Blog Sorts

Blog archive

January

Your decisions help define your future self

Did you ever have to make a quick decision? One with real-world consequences. One where there is a danger to health, life, or property. Were you able to take in a lot of information all at once? Did you feel overwhelmed? We do not always get time to reason out our decisions. To analyze the facts. To deliberate over our options. Sometimes we have but seconds to choose. This is one such story.

One bright, warm, spring day I was driving home from school. Windows rolled down and car stereos playing just a little too loud. I was surrounded by dozens of other like-minded sixteen, seventeen, and eighteen year olds enjoying one of the first pleasant days of the year. It seemed as if we all did not have a care in the world at that moment. I was completely oblivious to what was about to occur.

I was driving my 1972 Plymouth. Even in 1983 this was considered to be an old, boxy car. I was stopped at the traffic light waiting in line for the light to turn. There were three or four cars ahead of me and a long line of cars behind me. We were all waiting patiently when my engine suddenly started racing at full throttle. Not understanding what was going on, I tried popping the gas pedal with my right foot while my left foot held the brake pedal as strongly as I could. The gas pedal was stuck to the floor and the light had not yet turned green. As I stood on the brake pedal with both feet, I feared my four-wheel drum brakes would not hold. The light turned.

As the few cars ahead of me started to move slowly, I had to decide what I was going to do. I could not completely let off the brake. My car would race at full throttle. This was a scary thought for an automobile that can reach speeds upwards of 120 miles-per-hour. Where to put my car in heavy traffic? The cars ahead of me merged onto Sherwood Way from Pecos Street, leaving me an opportunity to move forward and out of the way. I chose to stick my car in the empty left-turn lane. Riding my brake pedal with both feet, still. I allowed my car to inch forward onto Sherwood Way and over three lanes, finally stopping in the left-turn lane. I was literally standing on the brake pedal with both feet in order to stop. I slipped the transmission into neutral; the engine whined uncontrollably. When I turned the key to the off position the engine refused to stop. It kept running. I was not sure if it would ever stop. Finally, after about thirty to forty-five seconds, the engine relented, sputtered, and stopped. Now, to find out what happened.

Now that the engine had completely stopped, I moved the gear-shift lever to park. I exited the car carefully and walked around the front. I did not know what to expect when I opened the hood. Staring at the big V8 engine I had no idea where to begin. I decided to follow the accelerator linkage from the firewall to the carburetor. There I stood in the middle of the road with my hood up, and bent over the engine compartment. I was in a very vulnerable position. I ran my finger over the linkage from the firewall to the carb, examining each junction. I finally came upon the problem. One of the last junctions was what I called the accelerator-recoil spring. It was a little spring that attached the linkage to the carb and forced the pedal back up off the floor while at the same time allowing the plunger valve to close, cutting off fuel to the engine. There it was, in two pieces.

Taking up the broken spring, I crossed over to the far side of the street and walked the few blocks to "Crazy Larry's." It was a hot-rod parts house and the only place in town that carried parts for a 318CI Mopar engine. Not even the local Chrysler dealership carried such a part in stock. The forty-something gentleman behind the counter offered to help. Still too dumbfounded to talk, I opened my fist and showed him the broken spring. He asked me the make and model of the vehicle, to which I spewed everything that I knew about the car and engine. In a matter of just minutes he returned from the back room with a small plastic bag containing a single part. "I have just the thing for you," he quipped. As I paid him for the part and thanked him, I turned and started out the door. I approached my disabled car sitting in the middle of the road looking like an old, broken dinosaur. I slipped the spring into place, attaching it to the carb and the accelerator linkage. Now for the moment of truth.

I jumped in the driver's seat. Would it start or did I just completely blow up my engine? Hesitantly I turned the key. The engine roared to life effortlessly and at a normal RPM. I popped the gas pedal a couple of times to make sure the spring would hold. The pedal bounced back every time. I stepped out and closed the large metal hood of the Plymouth, then slipped back into the driver's seat. Closing my door, I buckled my seatbelt in one move. After finding a spot to merge into traffic I proceeded home and then off to work.

I had a total of about three or four seconds before the light turned green to make every decision I was going to make that afternoon. Was I going to kill the engine where I sat or would I move forward and not block traffic? If I moved forward, where to and how without running into every car on the road? I do not even remember all the questions that ran through my mind that day in those few seconds. They all passed by at light speed and I made a decision on the viability of each question before moving to the next. No question in my mind was left unanswered. In under five seconds I had a plan and a contingency plan. In times of crisis decisions must be made and I never shied away from making the ones that needed to be made. I was always willing to accept, or defend, the consequences later.

February

There comes a time in your life when you need to make a choice. Will you choose people who lift you up or drag you down?

When I was in college, I lived the stereotypical college life. I lived a little wildly. I was known for living the high life. The problem was, I was known for it. After I wasted away my first year of college, I needed to move forward and get serious about my studies. I found it difficult as everyone I knew wanted the old me, the party me. For me, the best option was to leave town and go to school elsewhere. Somewhere no one knew me or my reputation. I needed people who would help me up instead of pulling me back down. To quote Freewill by Rush, "If you choose not to decide, You still have made a choice." You need to make a choice or one will be made for you. I chose to finish my education. I graduated with a 3.8 GPA.

In my last year of high school I watched a program on PBS. The speaker was talking about setting goals in your life. One need not actually achieve those goals, but at least they were something to work towards. His plan was to set short-term (1-5 years), mid-term (5-10 years), and long-term (10-20 years) goals. I even added another term, immediate (less than 1 year). I did and I wrote them down. I kept that list pinned to my refrigerator all through college and well after starting my career. The thing is, I achieved almost every one of those goals I wrote down in my senior year of high school. I never bought the fancy sports car, one of my short-term goals, nor did I buy the expensive luxury car, one of my long-term goals. As for the former, I did not have the money. For the latter, it just did not seem important anymore.

My wife and I now have monthly business meetings. We discuss our household budget and her business expenses. We also use this time to talk about our immediate and short-term goals. Longer-term goals we discuss in private. The immediate goals we put on our calendar. Short term, we take notes. We really should jot down our long-term goals somewhere. Find people who will lift you up and not drag you down. Finally, make the choice. You may not like the choices life makes for you.

March

How do you define risk?

For those that may be new to information security, we have a way to define risk. The most basic model is Risk = Vulnerability * Threat * Asset Value (R = V * T * Av). To understand this we must first understand the terms.
  • Vulnerability:
    First you must have a vulnerability. Without a vulnerability there can be no risk. As an example, back in 2007 Sun Microsystems had a vulnerability in their "telnet" system, CVE-2007-0882. This vulnerability allowed anyone who could execute a simple telnet command to log in as anyone with a UID less than 100. For those of you familiar with the Solaris operating system, UIDs 100 and under were generally reserved for privileged accounts. This created a vulnerability: a flaw that could be exploited. At the time it was reported, Solaris 10 and 11 operating systems shipped with the telnet service enabled. This was an exploitable vulnerability.
  • Threat:
    A threat is a repeatable, successful attack against a vulnerability. In our example above, an unpatched Solaris 10 or Solaris 11 operating system was easily exploited with a simple telnet command. Again, it allowed an attacker to log in as any user with a UID under 100. As we know, the "root" account is UID 0 on all UNIX and Linux operating systems. It is a special account, and it is the same on each of them. This is a known threat, which is required for there to be risk.
  • Asset Value:
    Asset value is not the initial purchase price of the asset but rather the cost to the organization if the asset is compromised or unavailable. I worked for a company where the core of the business was run on SAP. This was so important to the company that SAP had its own environment within the company environment. Only those with an approved, documented requirement had access to the environment. Firewalled from the rest of the environment, least privilege access, etc. My recommendation to the UNIX/Linux admin team was to disable the telnet service for all systems and require the use of Secure Shell (SSH) instead. By turning off the service, we mitigated the risk without having to wait on Sun Microsystems to produce a patch.

The risk formula is written as a product because in the absence of any one of these components there can be no risk. If there is no vulnerability, then there can be no risk. If there is no threat, then there can be no risk. If the asset value is zero or near zero, then there is no risk.

One day my laptop hard drive failed. This caused zero disruption to the corporation. I was able to use web-based email from a different system. I was able to reproduce the data on my hard drive in short order. The loss of my laptop had zero impact on the company bottom line; hence no asset value.

April

The 1-3-1 Rule

A LinkedIn member shared the YouTube video linked below. I liked it so I thought I would share it myself. The premise of the exercise is to cut through the Analysis-Paralysis that often befalls organizations and produce a workable result. The process outlined in the video is similar to the method I used in the past when quoting a new project. The explanation given here is so much simpler.
1 - Define a single goal, toward which you will work.
3 - Provide three options as a method of addressing the goal. Explain the analysis and data used to draw the conclusion.
1 - Report your one best recommendation.

Oftentimes, I would start my option list with "Do Nothing". What would happen if we did nothing at all? Second is usually my less favored option. This is because I want to get the positive aspects of my least favored option out first. Finally, I will finish with my favored option. In this summary I want to paint the picture of how my favored option outperforms the others, cover the gaps that exist in the other options, and itemize the shortfalls of the favored option and address them.

In the end, I present what I believe to be the best option. I would also have the beginnings of a plan to implement so we can get the project rolling as quickly as possible.

The 1-3-1 Rule
