Phishing and Clearances

Apparently, the CISO of US Homeland Security, a Paul Beckman, said that:

“Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government” (Paul Beckman, quoted in Ars Technica)

Now, I’m sure being in the government and trying to defend against phishing attacks is a hard problem, and I don’t want to ignore that real frustration. At the same time, GAO found that the government is having trouble hiring cybersecurity experts, and that was before the SF-86 leak.

Removing people’s clearances is one response. It’s not clear from the text whether these are phishing attacks (strictly defined, an attempt to get usernames and passwords) or malware attached to the emails.

In each case, there are other fixes. The first would be multi-factor authentication for government logins. This was the subject of a push, and if agencies aren’t at 100%, maybe getting there is better than punitive action. Another fix could be to use an email client which makes spotting phishing emails easier. For example, an email client could display the RFC-822 sender address (eg, “<>” for any email address that the email client hasn’t sent email to) rather than the friendly text. They could provide password management software with built-in anti-phishing (checking the domain before submitting the password). They could, I presume, do other things which minimize the demands on the human being.
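Two of the client-side fixes above (showing the raw sender address for correspondents the client has never written to, and a password manager that refuses to release a credential to any origin other than the one it was saved for), as an added example; this is not code from the original post, and the function names and sample addresses are assumptions.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit


def sender_display(from_header: str, known_addresses: set) -> str:
    """What a phishing-aware mail client would render for a From: header.

    The friendly display name is shown only when the underlying RFC-822
    address is one this client has already sent mail to. Otherwise the raw
    address is shown in angle brackets, so a lookalike display name such as
    "PayPal Security" cannot hide the mailbox the message really came from.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        # Nothing that looks like an address: show an empty address rather
        # than whatever free text the sender put in the header.
        return "<>"
    if addr in known_addresses:
        return name or addr
    return f"<{addr}>"


def _origin(url: str):
    """Reduce a URL to (scheme, host, port); this tuple is what must match."""
    parts = urlsplit(url)
    # .hostname strips userinfo and lowercases the host, so a URL such as
    # https://accounts.example.com@evil.example/ resolves to evil.example.
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, host, port)


def should_submit(saved_origin: str, page_url: str) -> bool:
    """Release a saved password only to the exact origin it was saved for.

    A substring test such as 'example.com' in host would accept
    accounts.example.com.evil.example; comparing parsed origin tuples does
    not. Plain-http pages are refused outright: a credential saved for an
    https origin should never be typed into a page that can be rewritten in
    transit.
    """
    page = _origin(page_url)
    if page[0] != "https" or page[1] is None:
        return False
    return _origin(saved_origin) == page


if __name__ == "__main__":
    # Constructed sample data, not real addresses or sites.
    known = {"alice@example.org"}
    print(sender_display("Alice <Alice@Example.org>", known))
    print(sender_display("PayPal Security <alerts@paypa1-support.example>", known))
    saved = "https://accounts.example.com"
    for url in ("https://accounts.example.com/login",
                "https://accounts.example.com.evil.example/login",
                "https://accounts.example.com@evil.example/login",
                "http://accounts.example.com/login"):
        print(url, should_submit(saved, url))
```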

When Rob Reeder, Ellen Cram Kowalczyk and I created the “NEAT” guidance for usable security, we didn’t make “Necessary” first just because the acronym is neater that way, we put it first because the poor person is usually overwhelmed, and they deserve to have software make the decisions that software can make. Angela Sasse called this the ‘compliance budget,’ and it’s not a departmental budget, it’s a human one. My understanding is that those who work for the government already have enough things drawing on that budget. Making people anxious that they’ll lose their clearance and have to take a higher-paying private sector job should not be one of them.

Virtual assistant services?

I’m getting ready to announce an East coast book tour. In planning my Silicon Valley tour, I learned that between scheduling, getting the details needed out, making sure I knew where I was sleeping, there was a large amount of administrative work involved. So I’d like to hire someone to take care of all that for me next time.

I think the tasks will include:

  • Engage with companies/venues interested in having me speak to work through scheduling & logistics, including ordering books
  • Scheduling (including travel time, setup, speaking, signing)
  • Travel coordination including hotels & trains

Do you have recommendations for a virtual assistant service that you’ve used for something at this level of complexity?

Alternately, convince me that I want a specialized book tour operator? My experience in Silicon Valley was that most venues were companies, and many were good enough to buy the books for their employees. So I don’t think I need someone specialized.

Follow your passion?

Growing up, we were told by guidance counselors, career advice books, the news media and others to “follow our passion.” This advice assumes that we all have a pre-existing passion waiting to be discovered. If we have the courage to discover this calling and to match it to our livelihood, the thinking goes, we’ll end up happy.

As I considered my options during my senior year of college, I knew all about this Cult of Passion and its demands. But I chose to ignore it. The alternative career philosophy that drove me is based on this simple premise: The traits that lead people to love their work are general and have little to do with a job’s specifics. These traits include a sense of autonomy and the feeling that you’re good at what you do and are having an impact on the world. Decades of research on workplace motivation back this up. (Daniel Pink’s book “Drive” offers a nice summary of this literature.)

(“Follow a career passion?” Cal Newport)

It may be confirmation bias, but I’m feeling a real sense of relief from these career articles in the New York Times. Growing up, I had a series of plans that I was forced to make. Many of these were foisted on me by well-meaning folks who wanted to ensure that I avoided defaulting to petroleum transfer engineering. The experience of these guidance counselors was that if you don’t have a plan, you end up at wits’ end. There was a series of random events that took me off the path that I’d planned, and brought me where I am today.

As a silly example, if someone had told me that going to an intrusion detection conference in Belgium was going to lead to me writing a book 5 years later, I wouldn’t have even laughed. I would have just shaken my head.

The idea that job satisfaction comes from things other than painting by numbers is important. For a great deal of human history, most people worked on their farm or someone else’s, and received little in the way of cash payment. The idea of the organization man required organizations big enough to stick around for your entire life. Professionals worked for themselves, or really, whoever walked through the door on a given day.

More and more folks are working independently. Some of that is by choice. Avoiding the mind-numbing meetings, politics, and co-workers you don’t like can be rewarding. Focusing on projects, where you can see an outcome and a deliverable, can be clarifying. On the other hand, a lot of people are getting forced there, and for a lot of people, it’s a rough place to be. I think much of that roughness relates to the unpredictability (where’s my next job coming from?), but I also think a lot of it comes from believing that a successful person is painting by numbers. That they’re following a preset plan. And if you’re “just” consulting or contracting, you are not doing that, and therefore, you’re not successful.

What emerges over the course of a life is hard to predict. Demanding that it be both awesome and according to plan is a much harder expectation to meet than just accepting the awesome which comes your way.

Rejecting the chaos of interesting and random opportunities that came along would have made for a different career for me. Would it have been interesting? Probably. Would it have been as rewarding? It’s hard to say. But I doubt it.

So next time you’re thinking about a career choice, try rejecting the paint by numbers approach, and embracing the emergent chaos that might come from looking for more of a chance to build and flex your skills, to have an impact on the world, or to find co-workers who you can learn from.

Two Models of Career Planning

There’s a fascinating interview with Mark Templeton of Citrix in the New York Times. It closes with the question of advice he gives to business students:

There are two strategies for your life and career. One is paint-by-numbers and the other is connect-the-dots. I think most people remember their aunt who brought them a gift for their birthday or whatever and it was a paint-by-number set or a connect-the-dots book.

So with the paint-by-number set, you know ahead of time what it’s going to look like. Then, by contrast, with a connect-the-dots puzzle, you can only guess at what it might look like by the time you finish. And what you notice about that process is the further along you get, the more clear it becomes. It might be a beach ball, or a seal in a Sea World park or something. The speed at which you connect dots gets faster as the picture starts coming into view.

You probably get the parallel. This isn’t about what’s right and what’s wrong. This is about getting it right for you. Parents often want you to paint by numbers. They want it so badly because they have a perception that it’s lower risk, and that’s the encouragement they’re going to give you. They’re going to push you down this road, and faculty members will, too, because they want you to deliver on what they taught you. It doesn’t make it wrong; it’s just that there’s a bias in the system. You have to decide for yourself. The earlier you actually get it right for yourself, the faster and the better that picture is going to look.

And the more time you spend on paint by numbers when you’re a connect-the-dots person, and vice versa, the harder it’s going to be. (Mark Templeton, quoted in “Paint by Numbers or Connect the Dots“)

When I got started in information security, there were a lot fewer jobs. They were less categorized. There might have been degrees in information security, but there certainly were not “Centers of Excellence” churning out graduates. (It turns out “degree” is one of those terms, like “hotel” or “mesothelioma” that’s so heavily SEO’d that it’s a pain to search that history.) Because there was no “paint by numbers” path, people entered the field from a wide variety of backgrounds. Everyone was connecting the dots as we went.

Anyway, I like the analogy, and think it explains why a lot of career advice fails to help its intended recipients.

Fascinating Job at PayPal

Someone reached out to me about a job that looks really interesting:

The Director of Security Experience, Education & Research (SEER) will be responsible for defining the customer-facing security strategy for PayPal, define product roadmaps to enhance feature security and usability, drive customer security best practices adoption throughout our industry, and drive customer security education and engagement in coordination with PayPal’s marketing and global operations teams. The SEER Director will also play a leadership role in helping set the authentication strategy, research agenda, and lead a team to establish a customer-centric culture …

I think the hiring manager has put together a fascinating set of tasks, which, combined with PayPal’s reach, has real potential to make the world a better place, and so I wanted to help him find the right candidate.

Emergent Chaos endorses Wim Remes for ISC(2) Board

Today, we are sticking our noses in a place about which we know fairly little: the ISC(2) elections. We’re endorsing a guy we don’t know, Wim Remes, to shake stuff up. Because, really, we ought to care about the biggest and oldest certification in security, but hey, we don’t. And really, that’s a bit of a problem. And it seems that Wim wants to make things better. And so we’re encouraging all four of our CISSP-holding readers to go vote for him, because we think that a whole lotta shaking going on would be, at worst, a not-bad thing.

How’s that for a heartfelt endorsement?

Ok, more seriously. ISC(2) offers up a certification in information security. There’s a big infosec community that doesn’t take that certification very seriously. That’s a problem that I’ve never had a motivation to try to solve, but Wim does, and I wish him the very best of luck. I think that the CISSP could do substantially better, and the first phase of that is to elect some outsiders to communicate a message that change is needed. What’s more, Wim is not a joke candidate, and he’s campaigned effectively for the role, getting lots of endorsements from people who are both worth listening to and who take this seriously enough that they wouldn’t open with a jokey lead.

And so Emergent Chaos is endorsing Wim, and hoping that some chaos and other worthwhile things start to emerge. You can read his statement on Jimmy Blake’s blog, and vote here.

Punditry: Better Security Through Diversity Of Thinking

I am honored that the kind folks at Threatpost have asked me to write for them occasionally. My first post is about better security through diversity of thinking, which was inspired by pastry chef Shuna Fish Lydon. From her post (which I quoted in mine as well):

It is my experience that unless you push yourself really hard to stay away from your sweet spot comfort zone of I-Know-All-I-Need-To-Know-And-I-Feel-Very-Comfy-In-This-Job/Kitchen-Thank-You-Very-Much, and move kitchens or chefs or hire people who are much closer to your level than you feel comfortable having them, you will become stagnant in your baking skill and knowledge.

True for security as well. See my post for more.

Ten Years Ago: Reminiscing about Zero-Knowledge

Ten years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who can’t say that.

We struggled with the tremendously hard problem of privacy. We did it for something bigger and more important than ordering your groceries online. We didn’t succeed at the first business plan, or the second, but we plugged away at it, listened to prospective customers and partners, and the company is still in business and going strong as RadialPoint.

We learned an awful lot. We learned that people are awfully passionate about privacy. Hundreds of thousands of people signed up to try our software. We had a guy who called support after buying a new computer to get privacy. I remember the woman who took his call telling me how sad she was she had to get off the phone and take other calls. And we learned that what we meant when we said privacy wasn’t what other people meant.

I think too much of today’s privacy debate is wrapped up in a similarly nebulous term, identity theft. It’s hard to address a problem that’s so vague. But that’s a post about today, not about ten years ago.

We hired a lot of great people who I knew. I met a lot of great people, too. I went to work with one of them, Dave Clauson, at another startup, Reflective. I work with some of them again (Hi Christian! Hi Stefan!).

For me, the key lesson was to really drink deep of your prospective customer’s pain. To accept that they may have a label that you really understand better than them (“privacy”) and that it doesn’t matter. What matters is how they see it, and how they understand your solution. Zero-Knowledge made me skeptical of great technology as a problem solver, when the customer is asked to understand it or care. Your customers never care about your technology anymore. They care about what pain it solves.

I’d love to go back and tell myself ten years ago to love the customer better. There are other lessons. I’d love to have seized the day and some of its opportunities better. But in the end, that flight to Montreal put me on the path to where I am today.

So a huge thank you to all of our customers and prospective customers. Thank you to Ian for introducing me to Austin. Thank you, Austin and Hamnett for offering me the job. Thank you to all of my co-workers, employees and friends of the company.

Double-take Department, Madoff Division

The Daily Beast has a fascinating article that is a tell-all from a Madoff employee. I blinked as I read:

The employee learned the salaries of his colleagues when he secretly obtained a document listing them. “A senior computer programmer would make $350,000, where in most comparable firms they would be getting $200,000 to $250,000….”

Senior programmers getting a quarter-mil in “comparable firms”? Comparable in what way? Other multi-billion Ponzi schemes that stole from rich suckers and charities alike? Is this another thing to be angry at AIG for? (Cue rimshot.)

I know it’s a tell-all, but tell more, tell more. Another intriguing morsel can be found in:

The employee was part of a trading group, which was able to break a security code that he says led them to a site that was supposed to be seen only by the Madoff family. It showed the profits and losses of the legitimate businesses.

The group broke the code? The person broke the code? And do tell more. Perhaps the author, Lucinda Franks, has some more details for us. Or maybe she’s saving them for a second Pulitzer.

The Twain Meeting

Some time ago, I was on an extended stay in Tokyo for work. When one is living there, there are things one must do, like make an effort to live up to being a henna gaijin.

I must disagree with those who translate that as “strange foreigner.” The proper translation is “crazy foreigner.” I’d never heard henna softened to strange before visiting Maiyim-Baron-sama’s web site.

One of my co-workers there was an American chap who spent at least part of his childhood on Okinawa, married a Japanese woman, and was living permanently there. He helped greatly in my craziness.

The term isn’t precisely an insult, and it isn’t precisely a compliment. If you came to lunch and two Japanese on extended stay were discussing Marlowe, Sheridan, and The Great Vowel Shift in their comic stereotypically bad accents, you’d see a bit of what henna gaijin means. Being a henna gaijin is a bit like being a dancing bear. The people watching you throw yourself into their culture are amused, a bit admiring, a bit repulsed, and a bit pitying that you might think enough of yourself that you could succeed at any degree of assimilation.

It’s harder for a Brit to be a henna gaijin than an American because part of the craziness is the things you get wrong. Brits won’t get into the wrong side of the car or look the wrong way when crossing a street. Having to do a right-left shift along with everything else adds to the dancing-bear-ness of being a henna gaijin. Having to re-learn to read and write is also a lot of it.

However, I knew my place and threw myself into the craziness aspects. Since it’s impossible to blend in, I dressed to stand out. It was winter, so I wore a long black coat and a white silk aviator’s scarf. I came in to work in the morning with a breakfast of sushi rolls and heated cans of oolong tea (which I used as hand-warmers in my coat pockets, having left my gloves back in New England). I’d go do traditional things natives never did, such as go to the Kabuki theatre. I’d sign my name in a mix of kanji and (shock horror) hiragana.

Most importantly, I’d point out other things that were crazy. I would playfully suggest that actually “gaijin” means “barbarian.” No, no, no, no, they’d insist. I’d be amused, because it isn’t true, but the disdain gaijin get makes it closer to barbarian than a culture that has no irony is comfortable with. Brits will find themselves asking forgiveness for ever suggesting Yanks don’t do irony. Japan is an irony-free zone, and when you forget this you must follow through or cause your hosts to lose face. Do not say anything like, “Oh, that sounds like the perfect way to spend a Sunday,” because you will be spending your Sunday in precisely that way. If you mix irony and natto, you will get a side-splitting tale you can use for the rest of your life.

My fellow henna gaijin and I would refer to each other as firstname-kun and our colleagues as lastname-san, partially for effect (the ostentatious use of -kun) but also because gaijin call each other by their given names rather than surnames. How henna.

I also insisted that *I* was the Easterner, and they were the Westerners. My proof was simple. What direction did I go in when I came to Tokyo? East. And what direction did they go in when they went to Boston? West. Therefore, while Japan may be the land of the rising sun, that’s because it’s in the far west rather than the far east. If it weren’t in the west, the sun couldn’t rise in the east. If it were in the far east, the sun would rise overhead. QED. (And yes, the sun does rise overhead in Boston. If you don’t believe me, come find out for yourself.)

Henna gaijin.

Write Keyloggers Professionally!

A job site has a job for you if you need some high-paid work: write a remote keylogger.

Here are the project requirements:

We need a keylogger that can be installed remotely.

The main purpose is that user A can send an email with a program to install (example: a game or a funny program) to person B. When person B installs the program on his computer, he is installing at the same time an invisible keylogger on his computer. Then person A receives a report by email of every keystroke that person B makes on his computer.

They only want to pay $250 to $750, which seems fair given that the requirements don’t include undetectability. For that low a contract price, it seems only fair to give the victim a fighting chance.

Photo “Keylogger 1.0 Beta” by soulrift.

Welcome, Crispin!

Michael Howard has broken the news in “Crispin Cowan joins Windows Security”:

I am delighted to announce that Crispin Cowan has joined the core Windows Security Team!

For those of you who don’t know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain and AppArmor. I’ve known Crispin for many years, and have nothing but the utmost respect for the guy. He’s well published, wicked smart, a non-zealot and brutally pragmatic. In my opinion, AppArmor is a shining example of his pragmatism; it’s simple and it works. What excites me the most is he’ll bring a different perspective to the Windows team, and I’m a big believer in stirring the pot!

Let me add my own welcome. Crispin and I have collaborated on a couple of projects, and I look forward to working with him more, and seeing what happens when he applies himself to Windows security.

[A clarification: Crispin is joining Microsoft, not Emergent Chaos (today, anyway). I remain the only MS employee blogging here, and my comments do not represent my employer. I was simply excited and wanted to share the news.]

Looking for a challenge? Life dull?

If you need a change in your life, consider this job posting:

Title: IT Security Architecture Manager Needed

Company: TJX Companies

Location: Framingham, MA

Skills: Very strong technical security background in both the mainframe and distributed environments.

Term: Full Time

Pay: DOE

Length: Full Time
TJX Companies is seeking an IT Security Architecture Manager who has at least 6 years’ experience in Information Technology; certification related to the security profession (CISSP, CISA, CISM) preferred.

Read on. If you like being the sheriff who cleans up town, this could be for you!

Movie Plot Threat No Longer a Metaphor
Director Mike Figgis flew into LAX airport and was detained for five hours because he oopsed. He said, “I’m here to shoot a pilot.”

On the one hand, yes indeed, on the list of things you shouldn’t say while in Immigration, “I’m here to shoot a pilot” is right up there with being careful how you greet your friend John.

But on the other hand, is the US government really filled full of so many beady-eyed mouth breathers with brains the size of cashews that it takes five hours to clear this up? And in Los Angeles, of all places? Dear God, click on the link above. It’s a Google search for “Mike Figgis.” All ten links on the first page point to the director, celebrity, and film maker Mike Figgis. Link #1 (IMDB), link #3, and link #5 all have pictures of him.

Admittedly, IMDB says he was born in Cumbria, England, and link #4 says he was “Kenyan-born.” Hmmm. Highly suspicious. But filmbug says,

Born in Carlisle, England, Figgis moved to Nairobi, Kenya as a baby. He lived there until his family relocated to Newcastle in the north of England when he was eight.

And that seems to clear it up a bit. Mooviees tells us: Born: Saturday, February 28, 1948 (Carlisle, Cumbria, England, UK), and that seems to let us know that Carlisle is in Cumbria, and hey, there’s a date that might be on his passport! Wikipedia (link #2) agrees with that date, but says “Cumberland” instead of “Cumbria,” and unless you’ve taken Latin, that might look suspicious as well.

So what happened? Did the dates not match properly? Did he cut the curls and go all Bruce Willis? Surely there must be some reasonable explanation. Maybe they really hated Leaving Las Vegas. Or perhaps it was that Sopranos episode. Maybe he called the Immigration agent “Sugartits.”

Tip of the hat to 27 B Stroke 6. Original article from The Guardian. Photo of the perp along with Saffron Burrows shamelessly stolen from IMDB, whom I would have linked to if they’d made it easy.

Update on 31 May 2007: This story is apparently too good to be true. Boing Boing got told by people in the know that it’s not true.