* Posts by mmccul

116 publicly visible posts • joined 10 Sep 2017


SolarWinds charged after SEC says biz knew IT was leaky ahead of SUNBURST attack


What really is clear from reading the actual SEC release on their charges is that the charges rely heavily on supposed warnings by a single individual. That creates the question, was the individual who issued the warnings a known worrywart, with a reputation for overstating risks and demanding disproportionate security for the analyzed risk? Just because they were right this time doesn't mean that a reasonable person, at the time, would have viewed the warnings by that person as realistic or appropriate.

I raise this point because I've been at shops where someone tried to demand completely disproportionate security to the threat profile, which would have exceeded the entire IT budget to address. I've also seen cases where risks were claimed in order to justify "security" tools that actually created more risk for the organization (I'm sure you know the kind I mean).

I expect we'll see a lot of expert witnesses arguing that not only were the warnings commensurate to the known threat profile at the time, but that they were willfully ignored rather than postponed due to other legitimate priorities.

CISOs' salary growth slows – with pay gap widening



In many shops I've gone to (as a consultant), the "CISO" was actually doing the work of a security team lead, thinking they had a technical role in addition to a direct supervisory role over technical staff. In very few shops was the CISO given actual authority over building a strategy for the security program, or the ability to craft a budget to execute that strategy.

Some of it was CISOs who refused to admit they were no longer in a technical role, but a managerial one. Other times, it was that their own manager wouldn't give them the authority they needed to do their job. I've worked with CISOs who knew they were not a security analyst, not a security manager, or even director of security, but a CISO. It was very different in experience. I wonder, how many of these "CISOs" were doing the job of a CISO, and how many were doing the job of a security team lead?

US government's Login.gov turns frown upside down, now smiles on facial recognition


Re: That's Just Great ... Photo Pleeez

It's identity assurance, not authentication. It's one part of many steps. It's saying "Instead of taking your fingerprints, we're willing to take a face photo as a part of establishing your identity."


Isn't that the case for oh so many contracts awarded to the lowest bidder, not just in federal space, but anything IT?

(Speaking as someone who worked for many years for a contracting firm that didn't try to be the lowest bidder. Sometimes the joke was we were who you called after you fired the lowest bidder.)


Identity Assurance is not Authenticator Assurance

A lot of confusion exists thinking that the facial recognition is 1. sufficient, 2. part of authentication. Neither is true.

The announcement states that facial recognition is being added to the acceptable list of biometric methods that is used to establish the identity. That's prior to issuing the authenticator to the individual. None of this has anything to do with authentication, it's all about identity proofing.

When you actually look at the rules for IAL2 (like I've done for far too many hours at a time), you realize that the biometric factors are one of many things involved in establishing the identity. Take out facial recognition for a moment. Instead, look at the problem this way. You are doing something sensitive, so you go to an office, present your picture ID and are fingerprinted. The fingerprint collection (the most common form of biometrics used for IAL2 and IAL3) is not just "do you have a criminal record", it's part of the overall process of establishing who you are. The fingerprints (or facial recognition in this case) help as part of the verification of the evidence presented, just like when one presents an ID, there are features checked to ensure it is a valid ID (e.g. a hologram being present on many US IDs).


Passkeys are authentication. IAL is identity assurance. Different problem space.

iPhone 12 deemed too hot to handle for France's radiation standards


"Apple unsurprisingly rejected the ANFR's claims. It told The Register that ..."

Apple actually responded to The Register?

Aerial cable tangles are still being strung up, but carriers are slowly burying the problem


Re: The problem with burying: you need a map..

That was part of the training. Ask the backhoe operator where they believed the cables weren't, check there first because the odds were good you'd find the cable at that exact spot.


Re: The problem with burying: you need a map..

Fiber cable coating typically carries a metal wrapping. When trying to locate a cable, the procedure is to apply a low voltage current of a selected frequency to it at one of the access points (e.g. a manhole, utility shed), then use effectively a metal detector aimed at the exact right frequency. The "line locate and protect" job also carries equipment that allows one to determine how deep the cable is.

Is the job faster with a map? Not really. Those maps are often off by half a mile or more.

(Yes, I had to be trained for line locate and protect once many years ago.)

Microsoft hits back at Tenable criticism of its infosec practices


Not sure what to think

On the one hand, it's bad if Microsoft (or any vendor) downplays legitimate vulnerabilities, but on the other hand, I've seen plenty of cases where "vulnerability researchers" glory-hound and try to attract attention by verbally attacking the organizations that the "researchers" claim have vulnerabilities for not moving fast enough.

Tenable isn't exactly on my good list for respectable behavior or quality vulnerability detection or analysis. I deal on a regular basis with far too many cases of hilariously bad detection logic and invented vulnerabilities (without even a CVE or CVSS score, but marked "high severity") in the software to trust their research completely. That back history I have causes me to be less willing to trust them than many other vendors.

Microsoft, as a vendor, has plenty of motive to downplay or belittle the vulnerability report. While the Microsoft of today is nothing like the Microsoft of fifteen years ago, there is still some inherent distrust I have of them.

And no, I'm not willing to presume that the truth is "in the middle", because that just encourages one side to lurch dangerously to an extreme, arguing that the truth "must be in the middle" when they defined the middle by their extreme position.

Creator of the Unix Sysadmin Song explains he just wanted to liven up a textbook


Re: socket is still a socket...

I think "I am the very model of an animated individual" (Animaniacs) will also help keep the song alive.

Of course there's ObXKCD: https://m.xkcd.com/1052/

Microsoft kicks Calibri to the curb for Aptos as default font


Compared and found lacking

I just did a comparison of a few fonts: Calibri, Times New Roman, Bierstadt, Bierstadt Display and Roboto. I used the same text and 12pt size.

Interestingly, Bierstadt was the widest of the fonts, with Calibri being the narrowest. None of the fonts passed the capital o vs zero test of being able to readily identify which it is without them being next to each other in a case where either would make sense.

Bierstadt and Bierstadt Display's lower case L was awkward and the tail bled into the next letter, especially apparent when the next letter was vertical as well.

None of the sans serif fonts knew how to differentiate a pipe character | from others except making the pipe a bit longer than the capital i.

Roboto "appears" to be the largest visually. Bierstadt Display and Calibri were easily the two smallest. I could not readily decide which of the two was smaller.

Times New Roman, despite being on the smaller side for apparent height, had the largest apparent spacing between words, causing (for me) the least bleeding of words into each other. The difference may not be real, but it looked that way to me.

Obviously, everyone has different preferences; mine tend toward wider spacing between letters and words to make each letter easier to distinguish, as well as a more distinct visual display between each letter, but none of the "chunkiness" I find in some fonts.

My testing was similar to an eye doctor saying "is this larger/clearer, or is this one?" Looking at two lines first one, then the other, reading the whole text as well as examining selected letters commonly hard to distinguish.


Too small

I've always felt Microsoft defaulted to a font a touch too small. Every time, I've increased it to 12pt and found the size much more accessible to me. Over the years, I've found that people took the "12pt" default, clearly thought px == pt (they aren't) and set all web fonts to 12px, which is generally 9pt.

My main use of stylus has been to fix websites to force minimum font sizes of 12pt in everything. I'm also hardly alone in desiring reasonable standard sizes. If we could get away from the era of shrinking letters, that'd be nice. The only good news? Most people seem to agree that 4pt fonts are too small. (I remember a time when T&Cs were often printed below 6pt in size on websites and on paper, even when there was no space reason to suggest such except to discourage reading.)


The use of sizes under 12pt means that they clearly haven't, since 12pt is considered the minimum accessible font size in every accessibility guide I've seen.

First thing I do when working on someone else's document is boost the size to 12pt for the main body of text so that I can read it on my screen.

Fedora Project mulls 'privacy preserving' usage telemetry


Re: Stats please

What percentage of those "chrome" browsers are Brave or Vivaldi or other chromium based but not Google reporting?

Techie wasn't being paid, until he taught HR a lesson


Re: Unique keys

One of my coworkers has a two letter given name and three letter surname. They routinely have to add bogus characters to get past systems that "require" three or four letter given names. My own surname is often misspelled to add a space (it doesn't have one in my family, but I've met others where the only spelling difference is adding a space). I've had some that automatically insert a space into my name "because everyone spells names starting with "Mc" with a space" (or refuses to capitalize correctly).

And then you get into the whole "names never change" (and then a coworker of mine got married and gave up trying to change her surname for months at least because the system couldn't handle it.)

Malwarebytes may not be allowed to label rival's app as 'potentially unwanted'


I'm just envisioning the implications to firewalls that do threat detection and classification of websites based on such precedents, not to mention other, more useful tools in the anti-malware arena.

It would not be pleasant to say the least.

SF cops got warrant-free OK to watch protest via private security cameras


Okay, I must be missing something, because everything I'm reading explicitly states that the police must obtain permission from the camera owner. Yes, we can all imagine the permission clause being abused, but it's a pretty big barrier to certain forms of misuse, because a camera owner might very well withdraw said permission if they feel it is bad for them. The current culture I've seen in the Bay Area includes refusal to offer even non-real time views into the cameras to police even if a crime has been committed, so I don't see it as overly likely that many camera owners will cooperate unless they see it as explicitly to their advantage.

Dell reneges on remote work promise, tells staff to wear pants at least 3 days a week


I've trained new peers in my field regularly in person, remotely, hybrid, etc. I did it before zoom existed as a conferencing tool, and continue to do it today.

Each new team member is unique. The methods used for one person don't necessarily work for the next. Some of the people I've mentored, I had to kick them out of the office before they could be trained effectively. Others, I engaged in multiple one on one voice calls. Typically, I push to include some IM tool, because I have my job to do, I'm not going to just wait for them to ask a question. They need to feel free to message me at any time.

When I was in the office, sitting next to someone I was supposed to train, they were afraid to bother me, because I was head down working on my own job. Getting them to send me an IM made them realize that I'd see it soon enough and not to worry if I was in a meeting or not, talking to someone on an unrelated problem. What was important was for them to get their question out. Email isn't disruptive enough. I typically don't look at each email as it comes in, but I do triage my emails a few times a day and get to each of them every day. That isn't fast enough for training someone. They especially need a way to poke me with a question that they don't know how urgent it is, even if I'm in a meeting.

One method I used a lot recently on a multi-person project was the war room call. I'd book a multi-hour meeting where we'd all join the bridge and work together on a problem or project, one or two times a week. It created dedicated focus time for that project, which in and of itself was valuable.

The one method I never use? Conference call with camera on.

Working from home could kill career advancement, says IBM CEO


Re: Everybody calm down

We are talking, however, about IT jobs with some specific mentions of their consulting division. Yes, a few IT related jobs are hard to do remotely, such as data center manager, but those tend to be rare. Recent trends have permitted even a surprisingly high number of servicedesk jobs to be done remotely.

I disagree (based on experience) with your premise that not seeing your coworkers face to face for two years is a very bad thing. One job I worked, I had a very close coworker, we worked together literally daily for over eight years. We never met face to face until I left the job and was moving to my new job, literally driving through the city he lived in. Absolutely no issues. Does it work for everyone? No. But don't presume it is necessary for everyone either.


Which office?

There's a certain irony to telling consultants to "come into the (IBM) office three days a week". What if the company they are consulting to wants them in their office instead in order to interact with the client? Do you penalize the successful consultant who is consistently on assignment, making their client happy, because they're on site at their client, earning billable hours? If the consultant is the only individual assigned to that client, you're saying that they can't get good performance evaluations and will be quietly shown the door?

I've seen things you wouldn't believe, like an atom about to photosynthesize



The LCLS system is actually a really nifty idea. "We know that if we shine a light on this, it'll destroy the sample, so let's shine a light ten million times brighter instead." Then they just have to collect femtosecond precision results to assemble the pictures. A lot of really interesting tech in it.

US Supreme Court snubs that guy who wants AI recognized as patent inventors


Re: Supreme Court rejection

Mark Twain had an off by one error:

Lies, damn lies, statistics and machine learning.

Techie called out to customer ASAP, then: Do nothing


Green Rabbit

Am I the only person who heard of this as "green rabbits"? It was described to me thusly: They're really really fast, but they're so green they can't do anything. Send someone quickly to the site, but they often don't even pretend to do anything except declare the SLA for a tech arriving onsite had been met.

Microsoft: Patch this severe Outlook bug that Russian miscreants exploited


Re: Crap Software R Us

Alas, kerberos (not just MS's version, Heimdal as well) is not much better. Before the torches and pitchforks are pulled out, here's what I mean.

I had to dig into NIST SP 800-53 rev5 compliance with IA-5 (1) on passwords and discovered that NTLMv2 and Kerberos do not salt their password hashes. I then found out that other implementations of kerberos don't salt their passwords either -- or if they do, it is a single fixed salt that is just the name of the realm. The reasons for this that I could find in writing went back to the way authentication worked in kerberos, and it was extremely difficult (I won't say impossible, but it might be) to have a unique, per hash random salt.

It's also important to remember that NTLM and NTLMv2 are distinct protocols and one shouldn't consider them the same thing. NTLMv1 (aka NTLM) absolutely should be disabled. NTLMv2 is notably better, though per Microsoft it still has vulnerabilities to various man in the middle and hash based attacks. Alas, I've yet to see a functional alternative that isn't full cloud.

Make Linux safer… or die trying


The problem is desktop components on servers

The recent trend on Linux in my experience is that an OS in theory aimed at a server comes with so many mobile end user system components, some of which are even harder to strip out than ever before that I feel like I'm running a laptop, not a server. I've done the exercise many times of sit down and justify every package installed or remove it on a few Linux distributions, and often end up stripping at least fifteen daemons, some of which are network related, that I couldn't justify ever existing on a server. (Yes, said systems ran in production for years in various functions without needing said packages re-installed.)

More recent trends in Linux only accelerate this tendency to treat the entire OS as a laptop, to the point that I've argued the people making the decisions for some Linux distributions are only using it on their personal laptop and think no one ever uses the OS on a server.

NASA infosec again falls short of required US government standard


Context missing

I've participated in helping to analyze organizations against the very scale in question. Very few organizations I've reviewed would get even a level 2 rating in most target areas I was asked to review, including some that thought they were "pretty good" in infosec before I got there. A lot of the specifications required just for level 2 are missing from the vast majority of commercial shops.

I'm not saying that NASA doesn't need to improve, but merely getting a "level 2" on several enclaves and categories doesn't necessarily mean they're much worse than I'd expect. The point of the maturity model is to help understand where you are so you can plan meaningful improvements over time that don't block the mission of the organization unnecessarily.

For example, the detect category may be considered level 2 only if there are identified gaps against some of the directives to collect and analyze certain data sources that I've almost never seen even attempted outside government organizations. For any example I give, I'm sure there are shops that do it, but a lot of shops don't, and that's the point.

From a process perspective, again, the level of detail required for a government shop is much higher than I see in the private sector. What we don't know from the article are the details of the gaps.

Overall, the piece feels like a lot of necessary context is missing to understand how they really fare compared to a moderately security aware non-government shop of a reasonable size.

Splunk alleges source code theft by former employee who started rival biz


Maybe reach out again for comment?

I see Cribl has posted a response at https://cribl.io/blog/cribl-denies-splunk-allegations/ and I've been told they have fixed their email address for media inquiries. (No connection here with the company, I just know where to mention such things.)

Businesses should dump Windows for the Linux desktop


Re: Real World...

There's been a shift over the past ten years or so on "what does admin rights mean on the desktop?" I've been watching it first in the macOS space, but a lot of the arguments over there apply equally well to the Windows side: standard user rights can already do a lot of the key things an admin can, and lack of admin rights doesn't prevent some of the most critical damage types seen by attackers today who are interested in your data (exfiltrating or destroying). It doesn't take admin rights to copy files out of your documents library location, or your network file share, or to write to those locations either. It doesn't take admin rights to install a web browser plugin.

Before one talks about admin rights and removing them as a knee-jerk reaction, one needs to ask what can those rights do that cannot be done by a standard user? You might be surprised. That leads more naturally to going back to the questions of what are the risks, what is the threat model in question, and how do we reduce the likelihood of initiation or likelihood of adverse effect of said risk vectors.

Good security requires work, regardless of your choice of operating system. Reflexive operating system bashing is unproductive and I would argue, generally unprofessional.


Re: LibreOffice is not as good as MS Office

At work, the top feature I use of office is communal editing.

I have several word documents and excel documents. A team of four (or more) people are actively, throughout the day, editing these documents. We can't be emailing them back and forth, we need our edits to reflect immediately.

We need to be able to see a log of who changed what. We need good visibility of proposed changes and comments.

All of that, we have with the current generation of MS Office with the O365 plugins.

Are there alternate ways of doing some of this? Of course. But the technical barrier of entry is very low. I don't have to teach the less technical members of the team some tool to make things work or collect the data needed for status updates.

Never underestimate the power of an effective visualization. I spend a lot of time in tools like Splunk figuring out the right visualization to most effectively communicate to non-Splunk experts.

Bad news, older tech workers: Job advert language works against you


Re: Don't know about that

Disclaimer, I do a lot of writing for different audiences.

The rules of writing are not a single body. They differ depending on the audience. Use of hyphenated adjectives, expected for some audiences, gauche to others, is just one example. Starting a sentence with a conjunction, even if theoretically permissible in many cases, is considered sufficiently poor form as to be indicative of bad sentence construction by most audiences I work with, indicating that the sentence should be reworded.

I remember talking about some of the differences in expected writing styles of journalism versus literature once, and even core word choice and punctuation rules were quite different. In my job, I have to write very differently for standards language than I do for compliance language or run book language. Even something as basic as active versus passive voice, many forms of writing I work on professionally explicitly prefer passive voice.

Broadcom's VMware buy got you worried? Give these 5 FOSS hypervisors a spin


Beware the Oracle

I've seen companies issue urgent "remove all VirtualBox instances now" warnings, time and time again over the past several years. Turns out, Oracle loves to find companies using such, try and force an audit on them that will cost the company a lot of money even if they are in compliance, and if they find even one user who without thinking is using it commercially in a manner only licensed for personal use, hit the company with huge penalties. It was literally cheaper to buy alternatives for users than to go through such audits for a "free" software product.

Did ID.me hoodwink Americans with IRS facial-recognition tech?


NIST SP 800-63a issues

Having recently had to re-read NIST SP 800-63a, the Identity Assurance Level (IAL) tiers of what constitutes IAL-2, there is a small part of me that feels sorry for the IRS. More than likely, someone told them they have to meet IAL-2 for online access to taxpayer data. That's hard. A lot of what I've seen around the id.me stuff has been, if not something to make me feel good, at least something I can sort of understand in the context of IAL-2.

Section 4.2 statement 10 actually encourages the organization to conduct a fairly vaguely described fraud mitigation mechanism. I'm not overly conversant on the fine details of SP 800-63a, so I can't say that id.me followed the additional rules in it. But I can at least feel some understanding for what's going on. When someone I knew went through the id.me process some months ago, we compared each requirement of id.me back to the document and couldn't find any case where they weren't following a plain reading of the rules, even the steps that made us concerned were clearly listed as things they were supposed to do. I won't say I'm happy about what happened, but if we want to prevent such things from recurring, we need to understand what rules may have caused people to select a certain approach, or the next company to come along will do much the same thing, just with slightly different marketing.

Microsoft makes account switching easier in its web and desktop apps


Browser profiles?

Instead of using a guest profile, why don't more people use persistent browser profiles? Especially on my work computer, I use multiple profiles so that it feels like just a separate window of the browser logged into different accounts. Side benefit is I get different sets of cookies that are persistent, so other vendor websites or services can be bound to the correct account automatically.

IBM deliberately misclassified mainframe sales to enrich execs, lawsuit claims


Re: Now we have hybrid cloud

Not defending IBM, but NIST actually has a fairly clear definition of different cloud models in NIST SP 800-145. They do define hybrid cloud there as well.

I started referencing the NIST definitions of what cloud means and the various models recently, ended a lot of potential arguments.


Not just publicly traded companies.

"We need to maximize revenue in category X!"

Answer: Shift several projects having nothing to do with that category into it, then declare that category strategic and everything else "legacy" (and therefore an area to get out of, even if it makes lots of money for the company).

I've seen it at all kinds of companies. If it isn't about propping up stock price, it might be about pumping up perceived value for private equity firms.

Half of bosses out of touch with reality, study shows


Re: Easing?

Two kinds of managers. Those that manage up, and those that manage down.

I've had great upward managers. They described their job as basically blocking all the flak sent our way. They'd find out priorities from on high, push back on things that would cause us grief, and if they did their job well, we'd never know how much they successfully resisted, because it wouldn't come near us. (Until the casual conversations weeks later where they'd mention what was going on earlier).

Downward managers are the ones who look down at the team a lot more and provide day to day direction more.

When I have more senior teams, that's when I usually want an up focused manager. I don't need their daily help, I need them to stop the nonsense, prevent little griefs from being big ones.


Re: I don't know about anyone else

Around fifteen years ago, when I had a guaranteed 100% WFH tech position, I estimated I was saving around $5000 per year in costs I could clearly articulate. A significant amount of that cost (but hardly all) was based on the IRS mileage rate for driving myself to and from the office. Approximately 230 days of work per year (50 weeks (two weeks of standard holidays) -> 250 days, but take off 20 or so for vacation days and sick days and a few random days to get a nice round number), it was right around $0.52/mile, so ~$240/mile from the office per year. At the time, I lived around 20 miles from the office, so $4800 just for wear and tear, gas, etc. expenses of the commute.

Today, I'd calculate my hourly rate and add in the cost of that to the commute for the estimate and yeah, if someone offered me $7500 less per year for a guaranteed "work anywhere in the country"? I could see a lot of people going for that. If they wanted $10k less? I'd probably consider it a negotiation point and go from there -- if I really wanted the position.


Re: Bollocks statistics

I never understood how people took an hour for "lunch". Had one employer get upset at me for not working 45-50 hours/week. Their excuse? "You have to take time for lunch". I pointed out that I brought my lunch every day, took under five minutes to heat it if necessary, returned to my desk and kept working. I never agreed to a split schedule of mandatory "really working but pretending not to work for an hour or more every day".

(Side effect, I saved a lot of money each year by not purchasing an overpriced meal from the corporate cafeteria that really wasn't that good for me anyway).


Re: Bollocks statistics

I've successfully resisted this culture. One way I did that is by emphasizing every year in "annual goals" that my number one goal is "Maintain gainful employment without significant adverse effect to health or family." When I send someone an email outside what I know their standard hours to be, I'll put an explicit "When you get in" to emphasize that I do not expect them to respond to the email before their standard day.

As a consultant, I keep track of my hours and tell the client "I'm going to hit 40 hours billable at such and such time Friday, so I'll be leaving then." I don't ask, I tell. If a client has a problem with it, they can ask the next week if I would be willing to work overtime.

People with a certain seniority need to lead by example. You may not be a "manager", but if the company values your time and you start emphasizing the work life separation (not balance, separation), others are more likely to follow your lead.

Scam, pyramid scheme, environmental disaster: Vivaldi boss shares his thoughts on crypto-coins


Re: Wall Street?

Regarding signing of vaccination status, check out the smart healthcare card format (SHC). Some areas already use it to issue digital vaccine statements that are cryptographically signed by a known entity (e.g. the state of California). No blockchain required, just ordinary cryptographic public key signatures of an agreed data structure.

'IwlIj jachjaj! Incoming LibreOffice 7.3 to support Klingon and Interslavic



The libressl team, in the wake of heartbleed which spawned the project, eliminated tens of thousands of lines of code in the first few weeks of the project existing. That code was never going to come back.

Yes, software (OSS or COTS or custom build) can get smaller, but it does take some discipline, something that is often lacking in any codebase (not just OSS).

Spruce up your CV or just bin it? Survey finds recruiters are considering alternatives


Coding is not the end

Coding interviews miss the point. How does the candidate work with the team? Do they demonstrate an awareness of process? Can they demonstrate an understanding of ways to juggle competing requirements for the code? I used to say that the job was at most one third technical skills. The other two thirds were general problem solving and people skills.

Who knew, hiring is hard.

Cisco requires COVID-19 shots for all US staff – even remote workers


Re: how to prove it

In California, all COVID vaccinations are reported to the state vaccination database, even the pop-up clinics, and you can download a cryptographically signed smart health card (QR code) that includes name, date of birth, and vaccination data. The database already existed for all other vaccinations, what changed is a website for end users to obtain the evidence (at IAL-1 level) of an individual being vaccinated. That QR code saves directly to both android and Apple mobile devices for production readily, and there are also apps that can display the code readily in forms used for travel (as well as test results).

After looking into the SHC technical specification, I was pleasantly surprised at it. A lot of things were well thought out.

Doesn't help those not vaccinated in California, but for many people? It's a nice thing.
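The two comments above (this one and the earlier "Wall Street?" reply) point at the smart health card (SHC) format without showing what is inside the QR. As an added example, not code from the original posts, the following stdlib-only Python decodes the shc:/ numeric encoding into its JWS, checks the header and issuer constraints the format relies on, inflates the raw-DEFLATE payload and pulls out the name, date of birth and vaccination entries; the sample card, issuer URL, kid and the all-zero signature are constructed placeholders. It stops at the point where the 64-byte ES256 signature over signing_input must be verified against the key published at the issuer's JWKS URL, which needs an ECDSA library and is not shown here.

```python
import base64
import json
import zlib
from typing import Any, Dict

# Constructed sample, not a real card: the FHIR bundle shape follows the SHC
# vaccination profile, but issuer, kid and signature bytes are placeholders.
SAMPLE_HEADER = {"zip": "DEF", "alg": "ES256", "kid": "PLACEHOLDER-KID"}
SAMPLE_SIGNATURE = bytes(64)  # placeholder: an ES256 signature is r||s, 64 bytes
SAMPLE_PAYLOAD: Dict[str, Any] = {
    "iss": "https://issuer.example.invalid",
    "nbf": 1620000000,
    "vc": {
        "type": ["https://smarthealth.cards#health-card",
                 "https://smarthealth.cards#immunization"],
        "credentialSubject": {
            "fhirVersion": "4.0.1",
            "fhirBundle": {
                "resourceType": "Bundle", "type": "collection",
                "entry": [
                    {"fullUrl": "resource:0", "resource": {
                        "resourceType": "Patient",
                        "name": [{"family": "Doe", "given": ["Jane"]}],
                        "birthDate": "1980-01-02"}},
                    {"fullUrl": "resource:1", "resource": {
                        "resourceType": "Immunization", "status": "completed",
                        "vaccineCode": {"coding": [
                            {"system": "http://hl7.org/fhir/sid/cvx", "code": "207"}]},
                        "patient": {"reference": "resource:0"},
                        "occurrenceDateTime": "2021-04-01"}},
                ],
            },
        },
    },
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_jws(header: Dict[str, Any], payload: Dict[str, Any], signature: bytes) -> str:
    """Assemble a compact JWS the way an SHC issuer does: raw DEFLATE payload."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    body = comp.compress(json.dumps(payload, separators=(",", ":")).encode()) + comp.flush()
    head = json.dumps(header, separators=(",", ":")).encode()
    return ".".join([_b64url_encode(head), _b64url_encode(body), _b64url_encode(signature)])


def jws_to_qr(jws: str) -> str:
    """SHC numeric mode: each JWS character becomes (ord - 45) as two digits."""
    return "shc:/" + "".join(f"{ord(c) - 45:02d}" for c in jws)


def qr_to_jws(qr: str) -> str:
    if not qr.startswith("shc:/"):
        raise ValueError("not an shc:/ payload")
    digits = qr[5:]
    if len(digits) % 2 or not digits.isdigit():
        raise ValueError("numeric body must be an even number of digits")
    return "".join(chr(int(digits[i:i + 2]) + 45) for i in range(0, len(digits), 2))


def decode_card(qr: str) -> Dict[str, Any]:
    """Parse and structurally check a card. The signature is NOT verified here."""
    parts = qr_to_jws(qr).split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have three parts")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "ES256" or header.get("zip") != "DEF" or not header.get("kid"):
        raise ValueError("header must be ES256, DEF-compressed, and carry a kid")
    payload = json.loads(zlib.decompress(_b64url_decode(parts[1]), wbits=-15))
    iss = payload.get("iss")
    if not isinstance(iss, str) or not iss.startswith("https://") or iss.endswith("/"):
        raise ValueError("iss must be an https URL without a trailing slash")
    signature = _b64url_decode(parts[2])
    if len(signature) != 64:
        raise ValueError("ES256 signature must be 64 bytes")
    return {
        "header": header, "payload": payload,
        "signing_input": f"{parts[0]}.{parts[1]}".encode("ascii"),  # what ES256 signs
        "signature": signature,
        # Key lookup location defined by the SHC spec; verify before trusting payload.
        "jwks_url": iss + "/.well-known/jwks.json",
    }


def summarize(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the fields the comment lists: name, date of birth, vaccination data."""
    summary: Dict[str, Any] = {"name": None, "birthDate": None, "immunizations": []}
    for entry in payload["vc"]["credentialSubject"]["fhirBundle"]["entry"]:
        res = entry["resource"]
        if res["resourceType"] == "Patient":
            nm = res["name"][0]
            summary["name"] = " ".join(nm.get("given", []) + [nm.get("family", "")]).strip()
            summary["birthDate"] = res.get("birthDate")
        elif res["resourceType"] == "Immunization":
            code = res["vaccineCode"]["coding"][0]["code"]
            summary["immunizations"].append((code, res.get("occurrenceDateTime")))
    return summary


if __name__ == "__main__":
    qr = jws_to_qr(build_jws(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_SIGNATURE))
    card = decode_card(qr)
    print(card["jwks_url"], summarize(card["payload"]))
```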

Customers warn Gartner of AWS's high-pressure sales tactics in latest verdict on public cloud providers


Sales pressure

Gartner has a strong reputation for engaging in behavior that, if you are feeling exceedingly polite and generous, would be called high pressure sales tactics on companies to be included in their listings as well as to "improve" their ratings. For them to warn about another company engaging in high pressure tactics feels more than a little ironic.


Re: Public?

Gartner has credibility still?

The common factor in all your failed job applications: Your CV


Re: CV's top tips

Last time (many years ago) I was interviewing for jobs, I got asked why I wanted a given job, and I told the recruiter they needed to convince me I should take the job, I was interviewing them at least as much as they were interviewing me.

Yes, I was offered the position.

Train operator phlunks phishing test by teasing employees with non-existent COVID bonus


Re: spelling mistakes, a really obviously bad url

Actual phish emails I analyze haven't been typo riddled in a year or more. I see more typos and grammatical mistakes in the legitimate emails.

Also, spearphishes are very often crafted quite well, including personal references.

Don't train people on the exact wrong indicators.


Re: spelling mistakes, a really obviously bad url

The standard is that any legitimate email from outside the corporate email system needs, at least three business days in advance, a warning from the appropriate group inside the company that the outside email will occur, including a description or mockup of the email to be received. If the emails are going to be regular/common, then state that in the warning email. If there is a response required, then that will be highlighted in the mail system, often with a second path warning of the coming emails that doesn't go through email, such as a notice through the supervisor.

If the email came from the corporate email system, then it was a bad test.

Modern phishing training that is any good does not talk about spelling mistakes or "obviously fake domains". They instead emphasize external sources, artificial sense of urgency and lack of corroborating emails from the official corporate email system.

Yes, I've worked at shops that implemented that rule, and it significantly cut down on the phishing damage.

US declares emergency after ransomware shuts oil pipeline that pumps 100 million gallons a day


Air gap can be hard

Several times, I've heard of supposedly air gapped systems that were connected to a command and control network, legitimately, which was connected to an administrative network, with all the sysadmins knowing that, but that admin network was connected to the ... and eventually, to the public network. Each link seemed appropriate in isolation, but not together, and no one realized the overall chain of links until something happened to demonstrate it.

It's not a new problem, and it doesn't have to be malicious incompetence. Air gapping a single server is easy. Air gapping a network of systems that need to talk to each other to do their primary function is much harder.