The Military Has Given Me a New Coping Tool

Through my work in the information security industry, I’ve come to appreciate a decision-making cycle created by military strategist and U.S. Air Force Colonel John Boyd called the OODA Loop (observe–orient–decide–act).

Mood Music:

It was designed as a combat operations process but has become more widely applied to commercial operations and learning processes. The basic idea is to use agility to overcome the raw power of opponents.

I’ve been fortunate in getting to know some super-smart people who use it for cyber security and, in the current environment, operations in a pandemic. The OODA Loop site, operated by OODA LLC founders Matt Devost and Bob Gourley, has become daily reading for me.

Lately, I’ve been taking this to the meta-personal level, trying to apply it to how I conduct myself daily and keep steady as a guy living in uncertain times with a mind sometimes hobbled by OCD, anxiety and depression.

I’m not sure if this is even a logical path. I’m hoping my friends in the OODA Loop realm will have comments about it after reading.

I’m using it against the raw power of the depressive and anxious effects of the current lockdown, which has fueled the potentially destructive side of my OCD and threatened to cripple me within the mental battlefield.

Observe: Since early January, I’ve kept a daily eye on the infection, recovery and death rates, as well as geographic spread. I’ve opted for emotionless data points from the likes of Worldometers. As the data has painted a picture of trajectory, my feelings have ranged from disbelief and denial to fear and uncertainty. Along with the useful data points are myriad articles that make predictions based on information that varies widely in levels of emotion and accuracy. This makes useful observation tricky.

Orient: By late February, as the data points showed a clearer picture of what by then was, to me, an inevitable pandemic, I started to work on adapting my brain to the idea that this would be a daily reality and that I’d have to keep being my best self as the world spiraled out of control. I doubled down on my exercise and food regimen, went from an originally planned 60-pound weight loss to 75 pounds (just about there now), and started to shift my daily research efforts to anything that would help clients stay running amid lockdowns and mass working from home (WFH).

Decide: About two days before my company moved to full WFH mode, I decided to quarantine from the office, at least. I had been to the RSA Conference in San Francisco a couple weeks before and news had just arrived that a couple attendees had contracted the virus, one of whom was gravely ill (he has since recovered, thank God). I was just shy of the two-week mark of returning home but didn’t want to chance becoming a risk to co-workers. In doing so, I was making a choice to hunker down for the long haul.

Act: Since then, I’ve done my damndest to stay healthy physically and mentally. I walk each morning and take afternoon drives. I’ve strived to do my job in the best ways possible, focusing on clear, step-by-step guidance to help clients protect the platforms and tools they currently rely on as everyone works from home — VPNs, videoconferencing, messaging — and I’ve used this blog to help keep the public discourse rational and hopeful while making note of coping mechanisms for those predisposed to mental disorders. I’ve stayed connected to friends through Zoom “happy hours.” I wear a mask and gloves when I have to go out.

When the constraints of being homebound make my temper boil over (I’m ashamed to admit I yelled and angrily slammed my iPhone down one night because a restaurant left something out of our takeout order — not my finest hour when dealing with a trivial, first-world problem) I’ve sought ways to release the pressure.

I’ve always favored hard rock music but in recent weeks my choices have veered to the heaviest end of the spectrum — including battle music from different TV shows and films. Today’s mood music is one example.

And I’ve found a simple, fun way to grind out feelings of angst. Erin got me a manual coffee bean grinder for Easter and I’ve found it’s good, aggressive fun to pace around the house while grinding beans.

I guess we’re never too old to learn new coping mechanisms, especially when sanity depends upon it.

Though I’m not at all certain I’m using the OODA Loop as intended, it has at least given me another way to keep fighting. I’m grateful.

Zoom: Security Problem or Social Lifeline?

One thing I’ve learned from a career in the information security industry is that any big global event has security implications — elections, hurricanes, earthquakes, matters of war and peace, you name it.

The dots that connect infosec to COVID-19 were apparent from the beginning. I saw the virus becoming the main preoccupation among attendees at the RSA Conference — the last in-person event I attended before all hell broke loose.

Since then, it’s been the main concern among clients my company serves. (It bears repeating that I’m grateful to be doing work that matters during this crisis.)

As we all hunker down and work from home, videoconferencing has become a front-and-center security challenge. Malicious hackers have set their sights on these platforms to cause disruption and steal our personal data.

Amid this, Zoom has become the poster child for the technology’s security holes. Zoom CEO Eric Yuan has addressed the problems — vulnerabilities that enable such things as “Zoombombing,” when intruders hijack video calls and post hate speech and pornography.

“‘If we mess up again, it’s done,’ I thought a lot last night,” he told The Wall Street Journal.

There has been a rising chorus of security professionals warning people not to use Zoom, especially for business meetings. There are many other, more secure options for videoconferencing, they say. There’s some validity in that. I’ve also seen reports of similar security holes in other video platforms. That’s a vulnerability management issue corporate security teams must stay on top of.

But for the larger population, I don’t see Zoom going away, nor should it. Yuan is right — his company needs to get a handle on this. But there will never be 100 percent security. There never is with anything.

I also don’t believe the security challenges should diminish our gratitude for what has become a critical lifeline during the pandemic.

Personally, Zoom has allowed me to stay connected to friends, family and industry peers. Without it, I can’t say for certain that I’d be managing my emotions as well as I have. I’ve even made new connections that I’ll be learning from long after this crisis passes.

I suspect many of you could say the same.

My takeaway: Keep using Zoom. Just be mindful of the security risks and take the necessary precautions. Some people I collaborate with in my day job have offered some useful advice.

It’s also worth noting that some of the smartest security minds on Earth continue to use Zoom for things like virtual happy hours. If they still feel safe using it, so do I.

I’ll end with some perspective from my friend Dave Kennedy, founder of Binary Defense and TrustedSec, along with Amit Serper, VP of security strategy and principal security researcher at Cybereason, and Russ Handorf, Ph.D., principal threat intelligence hacker at White Ops.

Together they have written about concrete security steps all users can take. I recommend you read it all. As they note in the article:

The Internet, and especially infosec Twitter, is full of hot takes and attempts to generate sensational headlines and alarmist news items. It’s important to remember that “not all that glitters is gold”. Vulnerabilities exist in many programs and no piece of code is immune to such issues. Not every vulnerability or exposure is critical and creates an unmitigated or dangerous risk. Knowing what your threat is and applying careful thought to threat modeling is a crucial part of understanding the problem and determining its true effects.

COVID-19 Gratitude 3: Seeing My InfoSec Friends Fight the Bad Guys

The pandemic has kept me and a lot of friends in the information security industry busy, as attackers try to cash in on the hysteria over COVID-19. Watching friends in the industry come together to do their part has been a powerful shot in the arm for me.

We are truly in this together.

Mood Music:

A couple quick examples.

The COVID-19 CTI League, for cyber threat intelligence. This group spans more than 40 countries and includes professionals in senior positions at such major companies as Microsoft and Amazon:

One of four initial managers of the effort, Marc Rogers, said the top priority would be working to combat hacks against medical facilities and other frontline responders to the pandemic. It is already working on hacks of health organizations.

Also key is the defense of communication networks and services that have become essential as more people work from home, said Rogers, head of security at the long-running hacking conference Def Con and a vice president at security company Okta Inc.

—Joseph Menn, writing for Reuters

Cyber Volunteers 19 (CV19). This group formed specifically to target threats to healthcare facilities:

Cybercriminals are doing all they can to exploit the fear and confusion that the COVID-19 pandemic has brought with it. This exploitation does not stop at the hospital, medical facility, or healthcare service entrance. Staying on top of their cybersecurity game might not be the highest priority within those organizations right now, but it is nonetheless vital. It only takes one successful ransomware attack to have a life and death impact on patient care potentially….

One newly formed group of information security professionals, including company CISOs, penetration testers, security researchers, and more, have vowed to do all they can to help provide cybersecurity support to healthcare services across the U.K. and Europe.

—Davey Winder, writing for Forbes

These efforts are additional examples of how the current crisis has brought out the best in humanity.

When my spirits dim and waves of anxiety wash over me in these difficult days, seeing things like this give me the strength to keep showing up.

Rock on, friends.

Thought I Was a Security Rockstar. Was Just Stupid

In pretty much every industry of late, people of great talent, drive and achievement are being labeled rock stars. I certainly see it as I work in the information security industry.

Those who get the label tend to deserve it. But there’s a dangerous side-effect: The term rock star can bloat the egos of those it’s bestowed upon. It leads to big heads and bad attitudes. I’ve watched many handle it with humble grace. And I’ve watched a few fall into the trap.

Exhibit A: me.

Mood music:

As a security journalist who posted new content almost daily, I got a lot of praise and, yes, some called me a rock star. This snowballed when I started The OCD Diaries.

I found myself on more than one “security influencers to follow” list. People kept praising me for my supposed raw honesty. So I did what any good addict does: I drank it up, tied all my self worth into it and started to believe it all.

Don’t get me wrong. I think I’ve accomplished a lot of good stuff, and I’ve certainly been lucky in my career. But a rock star? Looking back on it now, I don’t think so.

I believed it when people told me, though. My head grew larger, while my brain went stale. I stopped trying. I truly believed I could pull off anything with little effort.

Of course, the real world doesn’t work that way.

I eventually found myself growing snobby, moldy and stagnant. Somewhere along the way as I bought into my own hype, I started to fail.

I lapsed into old habits. I began dialing in my work. The praise became chains, weighing me down like Scrooge’s old business partner in A Christmas Carol.

Sometime last fall, I went from being a rock star to the office jerk. It left me off balance and in a depression that deepened over the winter. I started to worry about being found out as an impostor. Worse, I found myself losing my usefulness.

Since then, I’ve been working hard to return to my roots. I feel like I’m starting to make real progress, but I still have a ways to go.

As for those in my industry who remain honest and humble, I aspire to be more like them. And I don’t fault those who are kind enough to put the rock star mantle on others. I simply see them as lessons for all of us:

  • Never stop working your asses off.
  • Never stop seeking truth.
  • Don’t be like me — not too much, anyway.


Why I’m Not Enjoying the Ashley Madison Hack

Because I have a happy marriage and am not the cheating type, I thought I’d enjoy the fallout over the Ashley Madison hack, in which millions of people using the adultery site were outed. One of the outed individuals was reality TV star Josh Duggar, a self-proclaimed devout Christian who preaches the virtues of family values. Everyone likes to see hypocrites fall, right?

Mood music:

https://youtu.be/OZZ9bm_qe9w

I spent a lot of time pondering what I could write in my information security blogs. I could have harped about all the old lessons people failed to learn about how to behave in cyberspace. In the case of Ashley Madison, the lesson is that there’s no such thing as true privacy, that if you use sites like this, a determined hacker will figure out how to break in and expose you.

Then I started to feel dirty about it all.

I had been feeling morally superior to all the apparent cheaters. Once I realized where my head was going, it freaked me out a little and I felt ashamed. Why? Because I’ve done a lot of dumb things in my life, too.

Go through this blog and you’ll find plenty of examples. I’ve lied to my wife. I’ve talked crap about others behind their backs. I’ve done a lot of selfish things and hurt people along the way. I’ve been guilty of thinking I’m better than others.

With these truths in mind, I found it hard to share in the online feeding frenzy.

The Ashley Madison story is replete with casualties. Significant others are learning that they were cheated on, and site users now have to deal with their demons in a very public way. I’m not going to tell people how they should think about this story. I only know how I feel.

Ashley Madison’s slogan is “Life is short. Have an affair.” Life is short. I want to learn some things and be a better person along the way. Not engaging in hypocrisy is a step in the journey.

Ashley Madison Home Page

It’s Not What You Do for a Living, It’s How You Carry It Forward

Every job, no matter how lowly it seems, is an opportunity to learn something that’ll come in handy later in life.

The other day I was helping someone who wants to pursue a career in information security. He wasn’t sure if he should list some of his past jobs in his profiles because they don’t have anything to do with his preferred industry. I urged him to include everything.

Mood music:

He’s currently a barista at Starbucks. While it’s not an infosec job, it requires people skills, customer service prowess and an ability to juggle multiple tasks at once — all important qualities for anyone who wants to thrive in the security world.

Most jobs have something you can carry forward.

I learned about customer service working in a record store. I hated working in my father’s warehouse as a teenager, but it taught me a lot about how shipping and distribution works. Working for weekly newspapers had a lot of drawbacks. The pay sucked — really sucked — and I worked 80 hours a week. But I learned a lot about how government and politics work from all the meetings I covered and a lot about the court system from all the arraignments I was sent to. I also learned how to write a lot of stories quickly.

Had I not worked those jobs, I would not have had the success I’ve had in infosec. I wouldn’t be able to make sense of all the threat data I’m constantly writing about. I wouldn’t be able to juggle writing reports, threat advisories and blog posts. And I wouldn’t have been able to build the industry network I have today.

It was all worth it, even if it all seemed like thankless drudgery at the time.

So if you’re in a job you don’t think is a good fit, by all means strive toward something else. But don’t ignore the tools you can collect along the way.

Milton Stephen Root in Office Space

On Skipping Security Cons

On Twitter last month, friend and fellow infosec professional Marcus Carey suggested industry peers place too much importance on conferences:

One can take the tweet several ways.

Mood music:
https://youtu.be/gWWWBvxEXZM

Some might say he’s criticizing conference organizers for roping in people who spend all their time speaking at and attending conferences and too little time in their organizations working on the daily challenges the bad guys throw in front of us.

Others might say he’s picking on people who attend a lot of conferences simply to be seen. I don’t think he is, especially since every time I’ve seen him in person, it’s been at a security conference. The conferences I attend have a lot of repeat speakers who I’ll never get tired of listening to, such as security pioneer Dan Geer. (Watch him speak at Black Hat 2014.) Other famous speakers have done a lot of important work over time but have become less relevant lately. I won’t name names here, but yeah, I’m tired of seeing them as keynoters.

The debate over security conferences will go on into infinity. Carey’s soul searching sparked something within me, though, and it’s unlikely it has much to do with his intent.

I love security conferences. I love traveling around the world to attend them. I’ve made countless connections that have taught me many lessons in how this industry ticks. It wouldn’t be a stretch to say my conference attendance led to my current job.

But I have to admit that as the years have gone on, I’ve become almost obsessive about getting to conferences. To skip them is to be invisible and irrelevant. To stay away is to no longer be respected.

That’s how my mind presents it, anyway.

In an earlier post I called it the security rock star mentality — the notion that you had to be seen to be relevant and that by getting around a lot, I thought I was somehow better than I really was.

Early on, as a journalist, I had to attend as many conferences as possible to generate content and feed the needs of a daily news machine. In my current role, the mission is more about promoting what my company does and collecting research I can bring back to base for future use.

My current job also involves less frequent travel. Some of that is because I can easily communicate face-to-face with colleagues around the world through Skype and other video-conferencing programs.

But I’m also traveling less because there’s a lot going on in my family right now. My kids have a lot of activities I want to be there for. My father has been in hospice and I’m trying to get in all the time with him as I can. And so it goes.

I’ve noticed something since grounding myself, however: My absence at security conferences hasn’t hurt my career or workmanship. Not one bit.

The people I like to see at conferences are all available to me on Twitter, Facebook, and increasingly on Skype. Most talks are recorded and end up on YouTube within hours of being delivered. And most importantly, less travel has meant more time immersed in my company’s research. I’m working with some of the best researchers in the industry, learning more from them than I’d learn from a hundred conference keynotes.

I’m not retreating from the conference scene forever. I still get too much value from events like DEF CON, Black Hat, RSA, ShmooCon and BSides to completely stay away. I expect to travel more frequently next year.

In the meantime, I’m staying home, being around more for my family and constantly working to improve my craft.

RSA 2015 Crowd Shot

Vincent Bugliosi Inspired My Work in Journalism, InfoSec

Vincent Bugliosi, the man who prosecuted Charles Manson and his family and then detailed the case in his book Helter Skelter, has died at age 80. Indirectly, I owe some of my career trajectory to him.

Mood music: 

https://youtu.be/0rC3l3niTaE

I’ve chronicled my interest in the Manson case at length in this blog. Those posts capture the mental health issues that led to the crimes, as well as my own OCD-fueled obsession with the case. But Bugliosi’s influence on me is rooted in his best-selling book. I never met the man, though I’ve read Helter Skelter too many times to count and have even visited the scenes of the Tate-LaBianca murders. Those who haven’t read it assume the book is all blood and gore.

Far from it.

Read my Manson-related posts in this anthology.

Yes, Bugliosi describes the murder scenes in chilling detail. But the book is mostly about him building the case against Manson and his followers. There’s a lot of rich detail about police and detectives clumsily tainting the crime scenes and working against each other to feed their egos, missing important clues that could have solved the case sooner.

He pieces together the gathering of evidence, the rounding up of witnesses and his uphill battle to convince the jury of the bizarre Helter Skelter motive. Along the way, there’s the endless display of disruptive tactics from defense attorneys and the occasional roadblocks tossed in by the judges, especially the one who presided over the separate trial for Charles “Tex” Watson, Manson’s lead killer.

The book has lessons on just about everything journalists need to know:

  • Police and detective work
  • Politics
  • Court procedure
  • Forensics
  • The importance of thorough research and investigation

I used to push the book on reporters when I was a newspaper editor, especially those covering the cops and courts. It fueled my passion for news gathering and had more than a little to do with my pursuing a writing career.

Even now, as someone working in the information security industry, I get a lot of use from the book. If you look closely at Bugliosi’s gathering of forensics and tireless research into what made the bad guys tick, you see many traits of a good security researcher.

I’m forever grateful to Bugliosi for inspiring me down this path. May he rest in peace.

Vincent Bugliosi On CSpan

The Drama Over Drama

Recently, someone in the security community opined that she’s not a fan of hugs at security conferences. The pro-huggers didn’t like her comment and used social media to say so.

Also recently, the folks running RSA Conference decided to ban so-called “booth babes.” That led to a very long debate about sexism vs. freedom of expression.

Mood music:

In both cases, someone in the crowd yelled a word that’s been used so much that its true meaning has been all but forgotten:

Drama.

Personally, I don’t see any of this as drama. I see it as mostly intelligent people discussing very real cultural matters. They’re not specific to infosec, but since that’s our industry, it’s where the discussion is focused. I see absolutely nothing wrong with it. A lot of good dialogue came out of the so-called “hug-gate.”

The word drama is almost always used these days to describe something people don’t want to discuss. It’s a one-word arsenal meant to shoot down anyone you disagree with. I get shot at a lot. And I’m perfectly fine with it.

What is real drama? Let’s consult the dictionary, in this case the Merriam-Webster Dictionary’s Collegiate: “a piece of writing that tells a story and is performed on a stage”; “a play, movie, television show, or radio show that is about a serious subject and is not meant to make the audience laugh”; or “the art or activity of performing a role in a play, show, etc.”

The stuff being discussed of late is real life. We’re not on a stage, acting in a play. It doesn’t start that way, at least. Often in these discussion threads, the trolls make comments meant to get a reaction out of people. That’s when we go from discussion to drama. And those who start it are usually the very people who decry something as drama in the first place. The Facebook thread on booth babes is a perfect example.

I love you people. I’m proud to be in the same industry with you. But if you don’t like a topic, maybe you should just ignore it instead of sticking around to make trouble. You’re free to do what you want, of course. But don’t think for a second that these issues will go away because you said something snarky.

In fact, your snark simply ensures that the discussion will continue and that it will become drama where none previously existed.

Captain Kirk yelling

My Biggest Critic Sounds Off: Two Angry Responses

I once wrote that writers like me need our critics to keep honest. This post is a tribute to my biggest critic: fellow infosec professional Dave Marcus.

Mood music:

A few things about Dave:

  • Despite everything that follows, we’re good friends with similar musical tastes.
  • He owns some of the coolest guitars on the market, but he doesn’t play. The guitars hang on a wall like Han Solo frozen in carbonite.
  • He’s an avid weight lifter.
  • His critiques have forced me to do more gut checks than anyone else’s.
  • As critical as he is, he does agree with some of what I write.

Here are two of his most colorful critiques.

Critique 1: “This post is escapism and blame.”

When I wrote a post suggesting that all parents have their flaws, Dave went nuttier than Charles Manson on a hot summer night.

Not all of us were raised by lousy parents. Not all of us ARE lousy parents. No matter how one was raised at a certain point your life becomes your own responsibility. Not your parents’. Not your genes’. Not your phobias’. This post, to me, is escapism and blame. I choose to fix the problem and not the blame.

Critique 2: “Are you trying to superimpose your issues on the rest of us?”

After I wrote that there’s a burnout problem in the infosec industry, fueling cases of depression, Dave was particularly incensed. He wasn’t the only one to disagree, but he expressed himself eloquently in a private Facebook exchange he later gave me permission to share.

The scene: I’m working when a Facebook chat box alarm sounds. 

Dave: Your last few OCD articles seem to really try to pigeonhole the whole community as obsessed and mentally ill. Are you trying to superimpose your issues on the rest of us? Your last article really annoys me. Do you feel that depression runs deep in the community? My issue is that you and the greater InfoSec Burnout movement sound more and more like it’s an InfoSec problem or job/workplace-centric problem rather than a mental health problem that the individual brings with them originally. Granted, you may be getting lost in their greater noise. You are more balanced usually.

Me, trying to be diplomatic: I agree with your last statement and have written a gazillion posts making the point that it starts with the individual. But because we are trying to address burnout in our industry as one of many byproducts/triggers, some see it as us painting everyone with the same brush. There are aspects of this we are simply never going to agree on. It is also my observation — and I do not mean this as an insult — that if you are personally not affected by something, you don’t see it as legitimate. My experience is that there is no one-size-fits-all path.

Dave: Without research and study all you are left with is opinion.

So you see, Dave is one tough critic. He makes powerful points, and sometimes he goes off his rocker. But I love the guy.

Dave Marcus and the words Doesn't even attribute
Meme courtesy of Michael Schearer