So Long, Microsoft, And Thanks For All The Fish

Word Version 1.1a

Word Version 1.1a

I have been using Microsoft software since 1985 when I purchased Microsoft Word and Microsoft Multiplan for my new Zenith Z160 “portable” PC. I’ve used Word continuously for thirty years at home, at work, as a university instructor, and as a published author.

I wrote my first three books in FrameMaker, a superior but far more expensive word processor ($500 per user in 1998) as required by my publishers at the time. But by the early 2000’s most had moved to Word since Microsoft had sufficiently closed the feature gap.

I’m coming to realize that this weekend might be the last time I use Microsoft software – at home anyway (I use a PC running Windows 7 and Office for work).


Zenith Z160 portable computer

I ordered a new MacBook Pro yesterday, and it will arrive on Monday. The MBP comes with Apple’s versions of office programs, called Pages, Keynote, and Numbers. Next week I will try them out on my university teaching and on my current writing project. If it goes alright and I figure out all of the subtle differences, I will probably not purchase Office for the new Mac.

Part of this comes down to economics. Office for Mac costs $150 or more, and the same programs from Apple cost $20 apiece (if you don’t have a new Mac that came with them), or free with your Mac since some time in the past year or two.

I’ll post a review of Pages, Keynote, and Numbers in a month or so after I’ve been using them a while.

Still, I can’t help but feel somewhat nostalgic, as I’ve had Word with me nearly all of my adult life. But as the dolphins exclaim in Hitchhiker’s Guide to the Galaxy, “So long, and thanks for all the fish.”

Why encryption is important in communications

Communications between devices often passes over public networks that have varying risks of eavesdropping and interference by adversaries. While the endpoints involved in a communications session may be protected, the communications itself might not be. For this reason, cryptography is often employed to make communications unreadable by anyone (or any thing) that may be able to intercept them. Like the courier running an encrypted message through a battlefield in ancient times, an encrypted message in the modern context of computers and the Internet cannot be read by others.

  • excerpt from a book in progress

In air travel and data security, there are no guarantees of absolute safety

The recent tragic GermanWings crash has illustrated an important point: even the best designed safety systems can be defeated in scenarios where a trusted individual decides to go rogue.

In the case of the GermanWings crash, the co-pilot was able to lock the pilot out of the cockpit. The cockpit door locking mechanism is designed to enable a trusted individual inside the cockpit from preventing an unwanted person from being able to enter.

Such safeguards exist in security mechanisms in information systems. However, these safeguards only work when those at the controls are competent. If they go rogue, there is little, if anything, that can be done to slow or stop their actions. Any administrator with responsibilities and privileges for maintaining software, operating systems, databases, or networks has near-absolute control over those objects. If they decide to go rogue, at best the security mechanisms will record their malevolent actions, just as the cockpit voice recorder documented the pilot’s attempts to re-enter the cockpit, as well as the co-pilot’s breathing, indicating he was still alive.

Remember that technology – even protective controls – cannot know the intent of the operator. Technology, the amplifier of a person’s will, blindly obeys.

DSL Hell

I am a CenturyLink DSL customer in Seattle, WA. CenturyLink advertises 1 Gig Internet, but in our neighborhood, 10MB is all that is available.  Countless inquiries to customer support and tech support have not identified a soul who knows if or when faster DSL is coming to my neighborhood.

Often, the DSL is so bad that simple tasks such as loading web pages often times out. Speed tests typically show < 1MB of download speed. Here is a typical test from earlier today.speednot

CenturyLink techs have been out to the house numerous times. I’ve tried several different modems. I’ve bypassed my internal wiring altogether. Nothing they have done has made any difference.

I am a work from home (WFH) security consultant. However, on bad days, WFH is more like “wait from home”. Some days it seems like a miracle if my VPN connection stays up for more than an hour.

Here in Seattle, my only choices are CenturyLink for DSL and Comcast. CenturyLink has had two years to get the DSL service working right. Comcast, you’re next. My neighbors all say their Comcast Internet rocks and is really fast. Let’s hope so.

Don’t let it happen to you

This is a time of year when we reflect on our personal and professional lives, and think about the coming years and what we want to accomplish. I’ve been thinking about this over the past couple of days… yesterday, an important news story about the 2013 Target security breach was published. The article states that Judge Paul A. Magnuson of the Minnesota District Court has ruled that Target was negligent in the massive 2013 holiday shopping season data breach. As such, banks and other financial institutions can pursue compensation via class-action lawsuits. Judge Magnuson said, “Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur.” I have provided a link to the article at the end of this message.

Clearly, this is really bad news for Target. This legal ruling may have a chilling effect on other merchant and retail organizations.

I don’t want you to experience what Target is going through. I changed jobs at the beginning of 2014 to help as many organizations as possible avoid major breaches that could cause irreparable damage. If you have a security supplier and service provider that is helping you, great. If you fear that your organization may be in the news someday because you know your security is deficient (or you just don’t know), we can help in many ways.

I hope you have a joyous holiday season, and that you start 2015 without living in fear.

Padding Your Resume

It’s a popular notion that everyone embellishes their resume to some extent. Yes, there is probably some truth to that statement. Now and then we hear a news story about people “padding their resumes”, and once in a while we hear a story about some industry or civic leader who is compelled to resign their position because they don’t have that diploma they claimed to have on their resume.

Your resume needs to be truthful. In the information security profession, the nature of our responsibility and our codes of ethics require a high standard of professional integrity. More than in many other professions, we should not ever stretch the truth on our resume, or in any other written statements about ourselves. Not even a little bit. Those “little white lies” will haunt us relentlessly, and the cost could be even higher if we are found out.

– first draft excerpt from Getting An Information Security Job For Dummies

Understanding success in an information security job

There is a basic truth of information security jobs that can be intensely frustrating to some people but represent an exciting challenge to others: your guidance on improving security and reducing risk will often be ignored.

Many security professionals have a difficult time with the feeling of being ineffective. You can spend considerable time on a project that includes recommendations on improving security, and many of those recommendations might be disregarded. A track record of such events can make most professionals feel like a failure.

A security professional needs to understand that they are a change agent. Because information security practices are often not intuitive to others, your job will often involve working with others so that they will embrace small or large changes and do their part in improving security in the organization. To be an effective change agent, you need the skills of negotiation and persuading others to understand and embrace your point of view and why it’s important to the organization.

You need to realize, however, that even if you are a skilled negotiator, you still won’t get your way sometimes. This should not be considered a failure, and here’s why: it’s our job to make sure that decision makers make informed decisions, considering a variety of factors including security issues. As long as decision makers make informed decisions (meaning, we have informed them of the risks associated with their choices), we have done our job, and we need to be comfortable knowing that sometimes decisions are made that we don’t agree with.

– Excerpt from Getting An Information Security Job For Dummies, to be published in 2015