I like Seth Godin’s blog I recommend you check it out. He writes daily, so it can be overwhelming, but there are really some good nuggets in there. Today was about identifying the hard part of a project. I think that’s important, but you should start with the hard part whenever possible. Tackle the biggest, ugliest part you can find. Better to get it done up front that sinking a bunch of time and energy into the project only to learn that you’ll be blocked later down the road when you get to the hard part.

In trying to understand something we can often fall into a pattern of mapping the new thing to something we already know. This is a great way to get a foundation for understanding but it’s a shortcut and it’s important to dive into the details for better understanding and more excitement. When you generalize that loses all the interesting parts. Look for what’s exciting and new in new things to learn and resist the attraction to generalize and blur the subject.

Recently Jason Taylor and I started a new side project, ReThink Security. The purpose is to share the insights that we’ve built up over the past two decades in the security industry. During this time we’ve spoken to countless people in the security industry, help move teams of individuals forward in security maturity and worked with organizations ranging from the largest in the world to weeks-old startups looking to minimize security missteps.

Recently I’ve noticed that I prefer to receive updates from my favorite blogs in email. If you feel similarly I’ve signed up with Mailchimp to deliver my posts via email. Of course I’ll never share your information with anybody else, and if you unsubscribe Mailchimp will handle that quickly and thoroughly. If you’d like to sign up for the newsletter you can do that here on mailchimp If you prefer rss, that’s still available here at the rss link.

There are very few things in life that require an immediate response. I wrote earlier about how you can Triage Decisions to try to undersatand how much effort you should spend on each decision. I would add to that only to say that however long you think you should take, you can almost always take more time. You can take a moment to collect your thoughts, to calm your emotions, or to see something from a different perspective.

Not all decisions require the same amount of time to think through, but some high impact decisions warrant your time, energy, and effort to make valuable decisions. To help understand how much energy you should put into a decision think about the impact it will have and the ease in which you can change it. If the decision will have wide reaching impact and cannot be easily changed do not make the decision on the spot in real time.

There’s a fine line between bragging and letting people know what you’re doing. Many times in a work setting it is important to make a little more noise about yourself than you think you should. Letting people know what you’re up to, especially bosses and peers can help build respect, trust and ultimately help your professional progress. Tell people when you’re proud of something, ask for help when you stumble, share knowledge that you find interesting, communicate more.

Habits are important, but restarting is more important. You will forget to work out, fail at your diet, upset a friend or coworker, or make a million other mistakes. The quicker you get back up and restart the easier it will be. The longer you wait the more painful it will be to start again. Next time you skip a run start get back into the habit quickly. If you make a mistake, own up to it quickly and start work again.

There’s a mental difference between thinking that something can be maxed out versus being constantly improved and developed. If something can be maxed out there is an end. This end can become a goal, which can be helpful, but it can also be limiting. If you feel you have maxed something out in your life if can also be a source of ego. Targeting maxing something out can be dangerous and ultimately discouraging.

Recently I noticed an old pair of pants were a little tighter than I remembered them being. It was easy for me to jump to the conclusion that I either needed to accept my new form and buy new pants or I needed to adopt a better diet and focus on my exercise. It’s easier to eat junk food and skip the gym, it’s tough to make lifestyle changes, but for me that was what I had to choose to do.

I realized in my first part of Asking for Help that I didn’t put a fine enough point on some of the points I should have made when asking for help. Alerting falls into a greater category of communication. Alerting, or maybe we can call it “Struggle Signaling,” can help others know that, while you’re not yet ready to call it quits and ask for help, things aren’t going as smoothly as you’d like.

You have experienced what it feels like to be at your best. Those moments when you are focused and clear-headed. Maybe you were on a deadline, got into the flow of work, or truly loved what you were working on. Those moments are your high water marks. Understanding what is possible and cultivating those moments is a great way to help capture more moments like that. Next time you feel at your best take note of what is going on and how you got to that state.

There are many questions that you can ask yourself to help frame the person you want to grow into. These questions can be standard ones like “Where do you see yourself in 5 years” and “What’s important to you?” There’s a difference between who we want to be internally, and how we want others to perceive us. Who do you want to be? For the first question, think about who you want to be in your core.

I recently had the privilege of having Montana Von Fliss give me some pointers on a talk I delivered to a client. She was there in another capacity, but never one to let an opportunity for growth slip by, I grilled her on what I could do to improve my presentation style. Hook the audience with a story Start with “So there I was…” Then drop into the middle of the story

When asking for help I always try to think about whether the person who I am asking can answer my question off the top of their head or if it’s something that will require them to do a bunch of research into. If it’s off the top of their head, ask immediately. Better to get yourself unblocked sooner rather than later. If it’s the kind of thing that you can do your own research for or come to the table with your own potential solutions for that makes everything easier and faster.

(image source Demchak) ZD net posted an article that talks about China intercepting internet traffic to collect data, which sources data from research done by Demchak. I think it’s reasonable to say that all traffic is being hijacked and logged. Assume the internet is a public forum and corporations, nation states, and other attackers are collecting every bit of information that is available about you. At the top you have advertising agencies like Facebook and Google tracking what you look at on the internet, and the bottom you have these types of attacks which look at the traffic at a lower level.

By default iMovie doesn’t recognize AirPods as a recording device. This probably has to do with Bluetooth latency or quality, etc. but if you want to force iMovie into using the AirPods as an audio in device you can do it by creating a new Aggregate Device with the Audio Midi Setup Tool. First launch the Audio Midi Setup app, and click the + in the bottom left of the window.

Decisions will be made — by you, or for you. You can either take active participation in those decisions and decide the direction of your future actively or allow them to happen without your involvement or influence. Not all decisions matter enough to your happiness or wellbeing to warrant the time and analysis that making an active decision requires. However, big things like the direction of your career, the people you spend time with, your health, and other areas of your time and life can make a big difference.

In order to make creating and publishing quicker and easier I created a couple of little shell scripts to help me along my way. I have a hard time remembering all the little switches and commands to publish and I hate making little mistakes each time I try to do something quickly. The answer is simple, automate the monotony away! The first script new.sh creates a new post in the post directory.

In my industry I’ve found that you can be successful by committing to being a specialist or by committing not to specialize. People stumble, struggle, fail, or get burned out when they try to do both or can’t transition from one to another. As people become more senior in their careers they naturally take on more and more responsibility, this is a great way of increasing influence and capabilities. Focusing on one thing and trying to learn that one thing better than anybody else is what a new employee will do to be exceptional at their job.

I recently learned about a new Exactis data breach. No passwords were compromised, but much of the information that would be used in a social engineering or phishing campaign was collected by Exactis and lost in this breach. The data breach included 340 Million records, so it is also likely that your personal information may be lost. According to haveibeenpwned: The leak contained multiple terabytes of personal information spread across hundreds of separate fields including addresses, phone numbers, family structures and extensive profiling data.

I started down a little bit of a rabbit hole when I wanted to optimize and scale the images on my site. As you can see there are a lot rather large images on my site, which I like the look of. I just don’t like that some of them were greater than 5MB each! I started out by searching for a basic bulk image processing tool. I wanted something that wasn’t bloated, janky, or broken.

I’ve recently added basic Google Analytics tracking to this site. This is just to give me a sense of how many people are looking at my site and to understand what articles and topics are popular. I’ve disabled Demographic and Interest Reports and other enhanced tracking features which can be invasive. In order to do this analytics I’ve included a snippet of JavaScript on the site, which you can find in the header of every page.

Safety, Security, and Privacy Safety, Security, and Privacy continue to be merged together as IoT increases its reach into new devices. IoT devices are being develope with little security in mind, these devices continue to be attacked successfully. I attended a talk at ZonCon by (Senrio) in which their VP of Research outlined the many, many issues they’ve discovered in connected medical devices. Microsoft released Azure Sphere which aims to help their customers build more secure IoT devices with easy Azure connectedness and a standard Linux based platform.

Lots of lost certificates 23,000 HTTPS certificates axed after CEO emails private keys | Ars Technica The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec. It was sent to Jeremy Rowley, an executive vice president at DigiCert, a certificate authority that acquired Symantec’s certificate issuance business after Symantec was caught flouting binding industry rules, prompting Google to distrust Symantec certificates in its Chrome browser.

Spectre & Meltdown Wow, this is a terrifying vulnerability, which honestly means that we have to decide between an attacker being able to read all the memory on their server, or a 20-40% increase in CPU load. This has massive implications for shared computing like servers, the cloud and other technologies like Docker. A co-worker of mine, Mick, wrote a great blog post on this: https://blog.securityinnovation.com/spectre-meltdown-vulnerabilities-cutting-to-the-chase AI/ML I’m still thinking a lot about AI/ML.

It’s no secret that more and more companies are jumping on the Bug Bounty Program band wagon, and for good reason, there is a lot of value to be had there. However, rolling out a Bug Bounty Program (BBP) before you have done your own due diligence can often cause more problems than it solves. Bugcrowd, one of the largest bug bounty program service providers touts that within the first two weeks a typical company with a new BBP will see 5 critical vulnerabilities, 70 unique vulnerabilities and 200 total vulnerabilities.

The cloud brings scalability, reliability and security features that allow companies of all sizes to run their online business efficiently. These powerful capabilities often bring a false sense of a “security is already done” mentality and organizations are prone to take a more relaxed approach to their security efforts. Additionally, while many of the cloud platform features are “built-in”, that doesn’t mean they are optimized for your organization out of the box – they still be analyzed in the context of a larger security strategy and re-evaluated frequently.

Being a manager is difficult. It’s sometimes difficult to know what tasks you should do yourself and what you should give to your team. I’ve adopted the Delegate then do methodology for myself. Delegate everything you can to anybody on your team who can accomplish the task. Do this by default. Give your team the benefit of the doubt, and give them difficult tasks that they’ll have to rise to the occasion for.

I get asked sometimes how some people on my team can become a better programmer. I think it’s useful to think in terms of different evolutions of the programmer. In the beginning there’s a scripter or coder and at the highest level you have an architect. There is much, much more to go into here, but this is a rough framework to plot your skills over time. Use this to fill in your current skills and to identify key areas of improvement.

This diagram is an approximation of how I think about iterating toward a goal to increase my likelihood for success. There are a few concepts that I’ve packed into this diagram, so I’ll try to explain here. I’ve also recorded myself drawing this diagram roughly in order of operations on youtube. here. Step 1: Set a Clear Goal Defining a clear goal and understanding what “Success” looks like is the most important first step.

Don’t short circuit a lesson because you think you know what the take away is going to be. Too often we try to map other’s experiences or recommendations to our own and we miss out on new opportunities to grow or learn. Next time you hear somebody describing something they just learned don’t interrupt with by saying “oh, I know where you’re going” or “I know something similar” instead do two things:

It’s important to Scale your solution to the problem at hand vs. trying to scale the problem to your solution. By analogy a master photographer knows when to pull out her iPhone and take a quick snap, edit it in-app and upload it to Instagram and when it’s appropriate to break out the $5k camera body and $5k lens, and wait for the perfect opportunity and use Photoshop to edit the photo to perfection.

I recently got interested in Digital Currencies, such as Bitcoin and others and decided to start learning about what they were, why they’re interesting, and how to invest. There’s a lot to understand about cryptocurrencies or digital currencies (DCs), and I’m just getting started learning about it. But if you want to learn more a good place to start is https://www.cryptocoinsnews.com which is just a place to learn about what’s going on in the cryptocurrency world.

Sorry biweekly, you’ve just been ejected from my vocabulary. I hate to be esoteric in my language and use a word like fortnightly, but when your definition from Merriam Webster has two directly conflicting definitions I simply cannot use that word. Fortnightly it is! From Grammar Girl: Semi- always means “half.” You can remember the meaning by remembering that semisweet chocolate is only half sweet, and semiannual sales happen twice a year.

Viral Game Highlights Calls Attention to Timeless Security Debate I want to run into traffic, fall into a pond, catch Pokémon while my wife is in labor, and find a dead body; let’s check out this Pokémon Go thing! Pop quiz: Is this a valid login screen for Google Account services? This is the first screen I see when I click login with my Google Account from Pokémon Go. It’s concerning because it offers no clear indication this is a valid page, no way for me to verify that I’m sending my credentials to Google, no SSL/TLS lock, and no security controls – just a white page that looks pretty legit.

I was pretty disappointed after reading Mary Ann Davidson’s blog post discouraging customers from reverse engineering their software for any reason. As CSO of Oracle, one of the largest software providers in the world, I expected her thoughts on security researchers and responsible disclosure to be more enlightened. Instead I saw a glib response that echoed sentiment from the turn of the last century. The post has since been removed from Oracle’s official blog, which shows that while this may be their internal policy and thinking, the company understands it isn’t popular to hold such opinions.

We’ve been getting a lot of Ruby on Rails Penetration tests and code reviews at Security Innovaiton, and I’ve been writing a decent amount of it myself. In general it’s a great framework, but like any other framework there are a few little gotchas that could lead to a security vulnerability. A colleague of mine, Arvind, wrote a great blog post on the Security Innovaiton blog in which he outlined a few of these check that out here.

I’ve wanted a record player for years now, finally after listening to me hem and haw about it my wonderful wife, Katherine, bought me a fantastic player for my birthday. I’ve been scrambling to build a record collection ever since and it has been wonderful. I haven’t done a fully blind test, but I do enjoy the physicality and process of the record over simply selecting a song from a playlist or iTunes album.

I am staggered and truly impressed by what the team at Code.org has accomplished in such a short period of time. When Hadi Partovi started conversations in May of this year with Technically Learning to merge our organizations he had huge goals: to get Computer Science into every school, to teach every american student how to code, and to do all of this in months, not years. We were, understandably, a bit skeptical, but Hadi has the credentials, passion, vision, and resources to accomplish great things.

By now, you’ve probably heard that LinkedIn’s passwords have been allegedly compromised. I first heard about this from a Norwegian website earlier today. Here is what we know now: LinkedIn has not confirmed the leak and currently doesn’t understand how the hack could have happened, but there is a 271 MB file of alleged SHA-1 hashes floating around with LinkedIn’s name on it. The hash digests are unsalted SHA-1 hashes.