Van Halen: Hacker Guitarist

I’ve always been a big Van Halen fan. The music is, among other things, a remedy when my depression is running hot, especially during the winter darkness. The songs capture all the feelings of summer, giving my brain the necessary jolt to keep going through the cold.

Reflecting on that in the days since Edward Van Halen’s death, I’m reminded of something else I loved about the legendary guitarist: He reminds me of people I admire in the hacker community. Part of the hacker’s craft involves breaking technology to find and fix security weaknesses in software and hardware. Those hackers inspire me endlessly — one of the things I love so much about working in the security industry.

Just as they break things and develop innovative fixes on the fly, Eddie Van Halen was famous for destroying a lot of guitars and amps in his quest to turn the tones in his head into reality.

There is perhaps no better example than his Frankenstrat. He crafted the instrument using parts from Gibson and Fender guitars because he wanted to combine the sound of a classic Gibson guitar with the physical attributes and tremolo bar functionality of a Fender Stratocaster. 

Eddie Van Halen’s Frankenstrat on display.

He ripped a humbucker pickup from his Gibson, potted it in paraffin wax to reduce microphonic feedback and bolted it onto the guitar in the bridge position, at a slight angle to compensate for the different string spacing between the Fender bridge and Gibson pickup.

He removed both tone controls, wired the pickups in a simple circuit and placed a knob marked “Tone” on the volume-control pot. He then covered over the controls with a pick guard made from a vinyl record he cut up. 

He screwed a quarter into the body to stabilize the Floyd Rose tremolo system he used in place of the original Fender tremolo.

Closeup of the quarter screwed into the Frankenstrat.

One of my favorite stories is about how he hacksawed one of the horns off his Gibson SG so he could hit the high notes of the song “Dirty Movies” with his slide:

Eddie Van Halen's Gibson SG guitar with the right horn hacked off.

For a deeper dive into many of Van Halen’s guitar innovations, I highly recommend this Popular Mechanics article from a few years back, in which he describes a lot of what he was doing at the time. It includes a breakdown of some of his patents.

There’s been plenty of debate over the years about Van Halen: Did Eddie really invent some of the things he claimed to invent? Which was better, Roth-era or Hagar-era Van Halen? (I loved both.) I have lots of friends who love the band, and many who hate it.

I also suspect some of my security friends will beat me over the head for comparing what Eddie did to what they do. Fair enough. But I can’t help but see the parallels.

In a rotten year like 2020, where Van Halen’s death is just one more cherry on top of a shit sundae, getting lost in the music and tinkering that defined the man has been a welcome source of mental shore leave these last days.

We need constant reminders that there’s still joy in the world, and this gets the job done for me.

Thanks, Eddie.

An older Eddie Van Halen at a workbench working on a guitar. His Frankenstrat sits on the bench in the foreground.

3 Chilling Books to Help Us Face COVID-19

In my cybersecurity career, I’ve learned it’s best to prepare for any scenario, no matter how scary or improbable. The current pandemic is certainly the former and was considered the latter by many people even a few short weeks ago.

I’m no fan of needless alarm and believe fear is an inconsistent teacher. But to truly prepare for whatever may come, one must peer into uncomfortable truths. Then we can adapt and, from there, thrive.

Recently I’ve read three books that present stark, sobering scenarios and offer lessons to help us face down COVID-19.

The Great Influenza: The Story of the Deadliest Pandemic in History
by John M. Barry

This first book is all about the science and politics of a pandemic. Barry paints a terrifying picture of the 1918–1920 Spanish Flu pandemic. He digs into the history of medicine itself, explores the myriad ways governments and communities failed to take the proper steps to contain the contagion and, most importantly, explores the heroes and medical advancements that came about during and after the event.

I see us making a lot of the same mistakes amid COVID-19 — mixed messages from government officials, lack of preparedness and people who waited too long to take it seriously. But I also see us doing a lot of things better, particularly in the social distancing department.

Warnings: Finding Cassandras to Stop Catastrophes
by Richard A. Clarke and R.P. Eddy

Warnings covers pandemics and other potentially unthinkable events involving terrorism, AI run amok and cyber warfare.

As the authors write:

In Greek mythology Cassandra foresaw calamities, but was cursed by the gods to be ignored. Modern-day Cassandras clearly predicted the disasters of Katrina, Fukushima, the Great Recession, the rise of ISIS, and many more. Like the mythological Cassandra, they were ignored. There are others right now warning of impending disasters, but how do we know which warnings are likely to be right?

The book starts by outlining a method to separate the real Cassandras from tin-hat hyperbole. It then spotlights experts who, at the time the book was written, had warned of future disasters involving everything from artificial intelligence to bio-hacking and, yes, deadly contagions and crippling economic contractions.

None of the people in this book fit the crazy-alarmist criteria. All were highly experienced in their fields, with reputations for rational thinking. We ignore the Cassandras at our peril.

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age
by David E. Sanger

The Perfect Weapon covers cyber warfare, including the Stuxnet malware used to sabotage Iran’s nuclear program, North Korea’s attack against Sony over a Seth Rogen movie and Russia’s interference in the 2016 presidential election. It’s a favorite because I remember writing about these events as a journalist; now they’re part of an epic history.

Since Sanger writes for The New York Times, its review of the book is pretty self-serving. But having read the book, I find the review’s assessment matches what the book actually delivers:

The great value of The Perfect Weapon is less in its specific policy prescriptions than in its being the most comprehensive, readable source of information and insight about the policy quandaries that modern information technology and its destructive potential have spawned.

One thing I can tell you from my day job: Some of the bad guys outlined in this book are currently taking advantage of COVID-19 — targeting the VPNs, videoconferencing platforms like Zoom and messaging applications companies now rely on.

Business leaders can ground themselves in facts, and steer their companies accordingly, using the publicly available content my company has been producing on the subject.

Zoom: Security Problem or Social Lifeline?

One thing I’ve learned from a career in the information security industry is that any big global event has security implications — elections, hurricanes, earthquakes, matters of war and peace, you name it.

The dots that connect infosec to COVID-19 were apparent from the beginning. I saw the virus becoming the main preoccupation among attendees at the RSA Conference — the last in-person event I attended before all hell broke loose.

Since then, it’s been the main concern among clients my company serves. (It bears repeating that I’m grateful to be doing work that matters during this crisis.)

As we all hunker down and work from home, videoconferencing has become a front-and-center security challenge. Malicious hackers have set their sights on these platforms to cause disruption and steal our personal data.

Amid this, Zoom has become the poster child for the technology’s security holes. Zoom CEO Eric Yuan has addressed the problems — weak default meeting settings and vulnerabilities that enable such things as “Zoombombing,” when intruders hijack video calls and post hate speech and pornography.

“‘If we mess up again, it’s done,’ I thought a lot last night,” he told The Wall Street Journal.

There has been a rising chorus of security professionals warning people not to use Zoom, especially for business meetings. There are many other, more secure options for videoconferencing, they say. There’s some validity in that. I’ve also seen reports of similar security holes in other video platforms. That’s a vulnerability management issue corporate security teams must stay on top of.

But for the larger population, I don’t see Zoom going away, nor should it. Yuan is right — his company needs to get a handle on this. But there will never be 100 percent security. There never is with anything.

I also don’t believe the security challenges should diminish our gratitude for what has become a critical lifeline during the pandemic.

Personally, Zoom has allowed me to stay connected to friends, family and industry peers. Without it, I can’t say for certain that I’d be managing my emotions as well as I have. I’ve even made new connections that I’ll be learning from long after this crisis passes.

I suspect many of you could say the same.

My takeaway: Keep using Zoom. Just be mindful of the security risks and take the necessary precautions. Some people I collaborate with in my day job have offered some useful advice.

It’s also worth noting that some of the smartest security minds on Earth continue to use Zoom for things like virtual happy hours. If they still feel safe using it, so do I.

I’ll end with some perspective from my friend Dave Kennedy, founder of Binary Defense and TrustedSec, along with Amit Serper, VP of security strategy and principal security researcher at Cybereason, and Russ Handorf, Ph.D., principal threat intelligence hacker at White Ops.

Together they have written about concrete security steps all users can take. I recommend you read it all. As they note in the article:

The Internet, and especially infosec Twitter, is full of hot takes and attempts to generate sensational headlines and alarmist news items. It’s important to remember that “not all that glitters is gold.” Vulnerabilities exist in many programs and no piece of code is immune to such issues. Not every vulnerability or exposure is critical and creates an unmitigated or dangerous risk. Knowing what your threat is and applying careful thought to threat modeling is a crucial part of understanding the problem and determining its true effects.

4 Tips to Beat Fear and Anxiety at #RSAC2016

The first time I attended RSA in 2005, fear and anxiety threatened to consume me. I feared the flights, the crowds and the prospect of failing professionally.

Fast-forward to 2016: I’m a veteran infosec journalist who has been to too many conferences to count. I can’t say that I’m done with fear and anxiety, but I’ve brought it largely under control.

I’ve met a lot of people who suffer the same debilitating anxiety I used to experience over conferences, especially RSA. I’ve watched them worry endlessly over which evening events they needed to attend. I’ve seen them recoil at the waves of humanity wafting through the Moscone Center. I’ve seen them succumb to the temptation to drink every last drop of the free booze at vendor parties.

To some, this all sounds too dramatic. These are not life-or-death situations. But that’s the thing about fear and anxiety: They make situations look scarier than they really are.

This stuff isn’t specific to infosec, either. People go through this in any industry. But infosec is my industry, and I want to direct this at my peers.

Here are my tips for surviving RSAC 2016:

  • Vendor keynotes aren’t mandatory. For a new attendee, the keynote sessions can be big and scary. The crush of humanity crowding around waiting for entry can be overwhelming, especially on the morning of the first day. If you’re absolutely dying to hear what the opening keynotes are about, you gotta suck it up. But veteran attendees have learned that it’s rarely, if ever, worth it. Find some industry pals and go have a good chat over coffee instead.
  • Don’t let the exhibit floors get to you. People working the booths will hound you aggressively to see their slide deck or hear the pitch. If you’re not careful you could easily get sucked into things that aren’t going to help you. The loud displays can induce major headaches. Skip the Monday-night opening of the floor; it’s the loudest time to go. For the rest of the days, wait a couple hours after the opening before going in. Things are usually calmer by then.
  • You don’t have to venture out at night. There’s always a huge expectation that an attendee must go to all the vendor parties in the evenings. If the day has been too much and you need to be at full strength for the next day, there’s nothing wrong with retiring to your room for the evening.
  • Focus on the reason you’re here. Looking to forge a new business partnership? Or maybe you’re there for education? Then just focus on those things. The keynotes are chaotic, but a lot of good talks happen in smaller rooms throughout Moscone. If your number-one goal is to make a deal, collaborate on some research or strike a partnership with another entity, then focus on making those things happen and ditch the rest.

I know it’s easier to talk about how best to proceed than it is to do it. Nevertheless, I hope you find some of this helpful.

RSA 2015 Crowd Shot

Potential Positive of “CSI: Cyber” at RSA Conference 2016

The information security community is losing its collective mind because actors from the much-maligned CSI: Cyber TV series are on the keynote schedule for RSA Conference 2016. Dave Lewis, writing as @gattaca, captured the sentiment:

A lot of analysis has been devoted to RSA’s decision. I like the suggestion Violet Blue makes about how maybe, just maybe, RSA is playing a clever joke on us:

What if RSA’s ongoing keynote stew of disconnect and incompetence is part of something way more thoughtful and complex than we’re giving it credit for?

Jericho wonders in this post why anyone would be surprised, since, he believes, RSA has been a joke for years already:

It’s the party everyone shows up to, and the one you want to be at, to “be seen” and “catch up on the gossip”, even though you hate it. In our industry, it is the embodiment of reality T.V. in many ways. On the flip side, this conference hasn’t actually been relevant to our industry for a long time, where reality T.V. is sadly relevant in the worst ways.

He’s not wrong, though as I’ll note shortly, it’s not really as clear cut as that.

Crowd scene from RSA 2015

My thoughts:

  • There are many other keynoters. Though CSI: Cyber is getting all the attention, the agenda is crammed with a lot of people who practice infosec in real life, including Intel Security Group senior VP and general manager Christopher Young, Snort creator Martin Roesch and the annual Cryptographers’ Panel.
  • TV personalities have keynoted RSA before. And you didn’t see the kind of stink being raised today. To be fair, much of the ill sentiment is because CSI: Cyber sucks so badly, failing to portray our business accurately and fostering FUD (fear, uncertainty and doubt, for the uninitiated).
  • It’s always been what you make it, anyway. Jericho is right that people attend RSA to see and be seen, hating it all the while. But my personal experience has always been that you get what you put into it. I haven’t attended a keynote in five years. Most tend to be the same old vendors pitching the same old message wrapped in whatever that year’s buzz topic is. I get far more value from the conversations. Reconnecting with peers I haven’t seen in a while. Meeting new people I can learn from. That’s what matters to me. I also believe it’s healthy to be in an arena where you have to keep selling what you bring to the table, be it the technology your employer sells or a side project you care about.
  • It’s an opportunity. What if we used the CSI: Cyber appearance as an opportunity to put the feet of the show’s writers and actors to the fire? If we stand up and tell them why their show offends us, maybe the show’s stories start sucking less.

OK, probably not. But it was a nice thought.

I’m going to RSA because I’ve gotten much from it in the past. I also have a report to tell people about. My team worked hard on it and we believe it will provide value.

Cheer up, everyone. Have a song:

https://youtu.be/21ewvNVAYUw

4 Problems with Krypt3ia’s Krampus List

I like Scot “Krypt3ia” Terban. The security researcher has a crotchety communication method I enjoy, and I read his posts a lot. I especially enjoy when he goes after security vendors for FUD (fear, uncertainty and doubt).

So when he released his annual Krampus List — a naughty list for the security community — I read it and laughed a lot.

But as I read through it, I found some of it mean spirited. By the end I found myself in a familiar quandary: How could I laugh and be disgusted at the same time? My brain has always been a mass of contradictions, and this is just another example.

There’s a razor-thin line between good-natured jabs and outright venom. From my perspective, picking on Boris Sverdlick because he “took his third job in two years and moved his family across the country for the third time” was a good-natured ribbing. He has switched jobs a lot and there’s nothing wrong with that. You gotta go where your heart takes you. But when his adventures are chronicled on Facebook, his friends — myself included — like to pick on him, as good friends often do. He gives as good as he gets.

Picking on Kelly Lum (@aloria) for narcissistic drama and a lack of contributing to the community? That was pretty shitty. Sure, her posts can be dramatic, but the same can be said about most of us. Hell, my posts have been all about family deaths and unfinished family business all year. I’m sure some of you don’t like it, but that’s what has been on my mind and you’re welcome to unfriend me any time. Kelly has been open and honest about dealing with mental illness. She’s done her day job well despite all that and has set a good example for the rest of us. Whine all you want about her not contributing to the community. In my book, the example she sets is a big contribution.

But there are bigger problems with Scot’s list:

  • It’s made up of anonymous submissions. It’s easy to rip on someone when nobody knows who you are: You don’t have to back your comments up. You don’t have to worry about being attacked in kind. That’s awfully convenient — and cowardly.
  • People who make the comments almost certainly spread their own drama. The worst hypocrisy is the kind where the hypocrite doesn’t show their face.
  • People love to bitch about “a lack of contribution” to the security community. I find that odd, because if you’re doing your job well, you are contributing to the community.
  • Terban endorses all the comments. Though it’s made up of anonymous submissions, Terban collects them and distributes them, essentially endorsing the mudslinging. When a lot of people are criticized for talking shit and spreading drama, Terban is spraying bullets inside a glass house.

Infosec is hard. The people it attracts can be difficult to work with, myself included. Since we’re connected to each other by Facebook and Twitter, we’re exposed to each other’s personal drama. None of us are perfect. We all have different ways of contributing to the community, and what’s useless to one person is valuable to another.

Laugh all you like at the Krampus List. But if you don’t see some of yourself in there, you might be part of the problem.

Cyber Krampus Logo

These Squabbles Make Us Small

Some of you asked why I don’t write as much as I used to. Partial answer: My real job and a lot of family business leave me with less time and motivation to do so.

But there’s something else, and it’s had a bigger impact.

Mood music:

The squabbling on social media has gotten so childish that it’s not worth commenting on anymore. This is especially true in infosec.

My job used to be writing about the security community and its research. Now I’m part of the security community, working and writing alongside researchers. Instead of hearing and writing about the challenges of incident management and compliance, I’m living it. No complaints there; it’s what I wanted.

It’s made me realize that it’s more important to keep learning and doing the work than to opine about every instance where my peers get their underwear in a twist. People once used social media to build up the security community. Now they’re using it to tear vast segments of it down. I see more bickering about tactics and positions than discussion about how we can do better. You’re either right or you suck.

For example:

  • Someone says they don’t like getting hugs at conferences. The people that do like hugs take offense.
  • Someone makes an off-color joke. The ensuing conversation revolves around people’s triggers being set off. Then people with those triggers get pissed on for having triggers in the first place.
  • Someone takes a position that’s unpopular. A cabal of naysayers question that person’s right to exist.

Now people are denouncing the whole idea of a security community. They’re suggesting the industry and community are two different things. The community, they say, is a collection of cliques — the so-called cool kids and posers — whereas the industry is where all the grownups are.

Like most things in life, it’s hardly that simple.

The problem isn’t that people pine for the idea of a community. It’s that too many people lack understanding of what a community is.

Communities are a mix of people with different beliefs. They’re places where people can come together for the greater good while still arguing about smaller things. Real communities are not offense- or trigger-free zones.

Infosec isn’t unique, either. These communities exist in many professions, and people behave in them much the way they behave in the infosec community.

I could write a post suggesting people stop being so ridiculous. I could suggest some of us stop getting so offended about everything. And before this year, I probably would have.

Right now, though, I have more important things to do.

It’s not that I’m personally offended by it all. I just don’t have time for it anymore. The challenges we face are big, and the squabbles make us small.

Boxing glove hitting boxer's face

Schooled By a 14-Year-Old on Good (and Bad) Passwords

This is about an information security practitioner getting schooled by a 14-year-old about something as basic as an iPhone PIN.

Mood music:

https://youtu.be/Lj3bCXViNNM

Since I work in information security, family expects me to be THE expert. And sometimes I ask for trouble when I try to teach people a lesson — like grabbing phones and writing on the owners’ Facebook walls to demonstrate the value of having a security PIN on the phone.

One day my oldest son decided to give me a taste of my own medicine.

He had been watching me punch in my PIN for some time, and when the opportunity arose, he grabbed my phone, correctly entered the PIN and wrote on my Facebook wall.

“You should be ashamed of yourself,” my son said. “You’re Mr. Security in the family, but you let yourself get hacked by someone who can’t even drive a car.”

Fair enough.

The lesson: No matter how much experience you have in security, you’re still an easy target if you get lazy. In my case, I was lazy about regularly changing my PIN.

I don’t think he’ll guess what it is now. But I’ll change it again soon, just to be safe.

iPhone-passcode

This #BSidesLV 2015 Panel Captures How I Feel

While I was away on vacation last week, some of my good friends in the InfoSec community did this panel at BSidesLV 2015. They discussed the importance of doing over talking, and captured the problem of trash talking in the community more eloquently than I have up to this point. The problems they touched upon are some of the things I found in myself when I wrote this post about the “InfoSec Rock Star” complex.

Please watch the whole thing:

Thanks, friends.

t-shirt

Cut Mary Ann Davidson Some Slack

These last two days the infosec community has been consumed by a blog post Oracle CSO Mary Ann Davidson wrote. In that post she railed against security researchers who reverse-engineer Oracle’s code and nudge the database giant with their vulnerability findings. (Oracle removed the post, but The Wayback Machine captured it and it’s been distributed far and wide anyway.)

Mood music:

Davidson argued that Oracle does just fine finding and fixing its vulnerabilities, and that outsiders who butt in are violating end-user license agreements and infringing on the company’s sovereignty over its own code.

Having reported on Oracle vulnerabilities for years, I found her position flawed. I’ve seen time and again how researchers find flaws and Oracle leaves them unfixed, sometimes for years. That tells me the company doesn’t have a handle on its security problems. I also think it’s important that companies welcome the help of outside researchers. In the fight against the bad guys, companies can use all the help they can get. Google and Microsoft understand this, and their bug bounty programs enhance their overall security.

Oracle took the post down, saying it doesn’t accurately reflect the company’s view of customers. If you’re Davidson, that’s gotta sting. Her not responding to the criticism makes the situation worse. I suspect Oracle has muzzled her, and the company itself isn’t returning reporters’ calls. Not that the company has ever been good at returning calls. It was a closed-off culture when I was reporting on its security flaws a decade ago.

We can disagree with Davidson, but we should remain professional rather than stoop to childish taunts.

She forcefully argued her position, and the relationship between security researchers and tech companies is an important, ongoing topic. I’ve seen a lot of people criticizing her position respectfully, which is good. But I’ve also seen the usual vitriol-laced pile-on. Hundreds of people are ripping her to shreds, often doing so with the same amount of snark they criticized her for using in her post. With these debates people can get mean, and that’s too bad.

I’ve known Davidson for a long time. We haven’t always seen eye to eye, but she’s a good, intelligent person and I respect her a lot. It’s sad to see her character unnecessarily killed in an online, public execution.

I hope she gets through this. I suspect she will.

Finally, it’s worth noting that those of us who write are always going to get it wrong from time to time. I’ve had my share of stinkers. We’re all human and emotion does funny things to the brain. That’s what I’m trying to keep in mind during this latest infosec firestorm.

Disagreement is good. But when you remove kindness, it turns to poison.

MARY ANN DAVIDSON