Now that things have degraded to complete idiocy with regard to the Sony breach, I finally feel like I have to make a statement.
Of course, everyone is focused on a country using terrorist tactics to silence an ill-conceived work of fiction, and how quickly a large corporation caved in to threats.
But who really cares about that? The real story ... the one that everyone is being misdirected to ignore ... is how easily sensitive information was stolen.
There's absolutely no reason for Sony's data to have been stolen. There's even less reason that such an attack should have successfully acquired so much data. The fact that the criminals got so much information not only on Sony's products but also confidential employee information indicates that the breach was almost total in its scope.
Such a complete breach is only conceivable if Sony were blatantly ignoring best practices. Sony would have to have been neglecting both layered security (i.e. "defense in depth") and proper intrusion monitoring.
If both of these security best practices had been followed, the attackers would have been slowed down enough by the layers for the intrusion monitoring to set off alarms. At worst, some limited amount of Sony's data would have been stolen before network administrators had noticed the attack and stopped it. At best, the attacks would have been stopped at the border, and eventually the attackers would have given up the effort as impossible.
Sony's failure to follow best practices isn't unusual. I can say from first hand experience over the past few years that most companies are making the decision to save money by avoiding perfectly ordinary security activities.
Sony's breach isn't really that bad, when taken in context. Imagine if the breach had been a bank, or a health care provider, or an insurance company. Imagine the number of completely innocent people whose personal data would have been compromised. Imagine waking up one morning to find that your identity had been stolen, your bank account emptied, and the most personal details of your medical history published on a web site ... all because your employer decided to use a cut-rate HR provider that's not properly secured.
Impossible, you say? That's whistling past the graveyard. I can say, from first-hand experience, that there are numerous organizations with critical information that are not even beginning to secure it properly. This extends not only to private organizations, but also to government regulatory bodies, which means that in many cases you don't have the option to withhold your personal information in order to protect it. The unsecured information I've witnessed first-hand covers tens of millions of people, and it stands to reason that the trend extends far beyond my experience.
In the U.S., at least, the federal government is unable or unwilling to do anything about it. Sure, there are laws in place to protect people from negligence of this sort. But laws are useless in the absence of enforcement, and I've watched government enforcement agencies feebly fail to do anything useful toward effective enforcement, although I don't have the insight to know why. If I had to theorize, I would guess that the government is incapable of offering competent security professionals the sort of compensation that they can get elsewhere.
Private organizations aren't any better. Security professionals constantly have their efforts thwarted by high-level bean-counters who point out that proper security does nothing to improve the company's profits. Of course, with the lack of enforcement, there's no fear of fines or legal recourse, so the security professional is left with little ability to actually improve anything.
In the end, the state of affairs right now is that if your personal information hasn't been stolen, it's really just a matter of manpower. Simply put, criminals don't have enough time to steal all the information they could be stealing.
Here's hoping the Sony breach brings about some change.
Thursday, December 18, 2014
Tuesday, November 11, 2014
Why net neutrality isn't as simple as it seems
We're back to net neutrality being a big thing again. It seems to come and go depending on how bored people get with other issues.
Before I go any further, I want to point out that I am completely in favor of net neutrality. I am in no way defending Comcast's right to screw up my Netflix for bargaining purposes.
However, writing a law that guarantees net neutrality is not as simple as many seem to think. In fact, a poorly written law could actually make the situation worse.
I'm not a politician because I'm not a masochist. I'm a technologist, but I've frequently been involved in the development of policy, so I have some idea of how wrong things can go. There are a number of ways that a net neutrality law could make things worse, but there's one example that's pretty easy to explain.
The whole idea of net neutrality is that all data flowing on the network should be treated equally. The problem arises in the fact that it's impractical to treat all data equally.
Let's take an internet movie vs. an internet phone call. For our purposes, we don't care which companies are providing the service.
If the movie and the phone call are using the network at the same time and, between the two of them, exceed the available bandwidth, what should happen? Most people out there screaming for net neutrality will comment that both services should suffer equally -- that's fair, right?
Most folks with a technical background understand that's not the case. In the case of the internet movie, the design of movies is such that your device has downloaded several seconds, or possibly even minutes, ahead of what you're watching. In the event that the data transfer is interrupted temporarily, the movie will continue playing without interruption.
However, an internet phone call is real time. Even the most minor of network problems (and when I say minor, I'm talking about an interruption lasting less than 1/2 second) will garble the sound and/or introduce delay or echo into the conversation. An interruption of more than a few seconds will make the call unusable, and quite likely result in a dropped call.
It's not so much that the result is different between the two, but the severity required to cause the result. In the worst case, the internet movie will also get dropped, but it would take several seconds or even minutes before the viewer would even notice, and even then it might just freeze the video for a short time before resuming.
In the case of the phone, a problem lasting even a fraction of a second will disrupt the call, and it won't take minutes of interruption for the call to get dropped.
So, any network administrator knows to prioritize voice traffic over everything else. In fact, a lot of network hardware does this by default these days.
Imagine the shitty quality of internet phone calls that would result if companies were legally required to treat all traffic the same. Remember when cell calls used to drop all the time? We'd be back to that.
It's not that net neutrality is a bad idea. It's just that it has to be legislated carefully to avoid making the problem worse.
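To make the buffering argument above concrete, here is a small added simulation (my own illustration, not code from the post or from any vendor). A buffered video stream and a real-time voice call share one link whose capacity is smaller than their combined demand. The link is run twice: once as a plain FIFO queue ("treat every packet the same") and once with voice served first. All sizes, rates and the 140 ms "late frame" threshold are constructed for the example; the point is the shape of the result, not the specific numbers.

```python
"""Toy link scheduler: buffered video vs. real-time voice on a congested link.

Constructed example. Time advances in 20 ms ticks (one voice frame per tick).
Video arrives as 200-byte packets, six per tick, so video alone already
exceeds the link; the video player keeps a playback buffer and only stalls
when that buffer runs dry. Voice frames are useless if they arrive late.
"""
from collections import deque

TICK_MS = 20              # one simulation step = 20 ms
LINK_BYTES = 1000         # bytes the link can carry per tick
VOICE_BYTES = 160         # one voice frame per tick (constructed size)
VIDEO_PKT = 200           # video packet size
VIDEO_PKTS_PER_TICK = 6   # 1200 B/tick offered: more than the link can take
PLAY_RATE = 600           # bytes the video player consumes per tick
PREFETCH_TICKS = 250      # player starts with 5 s of video already buffered
LATE_TICKS = 7            # voice frame queued > 140 ms counts as garbled/lost


def simulate(priority_voice, ticks=500, outage=None):
    """Run the link for `ticks` steps and return outcome metrics.

    priority_voice: False = single FIFO queue, True = voice served first.
    outage: optional (start, end) tick range during which the link is dead.
    """
    if priority_voice:
        voice_q, video_q = deque(), deque()
        queues = [voice_q, video_q]          # voice drained before any video
    else:
        voice_q = video_q = deque()          # one shared FIFO queue
        queues = [voice_q]

    voice_delays = []                        # queueing delay (ticks) of delivered frames
    buffer_bytes = PLAY_RATE * PREFETCH_TICKS
    stalls = 0

    for t in range(ticks):
        # Offered load each tick: six video packets, then one voice frame.
        for _ in range(VIDEO_PKTS_PER_TICK):
            video_q.append((t, VIDEO_PKT, "video"))
        voice_q.append((t, VOICE_BYTES, "voice"))

        in_outage = outage is not None and outage[0] <= t < outage[1]
        budget = 0 if in_outage else LINK_BYTES
        video_delivered = 0
        for q in queues:
            # Serve in order while the head packet fits; leftover budget is lost.
            while q and q[0][1] <= budget:
                arrived, size, flow = q.popleft()
                budget -= size
                if flow == "voice":
                    voice_delays.append(t - arrived)
                else:
                    video_delivered += size

        # The player draws PLAY_RATE bytes per tick from its buffer; an empty
        # buffer means a visible stall, regardless of what is still in flight.
        buffer_bytes += video_delivered
        if buffer_bytes >= PLAY_RATE:
            buffer_bytes -= PLAY_RATE
        else:
            stalls += 1

    # Voice frames never delivered by the end of the run are lost as well.
    stranded = sum(1 for q in queues for pkt in q if pkt[2] == "voice")
    return {
        "voice_late": sum(1 for d in voice_delays if d > LATE_TICKS) + stranded,
        "voice_max_delay_ms": max(voice_delays, default=0) * TICK_MS,
        "video_stalls": stalls,
    }


if __name__ == "__main__":
    print("FIFO, congested link:      ", simulate(False))
    print("voice priority, congested: ", simulate(True))
    print("voice priority, 0.5 s outage:", simulate(True, outage=(100, 125)))
    print("voice priority, 6 s outage:  ", simulate(True, outage=(100, 400)))
```

Under FIFO the shared queue grows without bound, so voice frames end up queued for seconds while the video, which only needs about 600 of the 1000 bytes per tick, never stalls at all. Giving voice strict priority costs the video nothing and brings voice delay to zero. The two outage runs show the other half of the argument: a half-second dead link is absorbed entirely by the video's prefetch buffer but delays every voice frame sent during it past the threshold, and only a multi-second outage finally drains the buffer and freezes the picture.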
Monday, October 27, 2014
The real reason bodybuilding is difficult
Not everyone knows this, but I've started moderately-serious bodybuilding. That is to say, compared to real bodybuilders, not serious at all; but compared to the average guy on the street, pretty serious.
Diet is the most important part of bodybuilding. Not many bodybuilders will argue that fact: you have to eat properly or your body just doesn't put on muscle. For me to have the maximum chance of building muscle without the calories turning into fat, I need to eat about 3000 calories per day.
That's HARD. I never expected it to be so difficult to eat a LOT. Of course, I could just eat greasy, crappy food and get the calories from saturated fat and everything else, but there are two reasons not to. The first is that I want to maintain overall health while building muscle.
The second reason is turning out to be a nightmare. In order to give my body the right fuel it needs to build muscle without putting on fat, I need to eat 175 grams of protein a day. If you've never done this before, you should look around at how much protein is in the various foods you eat. Go ahead, I'll wait.
Anyway, because the weather was so unseasonably nice today, I decided to take my bike out and ended up riding 17 miles. Lovely day for it.
Since I burned an additional 900 calories, and it's a lifting night so that's on top of another workout I have coming up, I figured I'd treat myself for lunch. I went to Steak-n-Shake, because I really dig those jalapeno burgers they make. And I figured, it's a burger, it's got lots of protein ... right?
Bull. Check it out, a Steak-n-Shake burger has 25 grams of protein and 700 calories. Which means that if I eat nothing but them, I'll have to eat 7 a day to get my required protein, but will also be hitting almost 5000 calories. This is why you hear stories about bodybuilders eating nothing but boiled chicken all day long. It's not that they're avoiding fat or anything like that, it's just that it's really hard to get all the protein you need each day without making yourself sick. I mean, even ignoring the calorie surplus, who the hell can eat 7 burgers a day without being ill?
Working out is difficult. To build muscle effectively you basically have to repeat a specific exercise until your muscles cannot do any more, then somehow force your muscles to do one or two more (this overload is what triggers the growth response).
But (for me at least) eating in a way that gives my body the correct materials so that it can actually build muscle once that growth response has been triggered has been way more difficult. When I started, I figured that eating 3000 calories a day would be fun ... hell, I'll be eating all the time! Fact is, I am ... eating almost constantly, and sick of it.
So, between trying to eat more than my stomach thinks is wise, and trying to get enough of that food to be protein to be effective ... well, let's just say I'm challenged.
Friday, October 17, 2014
The "misunderstanding" lie
It's an oddity that people are more likely to believe that "there was a misunderstanding" than to believe that one of the parties in a disagreement is lying.
I don't understand where this comes from. In my experience, liars are very common in the world, and misunderstandings generally sort themselves out pretty quickly.
"Misunderstanding" is a tactic used by practiced liars. They're going to tell you a lie that they know they can be caught in, but in the event that they are caught, they're going to claim "that's not what I said, he must have misunderstood me." It's a good tactic, especially when the conversation is verbal and the exact wording can't be proven.
It's also a good tactic when the third party in a disagreement wants to take a particular side, even though he knows that side is lying.
Take the following example: we have four parties, employees A and B, and a manager (X) to whom both of these employees report. Y is another manager who is not directly involved with A or B, but has authority in such a way that B occasionally takes orders from him.
For both scenarios, let's assume that A is an honest, hard-working fellow; and B will lie whenever he thinks it's to his advantage to do so.
Let's assume that the manager has instructed B to assist A on a project and B doesn't want to help A for whatever reason. B tells A that he can't help because Y has him working on something important and he can't take time for anything else. This is a lie, Y doesn't have him working on anything at all.
This may seem foolish on B's part. The lie will be easy to uncover, right? Not really.
First off, B is assuming that A will just take his word for it and not talk to Y. This is unusually common, as many employees are intimidated by the thought of talking to a random manager. Some corporate cultures actively discourage it.
But let's assume that A is a persistent type, or for some other reason isn't intimidated by Y. He contacts Y, who informs him that B isn't doing any work for him. B is caught, right? Wrong, B still has a number of outs.
The first one is that a percentage of people won't bother to pursue the issue further. B and Y aren't being helpful, so A might just buckle down and work extra hours to do all the work himself, allowing B to get away with the lie.
But, let's assume that A is still the persistent type. For whatever reason he goes to their mutual boss, X, and reports the deception. B is caught, right?
Probably not. The typical manager will try to resolve this in the way that managers are taught to. He'll most likely get A & B in the same room (or on the phone) and ask what the problem is. This is where B pulls the "misunderstanding" card. He has two ways to do this.
- He claims that A misunderstood him. He never claimed that he wasn't able to help, he only suggested that A would have to ensure that Y didn't have any more important work.
- He claims that he misunderstood Y. And that he's sorry but he thought he was working on something for Y that he couldn't stop.
#1 is generally the go-to excuse, because it makes A look bad for not paying closer attention, and it's nearly impossible to prove that the issue was actually a lie. But #2 works equally well, especially if B is concerned that A and X might have the kind of relationship where X would trust A's judgement.
Of course, you'll say that it would never work because Y could contest that there was no reason for any confusion, but you're missing the point that B is an experienced liar. He would never have chosen this tactic in the first place if he didn't know there was something he could hold up as a point of confusion: "What about project Z? I thought you said that was important?" Despite the fact that project Z was explicitly put on hold, it's extremely difficult to disprove B's claim that it was all a misunderstanding.
In the end, A's project is now behind schedule because he spent time pursuing this, manager X assumes the whole thing is just a misunderstanding (and possibly his opinion of A's communication skills has been lowered), and B is now smarter about A's behavior and knows to use a different tactic next time.
How could the problem be avoided?
- Don't communicate verbally with B. Insist that all communication go through email or some other traceable method, which avoids the "that's not what I said" argument.
- Manager X needs to keep track of these sorts of problems and look for patterns. If B is really a liar, the pattern will repeat.
Of course, one possibility is that B and X are on good terms and X is more likely to take B's side when the facts are difficult to prove. In such a case, X can even be the one to initiate the claim of misunderstanding. If that's the situation, A would be advised to seek a transfer; and if that's not possible, simply keep his head down to avoid raising X's ire against him.