same (x64 on x86), you will see similar holes in both manufacturers (there are nuances that separate them). The only way this really changes is if we can come up with a new standard away from x86/x64. However, that means backwards compatibility, and no one wants to kick that hornet's nest for fear of sales loss (my opinion).

Don't touch that dial – the new guy just closed the application that no one is meant to close

chuckrman

Re: As a young broadcast engineer, unschooled in IT at the time

Agreed. A lot of what we take for granted as part and parcel of operations had to be learned from mistakes. Institutional knowledge is a thing, which is why I think companies/governments/etc. are struggling right now with all the outsourcing. No matter how much documentation you provide me when I come on board, I can't digest it all and be the perfect employee day one. In the meantime you have a gap that the position I was hired for was intended to fill. Throw in the tight budgets reducing or eliminating redundancy of staff capabilities and you are treading a fine line between failure and success.

Risk management was not taken as seriously, say, 20 years ago as it is now, and I am sure this was an incident that caused change (as was related at the bottom of the article). Was the change perfect? Not likely, but you have to start somewhere, and re-architecting a tried and true process is NOT something done overnight. And it may be deemed too risky versus improvements to the existing process.

When the IT department speaks, users listen. Or face the consequences

chuckrman

Re: Beautiful

I agree completely. IT is here to support the business and is not the business itself (unless IT services is your business). Now, given the limitations of the technology at hand, I can understand that sometimes you have to rely on the user doing "the right thing" but, in general, I would have measured this as a risk and would have looked for a compensating control. Perhaps a script that was run once a day to copy the contents of the "My Documents" directory to the mapped home drive, as these should be known variables. As someone earlier in the comments mentioned OneDrive: a nice aspect of this service is that, in locations with the appropriate enterprise agreements and infrastructure, you can use GPOs and have directories replicated directly up to OneDrive as appropriate. While we can't hold the end user as having no responsibilities, we should be looking at common risks and trying to address them commensurate with the value of the loss.
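The once-a-day copy of "My Documents" to the mapped home drive that the comment above proposes, written out as an added example (this is not the commenter's script or anything from the article). It assumes the home drive is mapped as H:, that the script is saved at C:\Scripts\Backup-Documents.ps1, and that the scheduled task runs under the user's own account so it sees that drive mapping; all three are assumptions for illustration.

```powershell
# Added example, not from the original comment: nightly copy of the user's
# Documents folder to a mapped home drive, as a compensating control for
# users who forget to save to the network share.
# Assumptions: home drive mapped as H:, task runs as the interactive user.

$Source      = [Environment]::GetFolderPath('MyDocuments')
$Destination = 'H:\DocumentsBackup'                         # assumed mapping
$LogFile     = Join-Path $env:LOCALAPPDATA 'DocumentsBackup.log'

# Refuse to run when the home drive is absent (laptop off the network),
# rather than silently "succeeding" with nothing copied.
if (-not (Test-Path -LiteralPath 'H:\')) {
    Write-Warning "Home drive H: not available; skipping backup."
    exit 1
}

# /E   copy subfolders, including empty ones
# no /PURGE or /MIR, so a deletion on the PC never wipes the server copy
# /XJ  skip junction points (avoids recursing into reparse loops)
# /R:1 /W:1  do not stall the job on a file locked by an open application
# /LOG+ append to a log so the help desk can review what happened
robocopy $Source $Destination /E /XJ /R:1 /W:1 /NP /LOG+:$LogFile | Out-Null

# robocopy exit codes below 8 mean success (possibly with extra files);
# 8 and above mean at least one file failed to copy.
if ($LASTEXITCODE -ge 8) {
    Write-Warning "robocopy reported failures (exit code $LASTEXITCODE); see $LogFile"
    exit $LASTEXITCODE
}
exit 0
```

Registering the script as a daily task for the current user (run once, interactively; assumed script path as above):

```powershell
$Action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
           -Argument '-NoProfile -File "C:\Scripts\Backup-Documents.ps1"'
$Trigger = New-ScheduledTaskTrigger -Daily -At '12:30'
Register-ScheduledTask -TaskName 'Backup-Documents' -Action $Action -Trigger $Trigger `
    -Description 'Daily copy of Documents to the mapped home drive'
```

A midday trigger is chosen so the machine is likely powered on and connected when it fires; the local execution policy must permit running local scripts (or the script must be signed) for the task to succeed.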

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

chuckrman

Can't say that I agree at all

The point of the scoring system is to draw attention to the bloody obvious. In general it works for reasons already stated in the comments: because it is simple enough to understand. If your organization actually takes risk management seriously, it has in-house staff to do the scoring in the context of how it affects the organization. Risk and threat modeling is not something I would expect someone outside my organization to understand as far as it applies to my organization, because they lack the information to do so. I would not expect any agency or third-party organization to do a valid scoring for my organization as a general rule (auditing etc. not included). They can't, and even if they could, it would not scale to try and keep such a vast library up to date. The simplicity scales.

Greatest threat facing IT? Not the latest tech giant cockwomblery – it's just tired engineers

chuckrman

Re: Some weird comments on here...

Some of the pride may be a result of for whom and why. I have pulled 100+ hour work weeks I am not very proud of because it was just a band-aid over a problem and I just burned out. Other times I have pulled those weeks because there was a legitimate concern or event that no one had thought of and the risk of failure was high. It is those days that I take pride in being part of a team that really brought things together under extreme circumstances. The former was often due to lack of staff, sudden departures of poorly treated staff, or just really bad planning. The others had to do with what falls under the "acts of God" sort of thing. In those cases we had follow-ups and lessons learned which prepared us for next time.

Samsung pulls sheets off costly phone-cum-fondleslab Galaxy Fold – and a hefty 5G monster

chuckrman

Everything is worth what its purchaser is willing to pay for it

I feel this gadget falls into the category you have so marked. It is not directed at a specific need (that I am aware of) but is an expensive toy to me because it is not in my budget range and does not offer a feature that I would need over my existing phone.

/rant

However, I feel that you are incorrect in making the statement "so much for so little" without context. The use of "so little" is subjective without any qualifications. Someone may find that the increased screen size is worth every penny spent. This is because their qualifications are different from yours. I dislike the idea, particularly on a tech site, that it is too expensive or doesn't meet the need when neither has been defined as a qualification. It is merely something on offer, and it would appear that it is not targeted as a device for everyone but as a "premium" device. It is fine to make a prediction like "I don't expect this to sell well because its cost is high compared with most phones in the general population" as that includes a qualification to demonstrate why you have your point of view. Nothing wrong with having one, but just making a broad statement without backing it up does not contribute much to the discussion. It is these types of devices that can open up new use cases or demonstrate an idea that needs maturing. I often hear the complaint "I wish my screen were bigger" when the people around me are using their smartphones. While finger gestures allow in some cases to easily magnify something, it may simply be too troublesome to use on a larger document or picture (such as a comic). Using a different device with a larger screen size may not be so practical, as the smartphone is so portable and readily available because it goes everywhere with you. This is an attempt to try something different, though it is not clear if it solves the problem. Cost, more room for screen clutter such as in-app ads, device longevity, and battery life are all valid concerns. It might not do the job. However, you can't say for certain without trying. The attempt alone can yield value in the form of knowledge gained.

/end rant

Spies still super upset they can't get at your encrypted comms data

chuckrman

Different view/tinfoil hat warning

What if the whole point of the backdoor is to mask decryption capabilities? In my viewpoint (you may decide otherwise) encryption is *always* a temporary measure. The value of encryption is to conceal information until it is no longer useful. It does not keep something unknown forever. The race between encryption and decryption pretty much guarantees that at some point an encrypted bit of information will be deciphered. However, if you start putting in mandatory backdoors, the question of how you got through the encryption becomes more murky. Was the encryption broken or was there a backdoor? This makes it a little more difficult for the intelligence community (of any given entity) to determine risk. Was it a product issue? Was it an algorithm issue? Was it a leak? Think of it on a lower level, such as a divorce proceeding where one spouse is hiding information from the other. It does not have to be at the nation-state level. This I think opens up doors on a lot of levels.

Who do you want to be Who? VOTE for the BBC's next Time Lord

chuckrman

Re: Hugh Laurie ?

I rather like him as a choice.

UK warships to have less firepower than 19th century equivalents as missiles withdrawn

chuckrman

Always an interesting topic regardless of Nation

I have often wondered why Naval Fire Support (NFS) is often pooh-poohed. It seems to me that it is often forgotten and added as nostalgia in the form of a single relatively small-caliber gun mount (5" or smaller). I have often thought that there should be a role for NFS appropriate to the planned operating environment. NFS should be a combination of large bunker-buster caliber types and small secondary types, which are currently the primaries on most ships. They don't need many mounts given what automation can do. As was pointed out by a previous poster, failures happen. Have some redundancy (more than one mount). Keep in mind the enemy can shoot back.

Additionally, I rather think fighting pirates and similar missions ought to be left to the smaller ships using guns, but capable enough to supplement the fleet as escorts. As such they should be blue-ocean types. Small-ship threats can attack a fleet/cargo ship/tanker/etc. anytime really. Why not adopt the approach the Somali pirates are using? A mothership (can be the NFS platform) carrying the "coastal types" as interceptors. Your interceptors are basically patrol boats with small (squad/fireteam?) troop levels, and the mothership provides any big guns needed should you need to put troops anywhere. No missiles necessary (except maybe CIWS-type stuff) as that is the job of the escorts.

NFS seems to be a capability gap in most of the large navies. Bullets/shells are *a lot* cheaper than missiles, planes, aviation fuel, etc.