Network Security Blog

The thoughts and ramblings of Martin Mckeay


Lucky Break

One of the things I do from time to time is throw out an open ended question on Twitter.  Sometimes I’m making a point, sometimes I just want to amuse myself, but mostly I’m honestly curious about what other people think. The answers almost always surprise me.

Yesterday afternoon, I asked a pair of related questions:

What piece of luck had the biggest effect on your career?

What did you have to do to be prepared to take advantage of that piece of luck?

Here’s a list of the responses I’ve received so far.  If you’re on the list and want to have your response removed, just let me know.  I figure if you said it on Twitter, you already think of your comment as public, but I’ve been wrong before.

I know and have met fewer than half the people who responded.  It’s always interesting to get a little insight into the backstory of your peers and the people around you.

—————–

apiary

Getting hired as a part time contract worker doing recruiting work for a security company. It was enough to get my foot in the door. I leveraged my previous customer support experience to get full time work, and went from there. I had to be prepared to learn everything.

Dan_Rowinski

This is a bit of the sadness and reality of the human condition. When I was a junior sports reporter on the Bruins beat in Boston, the senior reporter got pancreatic cancer at the beginning of the season. Thus, I was thrown into the job as the full time beat reporter …

It was an opportunity presented through the saddest of circumstances (he passed away less than a year later). But I had no choice but to take advantage of the situation by learning to become a fully fledged and competent sports reporter. Study day and night. Work on craft etc.

Wim Remes

Getting fired from my first job turned out to be the best thing that ever happened to my career. – Martin: I have had a similar experience.

Gisele Ellis

Finding a theater that would take an inexperienced teenager as a volunteer. Gave me a foothold to build a resume that got me into MIT. It took a lot of calls to find that role, but once I did, I did everything I could, never assuming I couldn’t because of age or gender.

Jody T

I worked retail back when you had to enter everything in by hand at the register and my 10-key speed was wicked fast. I switched to a lowly data entry job and was so quick I had extra time on my hands. I volunteered for anything/everything computer related. #hustle

chort Abolish ICE

Someone I knew from playing video games online was a director at a hot dot com and got me a job there. All I had to know was how email works. The rest is history.

SleepySecurityNinja

I boarded an airplane late (last one on). My seat had been taken by a mother/daughter pair, I didn’t make them move back. I sat in the middle seat, next to the director of consulting at my next job. My passion for IT and my hobby projects likely left a good enough impression.

Dustin Collins

Moving from the Midwest to Boston and getting a lucky break with my first job at Carbonite

Dan Sneddon

I once went above and beyond for a field office, in spite of the fact that I knew before they did that the field office was going to be shut down. The IT manager at the field office then offered me a sweet job at Apple when he became a manager there. It pays to be helpful.

Andy Ellis

Rescheduling my flight from Boston to LA off of September 11. – Martin:  This is one of the few responses I consider to be ‘pure luck’.  There’s a lot of backstory to this short tweet. 

Joseph Pierini – OG Twizzlebit

Helping out in a booth at a PCI Community Meeting and saying Yes/No/Please, I Changed My Mind Can I Still Take The Job?

ACotonio

Luck: Out-processing my last day in the #USAF, and headed to retire with a pension and nothing lined up (not for a lack of trying). Bumped into a friend I hadn’t seen in a while. Chatted, she asked for a resume. Her boss offered me a stellar job/salary on the phone that night.

Prep: During my service, I worked on multiple things to get ready. AAS and BS in Business, BS and MS in Infosec, 15 security certs, and years of pen testing/hacking exp. I wanted to be *ready*. Now that I’m settled in the perfect dream job, I’m chasing my DSc in Cyber 🙂

dandels

A near relative needed extra hands in his small company, and over time I became an important part of the dev team. My prior IT experience was just gaming and using the internet for years. The most important thing was being technically literate and good at googling problems.

ftobloke

A casual conversation with a fellow student on the first night of my 3 year part time Masters degree.

Nick Selby

Someone in a position of authority at the place I’ve wanted to work my whole life (but had never done anything about it) stumbled across a blog post I’d written about a problem he was having that very day. This led to the series of events that got me my job there. – Martin:  An early career interview with Nick was one of the things that got me thinking I could be more than just a system admin, though I didn’t take the job at the time.

/bin/bash/Allen -Baranov

Not sure if it was “luck” but at the consultancy that I worked at, the whole security team (three people) quit on one day and I was the only one with both networking and Unix experience. So I quickly became the “security expert”.

Spying pressure mounting worldwide

Martin in 2022: Originally posted in 2015, it’s scary how far we’ve come in the last seven years. I continue to be amazed at how we allow our governments to nibble away at our privacy every day.

It’s been an interesting ride ever since Edward Snowden came out with the revelations about NSA spying efforts two years ago.  There was a huge public outcry at first, both from the side that believes spying on your own citizens is an abuse of power and from the side that believes it is a vital tool in protecting them.  Both sides have been trying to sway public opinion, with varying degrees of success, but it’s the spy organizations that have been getting their way, as judges and lawmakers have mostly sided with them.  That’s slowly changing, and pressure is mounting on both sides of the argument.  It’s only a matter of time before the pressure finds an outlet, and it may be explosive when it does.

The first problem with challenging spying by US intelligence agencies was that the programs were so secret that most courts couldn’t get enough information about them to determine who had the right to sue for relief.  You can’t sue the US government unless you can show standing, that you were actually affected by the action, but you couldn’t prove you were one of the people spied upon if the information was too secret to be released even to the court.  So for nearly two years, that venue for combating governmental spying was stymied.  As of last week that has started to change: the US Court of Appeals for the Second Circuit in Manhattan ruled that Section 215 of the Patriot Act did not authorize bulk collection of phone records.  The ruling also granted the ACLU standing in the case, enabling further legal action, but stopped short of declaring the program unconstitutional.  In a move that probably surprised no one, multiple Senators and presidential wannabes immediately called for new laws to give the NSA and other agencies the power the court had just denied them.

Abroad, there’s also a lot of push back, not only against American spying but against the national agencies cooperating with American ones.  Germany’s Federal Intelligence Service (BND) had cooperated with the NSA for years, feeding it information directly from German telecoms and ISPs and enabling the NSA to track German citizens in ways the BND itself might not be able to.  This was mostly overlooked when it was revealed that the US was listening in on Angela Merkel’s phone calls, but recent disclosures and the NSA’s refusal to justify the information it was requesting have caused the BND to stop cooperating with the NSA and are creating quite an uproar in Germany.  Merkel’s political party has been under a lot of pressure because of what the BND was providing, and there have even been calls for the resignation of the German Interior Minister.

Those are the recent wins on the anti-spying front.  On the other side, advocates of spying continue to push in all sorts of ways, from demanding “golden keys” in encryption technologies to asking legislators for more power and the judiciary for less oversight.  Last week’s election in the UK has emboldened Home Secretary Theresa May to call for the reintroduction of the so-called “Snooper’s Charter”.  GCHQ already has significant powers at home and abroad, but the Draft Communications Data Bill would extend those powers considerably and reduce oversight of law enforcement agencies.  The good news is that even members of her own party are critical of the bill and may not back her call for further power.

Proponents of spying powers have a nearly religious faith in the government’s need for these powers and in its restraint in using them.  Theresa May seems to believe that any judicial oversight is too much and that the government can’t be restrained or the terrorists will win.  In the US, Supreme Court Justice Antonin Scalia has long held similar beliefs and has been very vocal about them.  After he publicly dismissed concerns about online privacy in 2009, a Fordham University law professor gave his class an assignment: using only publicly available information, build a dossier on Justice Scalia.  The resulting 15-page document, which included extensive details about his finances and his family, was sent to the Justice.  Rather than taking it as an example of what the NSA or any other agency has at its fingertips, and a warning of why that might be dangerous, Scalia blasted the professor and his students, questioning their ethics and judgment.  It seems it’s fine when an impersonal national agency does it, but not when a small group of students researches the Justice.

Adding to the pressure cooker, China and Russia have signed an agreement not to hack each other.  It’s probably more accurate to say they’ve agreed not to get caught at it, but it means their considerable resources will be at least partially turned away from each other and toward other projects.  Most people will identify the US as the primary target of the freed-up hackers, but there are plenty of other places they can put their efforts.  In a lot of ways it’s like two gangs agreeing not to horn in on each other’s territory while they deal with a third gang.  Add in Russia’s upcoming data localization laws and things get very interesting, very quickly.

“May you live in interesting times” certainly applies.  There’s pressure from all sides, some wanting to increase spying, some wanting to curb the capabilities of Western law enforcement and intelligence agencies.  Both sides have valid points, but it’s a trade-off between the security such spying might provide and the damage to civil liberties and personal freedom it causes.  There’s been almost no proof that mass surveillance by intelligence agencies makes us safer, but by the same token it’s hard to express clearly how it damages the lives of average citizens.  In many ways this will be one of the defining issues of the early 21st century and will shape the future of our society.  Do we defend our liberties, or do we give governments the power to protect us from ourselves?  Only time will tell.

Impostor Syndrome

Martin 2022: This is another post I wanted to keep, based on the feedback I’ve received from multiple individuals. “You are not alone.” has long been a message I felt was important to share. I hope this short essay continues to resonate with readers for a long time to come.

What am I doing here?  When are they going to realize I don’t know what I’m doing?  How long until they fire me for faking it?  I don’t belong with these people, they’ve actually done something, while nothing I’ve done is remarkable or interesting.  I’m not worthy of this role, of being with these people, of even working in this environment.  I’m making it up as I go along and nothing I could do would ever put me on the same level as the people around me.  How did I end up here?

I know I’m not the only one who has these thoughts.  It seems to be common in the security community and not uncommon in any group of successful people.  It’s called ‘impostor syndrome’ and it’s often discussed alongside the Dunning-Kruger effect, though it is closer to its inverse: the competent underestimating themselves rather than the unskilled overestimating themselves.  Basically it’s a form of cognitive dissonance where a successful person has a hard time acknowledging his or her success and overemphasizes the mistakes everyone makes on a daily basis.  To put it simply, it’s the thought we all have from time to time that “I’m not good enough”, writ large.

It’s not hard to feel this way sometimes.  In security, we create heroes and rock stars from within our community.  We look at the researchers who discover new vulnerabilities and put them on a stage to tell everyone how great their work is.  We venerate intelligence, we stand in awe of the technical brilliance of others and wish we could do what they do.  We all tend to wonder “Why can’t I be the one doing those things?”

It’s easy to feel like this, to feel you’re not worthy.  We know the mistakes we made getting to where we are.  We know how hard it was, how rocky the road has been, where the false starts and dead ends are and all the things we didn’t accomplish in getting to where we are.  When we look at other people we only see the end results and don’t see all the trials and tribulations they went through to get there.  So it’s all too common to believe they didn’t travel exactly the same road of mistakes and failure that we did, as if they don’t feel just as out of their depth as we do.

I don’t think there’s a cure for impostor syndrome, nor do I think there should be.  We have a lot of big egos in the security community and sometimes these feelings are the only thing keeping them from running amok.  The flip side of impostor syndrome, illusory superiority, the feeling that you have abilities that far outstrip what you actually have, is almost worse than thinking you’re an impostor.  And I’d rather feel a little inadequate while working to be better than feel I’m more skilled than I am and stop working to get better.

If you feel like an impostor in your role as a security professional, I can almost guarantee you’re not.  The feeling of inferiority is an indicator that you think you’re capable of more and want to be worthy of the faith and trust those around you have put into you.  You might be faking it on a daily basis, making things up as you go, but the secret is that almost all of us are doing the exact same thing.  It’s when you know exactly what you’re doing day in and day out that you have to be careful to fight complacency and beware of illusory superiority.  It’s better to think you’re not good enough and strive for more than to think you’ve made it and are the best you can be.

Mt. Gox Doxed

Martin 2022: How many people even remember Mt. Gox? Did we learn any lessons about digital currency from this? Nope, not really, though I’ve become even more cynical about most aspects of blockchain since then.

I’ve never owned a bitcoin, never mined one, and in fact never really talked to anyone who’s used them extensively.  I have kept half an eye on the larger bitcoin stories though, and the recent disclosures that bitcoin exchange Mt. Gox was the victim of hackers who emptied its vault, worth hundreds of millions of dollars (or pounds), have held my interest.  I know I’m not the only one who smelled something more than a little off about the whole story.  Apparently a hacker, or hackers, who also felt something wasn’t right on the mountain decided to do something about it: they doxed* Mt. Gox and its CEO, Mark Karpeles.

We don’t know yet whether the files the hackers exposed to the internet were legitimately taken from Mt. Gox and Mr. Karpeles, but this isn’t the only disclosure the company is potentially facing.  Another hacker has claimed to hold about 20 GB of information about the company, its users and plenty of interesting documents.  Between the two, if even a little of the data is valid, it spells a lot of trouble for Mt. Gox and its users.  If I were a prosecutor with any remote possibility of being involved in this case, I’d be collecting every piece of information and every disclosed file I could, with big plans for using them in court later.

In any case, I occasionally read articles saying the Mt. Gox experience shows bitcoin is an unusable and ultimately doomed currency because it is a digital-only medium and will therefore always be open to fraud and theft.  I laugh at those people.  Have they looked at our modern banking system and realized that the overwhelming majority of the money in the world now exists only as digital records somewhere, sometimes backed by hard copy, but generally not?  Yes, we’ve had more time to figure out how to secure the banking systems, but they’re still mostly digital.  And eventually someone will do to a bank what was done to Mt. Gox.

*Doxed:  to have your personal information discovered or stolen and published on the Internet.
