Category Archives: Ze Rest of Ze Ztuffm

Insecure Social Media, Russians, and US Elections

For social media companies, insecurity is an integral part of their business model. It’s all down to how they work. They want to sell advertising and their rates are determined by the popularity of the pages where the ads run. More popular pages means higher ad rates, so anything that boosts popularity also boosts revenue for the social media companies.

Of course, when accounts that are liking and following are found to be fraudulent, advertisers cry foul and demand a purging of those fake accounts and also a reduction in their ad rates. This creates an incentive for social media companies to obscure account ownership so that fake accounts are less likely to be discovered. There’s also an incentive to engage in clickfraud, but I’ll pass over that for now. Instead, I’d like to focus in on how those fraudulent accounts can do more than just hike up revenues.

The Russian intelligence agency Федеральная служба безопасности Российской Федерации (ФСБ) – FSB to English-speakers – has made use of misinformation and agitprop since it was the FSK, and before that the KGB, and before that the MGB, and before that the NKVD, and before that the NKGB, and before that the Cheka, and before that the Okhrana. One could say that misinformation and agitprop have been hobbies of Russian intelligence agencies for about 130 years. What is new for this age are the avenues available to the FSB to spread its poison messages.

Before social media concerns, Russians wishing to whip up extremist political movements and create internal discord in Western democracies had to buy their own presses and pay for their own mouthpieces, which could be quite expensive. If one of those were unmasked, then the expensive operation would be compromised and that expense and effort would go to waste.

But with Facebook and Twitter and blogs, the FSB now has drastically reduced costs and much higher levels of cover. It’s Agitprop as a Service! Consider how easy it is to run multiple fake online accounts, compared to hiring multiple agents. These accounts generate interest and activity on social media, so they drive up ad rates – the firms that would be policing them in an authoritarian regime are protecting them in a capitalist system.

Even better for the FSB, the ability of extremist groups – particularly the far right – to sequester themselves from other news sources means that, once a message is injected into their media echo chambers, it will be repeated often enough so that, in the observation of Josef Goebbels, it will be held up as a truth. What shows up on RT.com will be tweeted and retweeted by FSB accounts active in far-right forums and will soon be heralded as non-fake news in outlets such as Fox, ZeroHedge, and Breitbart.

Back when ZeroHedge was more focused on the financial misdeeds of large banks in the wake of the Panic of 2008, I was an avid reader of stories posted there. But something changed over time, particularly in the run-up to the 2016 election in the USA. It went from examining financial issues as its primary focus and slid deep, really deep into pro-Trump positions with lots of posters on its boards echoing comments that could be classified as pro-Russian, anti-Semitic, racist, neo-fascist, and/or a combination of the previous.

The slide in bias was obvious to me. I’ve been a follower of non-corporate media since the 1980s, and I know the difference between an investigative journalism piece and a partisan propaganda paper. ZeroHedge had definitely lost a lot of the former and had gained a lot of the latter. As the onslaught of Russophilism, antisemitism, racism, and neofascism increased, I felt a need to get out of that news source and seek out alternatives. In so doing, I did a lot of searching. In those searches, I was stunned to see how many other outlets were parroting the sludge from ZeroHedge, like they were sheep from Animal Farm bleating out “four legs good, two legs better!”

From all this agitation in stirring up the far right, Russia knows it is destabilizing America. The heads of the FSB know that the American far right will prove Pushkin right at every turn: it will reject ten thousand truths in order to cling to the lie that justifies itself. This is how I know Judge Moore is highly likely to win the Senate election in Alabama. The Russian Twitter choir is singing his praises and millions of far-right users of social media are echoing those sentiments, actively and belligerently.

Judge Moore, of course, is a hand grenade being lobbed directly at the US Senate. The man has shown a pattern of serial sexual predation against minors. If he wasn’t running as a Republican for the Senate, he’d be the focus of a true crime show right now. Russian tweets and far right echoes claim falsely that his accusers have either forged evidence against him or recanted their claims. Those lies allow his supporters to push hard for his election. If Moore is elected, it will roil the Senate as many senators will demand that he not be seated and that Alabama send a different favorite son to the Capitol. Each house of Congress can do just that, accept or reject the people sent to it – and Moore is ripe for rejection.

If Moore is rejected, it will split the Republican party even deeper. The Republicans are already incapable of putting together a coherent legislative agenda. With a Moore rejection, it will be practically open war between the different halves of the Republican party.

If Moore is not rejected, it will split the Republican party even deeper, but in a different way. Instead of Moore’s supporters repeating Russian propaganda that they were robbed, it will be outraged moderates, unable to stomach being in the same political caucus as a sexual predator. Bear in mind that the stalking of multiple daughters of single women, all around the same age, all in roughly similar ways, is an actual pattern of sexual predation. We have documentation of this. We have multiple testimonies to this effect. This is a sexual predator that the Russians, through insecure social media, are helping to force down the GOP’s throat.

When we look back to what happened in Georgia and Estonia in the decade prior to 2016, we see exactly the same thing. We see the social media misinformation. We see the political manipulation of extremists. When we look at Ukraine after the USA toppled a pro-Russian government there, we even see Russia providing armed assistance to extremists there. That fact chills me, especially in light of how many on the far right hinted at taking up arms if Trump wasn’t elected in 2016.

I doubt if they actually would have taken up arms on their own, but if they were whipped up by their social media echo chamber and shipped a few thousand AK-15s, maybe they would cross over that tipping point. If that were to happen, I have no doubt that a US Army would crush that insurrection… and then spend decades dealing with low-level guerrilla warfare, all fueled by continued echoing of Russian lies in social media echo chambers.

While there is increasing agitation on the left in the form of the antifa movement, there just isn’t as much militancy in the American left, especially after the legacy of peaceful, antiwar protests. These are not minds that will have much fertile soil for violent rhetoric. They’re also more likely to turn out one of their own if he or she is found to have feet of clay. Witness their abandonment of big donors found to be serial sexual harassers. Witness their pressure on their own political caucus to resign from office, rather than persist in running for it or remaining in place.

No, the fertile ground is in the neofascist mind. The Russians make those pushes in Greece, in Germany, and in the USA. And while I find Steve Bannon to be more of an Austrofascist than a Nazi (the strong affinity for Catholicism is a dead giveaway for Austrofascists), I don’t think such fine details matter either to the Russians or to the minds the Russians poison every day with their lies.

So how do we solve this problem? The market won’t solve it. In fact, the free market will fan these flames because the business model of Twitter and other outlets is to spread misinformation if that means more ad revenue. But in a world of multiple email addresses, how do we limit a person to just one Twitter account? In a world of VPNs and Tor exit nodes, how do we keep too many FSB-driven accounts from affecting social media? When these fake accounts actually started out years ago with softer agendas, and have loads of historical content, how do we build an algorithm that can identify a friend from a foe? Or a friend from a foe yet to reveal itself?

Hamilton 68 (http://dashboard.securingdemocracy.org/) is a project that, instead of looking for the artillery shells of propaganda, seeks out the guns. While it does not claim to have discovered all sources of Russian disinformation on social media, it has found some significant signals amidst the noise. There’s some hope yet in the intel they are able to derive from extensive signals analysis. This is what any good intel agency does: read all the news to see where stories originated and how they are disseminated.

Right now, the Russian social media barrage is striving to elect Roy Moore to the US Senate. But, merely by getting the Republicans to cling to him like a piece of driftwood in a shipwreck, they’ve already demonstrated their control over that political faction. In the days and weeks to come, be certain that the Russians will continue to tug on that leash and the far right will follow every jerk and tug.

Insecure Social Media, Russians, and US Elections: Agitprop as a Service.

IT Network Managers: Give the Gift of Linux to Your Engineers

‘Tis the season and all that. I have a short holiday message to all the managers of Networks and Network Security: Give your engineers a Linux box this year, and they will have the merriest of Diwalis, Christmases, Hanukkahs, and/or other Winter holidays, as appropriate.

Give this Linux box permission to log on to your network devices, install scripting tools on it, and send your engineers links to websites where there are network configuration scripts for the downloading. They will be responsible and won’t run scripts without testing them first on a switch or three in the lab. But they’ll be ever so happy to have these tools!

The real struggle will be to ensure that the Linux scripting box is under proper management. Secure it so it can only be accessed via a jump host that’s used to access most everything else on your network. That’s easily done. An even bigger struggle may be to introduce a server that’s used almost exclusively by the network and network security teams. This means possible exception documents to file, meetings with the server and/or VM managers about patching and maintenance routines your teams will need to be aware of, and other managerial things of that sort.

After all, isn’t that why managers are called managers? They… manage… resources for the good of the firm. That Linux scripting host is a major IT resource, so get on out there and manage away until your charges have one!

There are many Linux distributions out there – ask your engineers which one they’d like if your firm hasn’t yet standardized on a distribution. Once the distribution issue is settled, be ready to fight battles to make sure your engineers have appropriate levels of access and that the Linux box itself has the access it needs to get its scripting job done.

And what a scripting job it *will* do! Multivendor-aware scripts! Version-aware scripts! Little or no expense on annual licensing! Happy engineers learning how to use scripts to do all their work faster and with fewer errors – and what errors do crop up, what do you want to wager they’ll be fixable via other scripts? I’d wager rather a lot, but it would be at low odds, because that’s how things are done, you know.

I’ve seen Linux scripting boxes do things that proprietary config management utilities have failed to deliver, and that’s a huge deal. Even if you already have a proprietary solution, this Linux scripting host is going to complement that proprietary solution and give you so much more flexibility. The business case is here, I just wrote it: copy and paste and modify as needed, that’s my $HOLIDAY gift to you, O Network Manager!

If you read this article on your own or if you got this forwarded to you by your direct reports, please make this holiday season one of the best your firm has ever seen. Take a look at the image below:

That’s what a network engineer looks like after he’s gotten the paperwork finished that authorizes a Linux scripting host for his team to use. He’s so happy now that he knows that the configurations on those switches and routers and firewalls and all kinds of gear are going to be standardized and, hence, more secure. Why, he could even write a script to parse for unauthorized changes… his joy knows no bounds.

Be that manager this year. Be the person forever remembered as the manager who gave the gift of Linux.
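The script to parse for unauthorized changes mentioned above could look like the following. This is an added example, not code from the original post: the IOS-style sample configurations, the `SENSITIVE` pattern list, and the function names are constructed assumptions, and fetching the running configuration from the device is left to whatever tooling the scripting host uses.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Lines that change on every save or export and carry no configuration meaning.
VOLATILE = re.compile(r"^(Building configuration|Current configuration|ntp clock-period)")

# Statements whose change deserves a closer look (assumed list; tune per site).
SENSITIVE = re.compile(
    r"\b(username|enable secret|snmp-server community|access-list|"
    r"access-group|aaa|transport input|ip http server|logging host)\b"
)


class Change(NamedTuple):
    kind: str        # "added" or "removed"
    context: str     # enclosing section(s), "" for a global statement
    line: str
    sensitive: bool


def parse(config: str) -> set[tuple[str, str]]:
    """Turn an indented config into a set of (enclosing sections, statement) pairs."""
    statements: set[tuple[str, str]] = set()
    stack: list[tuple[int, str]] = []   # (indent, statement) of the open sections
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!") or VOLATILE.match(text):
            continue                    # blank lines, comments, volatile noise
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()                 # leave sections that are now closed
        context = " / ".join(stmt for _, stmt in stack)
        statements.add((context, text))
        stack.append((indent, text))
    return statements


def drift(baseline: str, running: str) -> list[Change]:
    """Compare the approved baseline to the running config, sensitive changes first.

    The comparison ignores statement order, so a reordered ACL is not reported.
    """
    approved, actual = parse(baseline), parse(running)
    changes = [
        Change(kind, ctx, line, bool(SENSITIVE.search(f"{ctx} {line}")))
        for kind, pairs in (("removed", approved - actual), ("added", actual - approved))
        for ctx, line in pairs
    ]
    return sorted(changes, key=lambda c: (not c.sensitive, c.context, c.line, c.kind))


# Constructed sample data: an approved baseline and a later running config.
BASELINE = """\
Building configuration...
Current configuration : 1412 bytes
! Last configuration change at 09:12:44 UTC Mon Dec 4 2017 by netops
hostname lab-sw01
username netops privilege 15 secret 9 <redacted>
interface GigabitEthernet0/1
 description uplink
 ip access-group 110 in
line vty 0 4
 transport input ssh
ntp clock-period 17179869
"""

RUNNING = """\
Building configuration...
Current configuration : 1467 bytes
! Last configuration change at 23:58:01 UTC Sat Dec 9 2017 by unknown
hostname lab-sw01
username netops privilege 15 secret 9 <redacted>
username support privilege 15 secret 9 <redacted>
interface GigabitEthernet0/1
 description uplink to core
 ip access-group 110 in
line vty 0 4
 transport input telnet ssh
ntp clock-period 17180012
"""

if __name__ == "__main__":
    for change in drift(BASELINE, RUNNING):
        flag = "REVIEW" if change.sensitive else "info"
        where = change.context or "global"
        print(f"[{flag}] {change.kind:7} {where}: {change.line}")
```

Run from cron on the scripting host against each device's approved baseline, this surfaces the new privileged account and the re-enabled telnet ahead of the cosmetic description change.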

Invasive Species and Security

I just read an article about how invasive species are presenting severe threats to the wildlife in the national parks here in the USA. It’s not just a problem in the USA: regions around the world have to face the consequences of a more interconnected world when those connections bring in a non-native species that begins to take over the environment, destroying delicate ecosystems in the process.

Of course, my thoughts made a connection to IT security. So, I’m going to write about my thoughts. 🙂

What makes an invasive species so invasive and dominant is that it doesn’t have a natural predator in the new region, so it is able to reproduce and consume resources without limit, until the land can’t support them any more. But, at that point, they’re pretty much dominant in that region. If a natural predator of that species is brought in, it could wind up being invasive in and of itself, wiping out other species that were already threatened by that first invasive species.

In IT, we have systems that are created and maintained to provide a particular level of service with a particular level of security. We expect those systems to maintain equilibrium – employees are typically told not to bring in other devices and IT staff have to comply with standardized purchasing and acquisition processes to bring in new gear, typically chosen carefully to work well with all the other systems.

An invasive species in IT is something, be it a hardware platform, a website, or piece of software that allows employees or other users of IT resources to evade security, go around processes, or even to create systems of their own that exist outside IT standards.

Once introduced, there’s no stopping these invasive IT elements without some drastic measures. Consider a scenario in which a company wants to improve productivity by blocking YouTube and Facebook on both employee and guest networks. Mobile devices become an invasive species, as employees bring those in and use LTE networks to access the prohibited material. If an employer wants to stop those mobile devices, it’s looking at introducing discipline for their users – which would destroy morale – or introducing cell phone signal jammers – which will destroy morale and possibly violate local laws.

While I’m aware that many would want to argue with the wisdom of blocking YouTube and Facebook, we can all agree that employees deciding to start using resources outside of IT’s control on a regular basis is an eventual trouble spot. What if there is a way to access company data in the cloud via those mobile devices? Then it’s possible for the data, now on those mobiles, to be shared outside the purview of any DLP software that exists on the company-managed laptops and desktops. It’s easier for the employees to share data – properly or improperly – and they’ll keep doing it. Is there a way to shut down cloud access to just company-owned devices? If so, does that then put a negative impact on the flow of business, overall? Does this introduce another layer of complexity, and will this new scheme be stable? Scalable? All the other questions we ask about the viability of a solution? Certainly, it’s an additional cost – is it worth it to implement, or does the company just abandon the cloud or DLP solutions altogether?

Abandon DLP? I’m sure some of the readers of that phrase would react with shock, horror, and disappointment. But, if we think like an executive, we have to ask the question, “Why should I pay for something that’s not able to get me what I want?”

When I was a high school teacher, I saw these invasive IT species all the time. I confess even to participating in their spread. I was a user, then, not part of IT security, so I had other concerns on my mind – getting my job done, for example.

We all had to use software purchased by the school district to provide class information. The software allowed for teachers to post links to online resources, contact information, class calendars, notes, and a discussion board. The software was also difficult to use and constantly crashed. I posted the bare minimum of information, never updated it, and ran a discussion board on my personal website that had some solid uptime numbers, if I say so myself. My students used it constantly and pretty much didn’t even look at the district system. After the district canned that system after 2 years and got another similar one that didn’t allow for teachers to port over their content from one to the other, that’s when the rest of the faculty revolted and either did the bare minimum, used an outside resource, or both.

My school district also blocked YouTube and Facebook. In the days before mobile devices, students using school-provided PCs would go for proxy buster sites. As fast as the district security could block one of those sites, another one would be discovered and quickly utilized. When I wanted to show a documentary on YouTube to my classes, it was much easier to go the route of the proxy buster than to submit the link weeks in advance for an official review. I knew the documentary on economics didn’t have any objectionable material in it, so I just went around the proxy server, just like everyone else did.

When the district just blocked YouTube on district networks, that’s when I brought in my personal PC, joined it to the unscreened guest wireless network, and plugged that into my display projector. Other teachers used their district-issued laptops, but connected them to mobile hotspots, making for the dreaded bridging between the Internet and office networks.

All along, I wasn’t trying to do anything evil. I was just wanting to get my job done. Any end-user facing a choice between finishing work or security is going to choose finishing work, and that can mean the introduction of an “invasive species” that gets adopted by many other users, once word gets out about how it lets them do their work.

Not all invasive species in IT are themselves IT. How many times have those annual security trainings been foiled by lists of answers for the test at the end of the training? Given a choice between paying attention to the training or just clicking through it while getting real work done, nearly all employees are going to click through with the sound off and then go CBBADECCAE for the test at the end, just like the answer list tells them to do. Jumble up the questions? Not a problem, as the list of letters is annotated with notes like, “Question about mouse hovering – C”. Jumble the answers? “Question about mouse hovering – different link revealed.” Give them an honesty affirmation at the start? That gets clicked through, too, if the pressure is high enough to get stuff done.

So how can we deal with invasive species? All I can think of are proactive measures. Make sure that the only way to interact with the corporate network is with a corporate device, be it through NAC or VPN, or both. For situations where employers want to control online activities of employees, perhaps the solution lies with human resources and one-on-one meetings instead of proxy servers and firewalls. When employees complain about how lack of IT response isn’t letting them get their jobs done, listen to them and respond to their satisfaction. Once those complaints stop, it’s too late – they’ve found the invasive species and your security posture is likely compromised, with a high chance it’s a severe compromise.

There are reasons why nations highly dependent upon agriculture will fumigate your checked bags before you’re allowed to collect them. They don’t want any invasive species. We can’t fumigate our employees, so we instead have to be sure that security policies and practices don’t create a need for an employee to introduce an invasive IT species.

Understanding Security: The Spy

First of all, let’s take a look at an actual spy:

That’s John Walker, who was a US Navy Warrant Officer from 1967 to 1985. 1985 was when the FBI found out he had a second career passing cryptographic information to the USSR. And you know what they say about moonlighting without telling your employer…

And you know what, he looks like one of us! This is not James Bond, not Austin Powers, not Jack Ryan, not any of those guys. This is the AIX guru that sits two cubicle rows over. One of us.

The difference between Walker here and a security guy is only in what information is gathered and who it is passed on to. That’s what a spy does, after all. All that Hollywood stuff is just that – make believe for the movies.

If you want a real spy movie that shows the security side of things, watch a 36-minute US Army training film from 1969 about counterintelligence work. It’s set in West Berlin and goes through the steps of gathering intelligence and then using that intelligence to develop operational plans. https://www.youtube.com/watch?v=E3hAUTGm1D8

I watched that short film and it totally clicked with me. The heroes of the film are guys that look like me and my co-workers, doing things me and my co-workers can do. Namely, gathering information and following up on leads. To be sure, the baddies, like Walker up there, also look like me and my co-workers… after all, it’s the admins that outsiders want to turn to working for them, right? But I digress. Gather information, follow leads, document everything, that’s us.

An important note in the film is that an intelligence operation in which information is passed up to a superior is a successful operation. Think about that. We may think what we have discovered may require immediate action, but it’s not always our call to make. We inform the decision makers and leave it at that.

For what it’s worth, the film underlines the importance of gathering information in such a way as to not alert the target – this helps me to deal with the urge to act immediately. Now, there are routine checks that we do for compliance and such, and I’m sure clever attackers will learn to avoid those patterns, but when we run a check and find something out of the ordinary, we report on the details and then coordinate with other groups to see what kind of follow-up is needed.

In current terms, coordination with other groups often means coordinating data from different systems. Putting all the data together helps to build a complete picture of activity. Packet captures, DNS traces, all that fun stuff – assemble it to show the whole story as far as we can tell. That’s what counterintelligence agents do… and what we do in security.

It’s pretty easy to take old-school information and translate it into updated ideas, especially since the core best practices and procedures remain the same. There are plenty of other training films out there to watch where you get to see how any person, with proper training and expectations, can do security work. You don’t have to be James Bond and you’re not fighting Dr. No. Everyone involved is human.

Thanks to these old training films, when I hear the word “spy”, I don’t think of James Bond. I think of me.

My Musical Use Cases

My recommendations are mostly instrumental because I find vocals often interrupt my train of thought. Every now and then, though, there are words that act as spells in a way, and they help me to focus my mind on the task at hand.

So, my list:

For the Attack:

“Tune Down” by Chris Joss… this is a slow, methodical piece that I first saw on “Better Call Saul” as Mike Ehrmantraut set up surveillance of a target house. This is the kind of music that goes with cracking safes, passing information with sleight of hand, and other devious things. Chris Joss’ catalog has lots of songs in this category that really help me cook up plots and plans. In the same vein, I’d also recommend…

“Danger Musicians at Work” by Syd Dale… it sounds like an action theme from the 60s because it IS an action theme from the 60s! Syd Dale was one of a few composers who worked with the BBC to create stock programme music. You can find his work in compilations, along with other gems that make you sound like a cool spy or cunning criminal. Now, if you want something heavy, might I recommend…

“King of the Road” by Fu Manchu… the lead track from their Hell on Wheels album. It has a great beat, drives forward like a massive engine with very little soloing to distract you from its ultimate delivery. Stoner/desert rock is great in this regard, as it lets a body think as the music plays.

For the Defense:

“Hang Up Your Hang Ups” by Herbie Hancock… this is music for street cops in NYC in 1975. It’s music for tracking down and catching up with hustlers, jive turkeys, and crooks in general. You want the big funky horns to keep up your spirits and the driving guitar and percussion to keep you methodical and meticulous. You’re looking for clues, so you need the right tunes to get your head in the right space. Which reminds me of…

“Strong Arm of the Law” by Saxon… for the headbangers out there. You know you want to shout out to the red team, “STOP! GET OUT! We are the strong arm of the laaaaaaaaaw!” Yeah, bust those punks! Now, if you don’t want to go metal, there’s always…

“Relevee” by Delia Rodriguez and Gavin Russom… Very electronic, very trance, very good for moving through the matrix and busting Mr. Anderson. I swear, this song gives me the ability to connect to the network through my keyboard and I get gigabit speeds to my mind…

For Vendor-Induced Rage:

“Policia” by Sepultura… nothing like Brazilian punk-metal for getting your voice up, ready to tear into the salesweasel that sold you a product that is failing miserably as it falls far short of its marketing-fueled hype. Sepultura’s “Crucificados Pelo Sistema” is another great growler of a tune. Now, if you prefer something more industrial, might I show you to…

“Attak Reload” by KMFDM… yeah, this one’s angry… opens with “We’re gonna make you sorry / For every word you say” and goes from there. You may have to work with that vendor’s product, but it doesn’t mean you have to *like* it. If you need something softer than the above two, perhaps you might try…

“Chale Chalo” by AR Rahman, from the Lagaan soundtrack… this one is about channeling anger into victory. If you’ve ever seen Lagaan, you know exactly what I’m talking about. And if you haven’t seen Lagaan, you should. On the surface, it’s about a British officer that is trying to triple the tax on an Indian village, but it’s really about trying to cancel a contract with a vendor or risk having to break the budget on a professional services contract. Seriously, watch it that way if you can’t get into it with the standard plot.

For Building Systems:

“Master of the Universe” by Hawkwind… get the live version from the Space Ritual album and spin it on constant repeat. Like stoner/desert rock, Hawkwind’s pioneering space rock epic drives the mind forward with the music creating a space where the brain can work magic in summoning up demons to bend to your will. I find this music particularly helpful when creating and troubleshooting VPN issues, along with PKI work. If Lemmy’s bass playing isn’t your thing, then let’s listen to…

Goa Trance (multiple artists, tracks come and go, can’t recommend one track in particular)… Sparse instrumentation, constant beats, phased transitions, this is the dark chocolate of electronic music, and it’s stayed true to its core competency since it first emerged about 20 years ago. It’s also great stuff for taking on mountain roads, just sayin’. But if you want something analogue, there’s…

“Machine Ma Bwindea” by Ekambi Brilliant… You can find this guy along with some other great funk musicians on the Africa Seven page at Bandcamp. If you like this one, be sure to also check out Tala AM and Sookie, two other great African bands. This one’s a lyrical piece, but because I don’t speak a word of Congolese, they don’t distract me. And that chorus is just so fun to sing along with!

For that Plane Trip:

“Gimme a Sign” by Nigel Hall… heck, get the whole album and treat yourself to an authentic musician who knows how to interpret a song, whether or not he wrote it. You want something that has a good beat to it, so you can follow along in case you’re like me and can’t wear headphones for long periods of time and those plane noises get into the mix. If you don’t want funk, then there’s always…

“Jet Airliner” by Steve Miller… a good, familiar song is great on a plane because the mind already knows where to fill in the notes and tones that get blocked by plane sounds. And, hey, this one’s topical! I like it because it’s a song about being on the road and enduring those times when we can’t be exactly where we want to be. But if you want to be more adventurous than classic rock, how about…

“Kerosene Dreams” by Drive by Wire… my hat goes off to this Dutch foursome with a great female vocalist. It’s a band in the stoner/desert vein of music, so it also does well for other tasks. But if you think the bands these days can’t rock like they used to, then you need to head to Bandcamp and check out bands like Drive by Wire and their fellows. You’ll be pleasantly surprised.

When You Have to Write Reports or Documentation:

I like to every now and then start off with a random prison work song. In the Southern USA, prisoners were segregated by race and then made to go work at clearing land, breaking up rocks for a road, or other intensive manual labor. The black work groups would make up songs to work to. In the songs, they could vary the speed so as to help out workers that were having trouble keeping up with the initial pace of the song. Look a few up on YouTube and find your favorite for that hard task that you just have to do. I suggest “Hammer Ring” or “Grizzly Bear” as good starting points. Now, for the more conventional tunes…

“Deacon Blues” by Steely Dan… this band always helps my writing flow. I can put on just about any of their albums and get into a writing mood, but Aja and Gaucho do the best job. Writing is a contemplative thing for me, so I need something not so hard or intense as what I may have suggested previously. Which brings me to…

“Spaceman” by Journey… before Steve Perry was brought in, Journey was a great rock band that delivered some beautiful instrumental-heavy tunes on their first three albums. This one is from their third album, Next. If you think they sold out on Escape, you should go back to the albums without Perry for a much less commercial set of truly deep cuts. If you want an even deeper cut, then there’s…

“Joy” by John McLaughlin and Shakti… it’s a fast instrumental with John McLaughlin doing some amazing acoustic guitar work. You’ll have to listen to all 18:12 of it, but it’s an incredible piece that is well off the beaten path, musically speaking.

When You Have to Build a Slide Deck:

“Lost Highway” by Wo Fat… some heavy blues-metal from my home town of Dallas. While I have to think to do documentation, I have to argue with my “productivity suite” when I build a presentation deck. Friggin’ text boxes! Yeah, I need something that shouts and growls along with me as I suffer through marketing-mandated branded color schemes, and this tune is one of the best for it. The whole album is great, in case I slip and just let things keep playing. Speaking of anger management tunes, I also got…

“Fast Love” by Honeymoon Disease… Swedish bands have a way of always finding a pop sensibility to slip into whatever music they’re doing, and I love what Honeymoon Disease can do with 70s-vintage hard rock. Think Heart meets ABBA for a short visit and then heads over to Motorhead for drinks and that’s this band. Great for me against the machine. I’ll complete my trio of rebellion with…

“Sabbath Bloody Sabbath” by Black Sabbath… the riff at the beginning says it all and I’m ready to tackle the stupid image that pasted into my presentation all wrong.

After Dealing with Another Stupid User Trick:

“Fight the Power (Part 1 & 2)” by The Isley Brothers… the first line is, “Time is truly wasted…” and that’s how I feel after I get off a call where we spent hours going in circles because someone lied, didn’t know what they were doing, or simply refused to reboot the system. I had to turn off security protections “just for troubleshooting” and they didn’t do a damn thing to get that root cause… “Time is truly wasted… you got to fight the powers that be…”

“Volver Volver” by Vicente Fernandez… a song of love, lost love, and a burning desire to return, even though you know it only means pain and loss when you get back to your desire. That’s this mariachi epic, and it’s how I feel as I go back over and over to do the same troubleshooting on the same system that can’t be patched because of crappy production code. I know the Spanish, so it works for me. But if you need something in Russian, there’s…

“Вот и Все Дела! (Now That’s All!)” by Валерий Александрович Кипелов (Valery Kipelov)… a song of love, lost love, and good riddance. The chorus ends with lines that translate, “I’ll go to the left, you go to the right, that’s the end of it!” Great guitar solo from Сергей Константинович Маврин (Sergei Mavrin), formerly of Aria. Trust me, it’s worth putting the lyrics into Google Translate and singing along with them. By the end of the song, I’ve finished the documentation to close the case and that’s the end of it!

For Relaxation and General Unwinding:

“Every Picture Tells a Story” by Rod Stewart… a great song for exhaling, and the drum break after the first stanza is priceless. After that, it’s time for…

“Ooh La La” by The Faces… this track features Ron Wood on vocals, and even though they’re rough sounds, they’re perfectly suited to the song. You may have heard it in recent commercials or at the end of the Wes Anderson film, Rushmore. It’s another song for sitting back and closing your eyes for a short while. Then, we have…

“Fire and Water” by Free… so sue me, all the tracks from this section come from early 70s British rock, but they all are my go-tos for letting go. Paul Rodgers’ vocal and Paul Kossoff’s guitar work take me away and send me sailing. I like it. But, OK, if you want something different, I’ll stay in the same time period and give you something American…

“Post Toastee” by Tommy Bolin… it’s always the right time for this song. I never, ever skip over it when it comes up on my shuffle. It’s so fun and friendly and comfortable, I don’t want it to end, but I understand as it fades away. So, yes, include this one on the mellow playlist. If you need something from this century and *not* a rock song, then I’ll add in…

“Manbai” by Natacha Atlas… Atlas’ vocals are enrapturing on this very chill, liquid drum ‘n’ bass track, masterfully mixed by Nitin Sawhney from Transglobal Underground. So what if it’s in Arabic? It’s great for relaxing, and you said you wanted something different, didn’t you? 🙂

Security for All Sizes: How Big Are Your Vendors?

There are some amazing ideas out there in vendorland, but not all ideas are backed by the same kinds of companies. This impacts how those ideas, those vendor products, will fare in your environment.

Of course, I’m going to sort vendors into three size categories: small, medium, and large. How they intersect with customers that are small, medium, and large will also come into play. Here goes!

Small vendor, small customer: Small customers tend to also mean “small budgets”, so they’ll go with a small vendor if it looks like it can *almost* deliver the performance of a more expensive product from a bigger vendor. If it can match the big guy or beat it, even better. Price is king in the initial purchase decision. After that, there’s a good chance that the small company gets some excellent tech support – it’s likely that the entire development team is also taking turns fielding support calls. Now, there may be features that never get implemented and the product may never stretch to cover additional areas or integrate with other products, but in a best case, it’ll be a stout little mountain pony that gets the job done.

Small vendor, medium customer: Maybe someone heard good things about the small vendor and wanted to try it out in a bigger environment. Here, there’s an expectation that it will play well with other apps and systems. While the small customer may have re-done some things about its environment to accommodate its budget-friendly solution, the medium sized customer will not have that much flexibility, as it’s likely other systems are dependent upon things staying exactly as they are for them to function. If that vendor’s product can’t fit into the bigger environment, it’s out. There’s also the consideration of scalability. Is there a management dashboard for the product? Does it integrate with syslog? What are the upper limits of the vendor’s software and/or hardware? How many widgets are needed to make all this work, and will all those widgets work with each other?

Small vendor, large customer: Is this vendor on the list of approved vendors? If not, will it still be around after that process is completed? For the large customer, the vendor has to be something that looks to be capable of being around for the long run. Large customers don’t like having to buy a different solution in the middle of a system lifecycle because the vendor went out of business. Can the vendor provide follow-the-sun coverage? Can the vendor produce features that are required for specific customer environments? How big is that dev team, anyway? The product may be amazing and best in its class, but if it can’t scale its internal resources to meet the demands of the large customer, it’s not even a consideration as they choose products.

Medium vendor, small customer: This vendor may still be budget-friendly, but it’s unlikely that any special requests from the small company are going to be incorporated by the vendor unless other companies are asking for them. It’s also likely that the small company may have enough for the initial purchase, but might decide to not renew support until there’s a major outage – meaning that small company may be using an unpatched version of that gear because it is forced to accept the risk due to budget concerns.

Medium vendor, medium customer: The vendor is no longer small, but an up-and-coming firm that’s maybe ready for prime time. If so, maybe it “dropped its pants” in purchase negotiations in order to break into a larger tier of customers. Your firm, possibly with a handful of other firms, is commanding all the attention of this vendor – until it can land a larger customer. The good news is that it may very well answer all your questions about integration and interoperability. The bad news is that it may possibly be peaking out at this point and won’t be able to mature its product properly to keep up with your business.

Medium vendor, large customer: This can happen from time to time… and it’s usually to get leverage on a larger vendor during contract renewal negotiations. If it performs well enough to not only beat the big guys at their own game, but also well enough to justify a purchasing decision that can ruin the discounts the firm may be getting on other gear from that bigger vendor, then it’s a keeper. If that happens, the medium vendor may be poised to get a lot bigger, but it will also be pounded with requests from that large customer to develop features that take it beyond being a cool tool and into becoming an enterprise solution. This might break the medium vendor if it can’t keep up with the demands from its biggest customer – as those demands may well mean leaving behind the founders of the company and their culture.

Large vendor, small customer: What I said for the medium vendor/small customer applies here as well, with even more emphasis on the small customer’s lack of voice and likelihood of coasting along with unpatched gear. The big vendor always has a bigger customer, and that’s the one that’s going to dictate how development team hours are allocated.

Large vendor, medium customer: Nobody ever got fired for buying the large vendor, but they do cost a lot for support, don’t they? Is this where, in order to have the features and power of the large vendor’s gear, the medium company has to contemplate outsourcing to keep a handle on costs? It doesn’t matter if it was a small company that got big or a big company that stayed big – the costs will increase. At the same time, your firm may as well be a small firm as regards its ability to leverage new features. So, yes, it does everything you might need it to do now, but that may well be that.

Large vendor, large customer: Here’s where the large vendor meets its match in terms of demands for scalability and support and new features. The challenge to the large vendor is whether or not it’s able to move quickly enough to deliver to those demands. It’s a large firm, itself, and can’t move as quickly as it used to do. It’s also got so many customers that it’s inevitable that when it releases a new feature, it’s bound to break something, somewhere. Maybe that medium-sized vendor can deliver a solution that won’t break things for its largest customer, but there are no sure things if your firm is one of a vendor’s largest customers. Test carefully and upgrader beware…

So, just as most of you suspected, those great little apps you see in the tiny booths on the fringes of the security conferences may stay in those tiny booths or eventually vanish. It breaks my heart, but I’ve even seen some firms that had medium-sized booths fade from the scene. They might keep a small and dedicated group of customers, but they’re also victims of how those customers themselves might fade away. Once a company can rise above the churn of the violent waters where small and medium-sized companies swim, it risks becoming a dinosaur that can’t adapt itself to changing long-term trends. Just let someone who did IT from 20+ years ago get to talking about Banyan VINES, OS/2, Sun Microsystems, Digital, and Novell, and you’ll realize that no firm is so big that it can’t crumble away.

At least with the bigger companies, you have a better shot at getting a complete product lifecycle before they totally fade from the scene…

Getting Good Information About the Recent Pandemic

Is it safe to use ibuprofen to treat a fever? Is it safe to use marijuana during this outbreak? These are just some of the questions going around and we should all know how to find answers for them. There’s conflicting information from various sources, so we all have to learn how to hit multiple sources to see what’s going on. Right now, studies are going to be limited due to the recent nature of the outbreak. That being said, health professionals globally are going to share ideas with each other and some of that chatter may spill over into the media reports – and not all reporters know how to report science.

What we *do* know is that anything that stresses the lungs will leave a person more susceptible to damage from the SARS-CoV-2 virus, which causes COVID-19. Right there are two good keywords to use in searches. Everyone’s calling it “coronavirus” in the popular media, while scientific communities are using SARS-CoV-2 to identify the virus and COVID-19 to identify the disease. Using those keywords gives a better shot at getting quality results.

Next, when we see the site providing the information, examine the website itself to evaluate its accuracy of information. Local news stations, those are good for reporting things like what’s open and what’s closed and how many people locally are in the hospital, but not much more. National news outlets will have a higher degree of accuracy, but can still get a few things wrong. Websites with a strong political bias may be victim to Russian trolling – yes, the Russians are taking rumors and amplifying them on various websites that are much more political than they are scientific – so disregard those entirely as providers of scientific information. Entirely. Their information may actually prove harmful, which is why I say to disregard them entirely.

Websites affiliated with medical institutions, particularly medical research, will have the best quality information. Learn how to read their information carefully and patiently, as the more technical sites will use specialized terms and expressions to convey meanings. The specialized definitions themselves are not hard to learn – but they must be learned, so part of your reading of specialized articles will involve looking up words you don’t quite understand. Once you get the meanings, though, you’re able to better understand the next article.

As regards ibuprofen, the WHO has walked back an earlier statement cautioning against using that drug as a fever suppressant. That’s another thing to mind – conditions can change, so we need to be ready to change with them.

For marijuana use, the cautions concern its impact on the respiratory system and any activity that involves communal sharing of drugs or their delivery apparatus.

What about other questions? I just apply the above methodology to get the answers. In particular, I use those keywords SARS-CoV-2 and COVID-19 to deliver better results in my searches.